15.63 – Protection of Customer Information; GLBA Compliance
Policy Details
Responsible Executive: Provost and Chief Academic Officer
Responsible Administrator: Chief Information Security Officer
Scope: NMSU System
Last Updated: 02/13/2018
PART 1: PURPOSE
As directed by RPM 15.50, Information Data Security, NMSU administration adopts this rule for the purpose of safeguarding the privacy of non-public personal information it may receive pertaining to its students and employees, in compliance with the Gramm-Leach-Bliley Act, as may be amended, and with other applicable regulations (e.g. the Federal Trade Commission’s Safeguards Rule and Financial Privacy Rule). Additionally, the terms of the Program Participation Agreement relating to financial aid funding require NMSU to be able to demonstrate such compliance, with particular attention to information provided to institutions by the Department of Education or information obtained in support of the administration of the federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended.
PART 2: DEFINITIONS
- GLBA: GLBA is the Gramm-Leach-Bliley Act of 1999 as may be amended, which requires financial institutions including NMSU to explain their information-sharing practices to their customers and to safeguard sensitive data. As used in this rule, reference to “GLBA” will include the requirements of the implementing regulations promulgated under the authority of the Act such as the Safeguards and Financial Privacy Rules.
- Customer Information: Customer Information refers to the collection of “nonpublic personal information (NPI)”, also referred to as private or sensitive information for GLBA purposes.
  - NPI is any “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.” NPI is:
    - any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
    - any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
    - any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
  - NPI does not include information that you have a reasonable basis to believe is lawfully made “publicly available.” In other words, information is not NPI when you have taken steps to determine:
    - that the information is generally made lawfully available to the public; and
    - that the individual can direct that it not be made public and has not done so. For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be “publicly available.”
- Chief Privacy Officer (CPO): The CPO is the individual responsible for the development and implementation of information security policies and procedures for NMSU, and who is the primary contact 1) to manage situations in which Customer Information is compromised, 2) to receive and refer or process customer complaints, 3) to provide information to the university community about any matter covered by this rule or the GLBA Notice of Privacy Practices. See Parts 6 and 7 below.
- Chief Information Security Officer (CISO): The CISO is the individual responsible for the implementation of technical security policies and procedures, information security system assessments, and investigation of technical security violations, and for proposals of changes or new information security policies.
- Notice(s) of Privacy Practices: Notice of Privacy Practices refers to the document that specifies how NMSU uses and discloses Customer Information and the rights of individuals related to this information.
- NMSU Entity: NMSU Entity, sometimes also referred to as “unit”, is a general term which may refer to a college, a department or any other individual administrative unit within the NMSU System, including but not limited to agricultural experiment stations.
PART 3: GLBA COMPLIANCE AT NMSU
- Financial Aid Offices: The NMSU Financial Aid Office at each campus location must operate in compliance with GLBA requirements.
- Administrative Support Component: Administrative support units must operate in compliance with GLBA requirements if they provide support functions which involve access to Customer Information in performing those functions, such as:
  - Information Technology Services
  - Accounts Receivable
  - Internal Audit
  - Office of General Counsel
  - Office of Institutional Analysis
  - Admissions Office
  - University Student Records Office
- Others: In the event that an NMSU employee or office not identified above as either a Financial Aid Office or Administrative Support Component has a need to access Customer Information for a special project or other job-related purpose, the responsible administrator for the unit must contact the Chief Privacy Officer (CPO) for guidance to ensure compliance with this rule.
PART 4: GLBA REQUIREMENTS
The NMSU entities identified in Part 3, with leadership and guidance from the CPO and the officials listed in Part 6 below, will maintain Customer Information in a secure and confidential manner using the security standards established under the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) as a guide. These standards require:
- Development, implementation, and maintenance of a written information security program;
- Designation of the employee(s) responsible for coordinating the information security program;
- Identification and assessment of risks to Customer Information;
- Design and implementation of an information safeguards program;
- Selection of appropriate service providers capable of maintaining appropriate safeguards; and
- Periodic evaluation and updates to the written information security program.
Additionally, until repealed or amended, guidance relating to the administrative, technical and physical security of Customer Information is set out in the NMSU document entitled Written Information Security Program.
PART 5: PRIVACY NOTICES
Under the leadership of and guidance from the CPO, the NMSU Financial Aid Office at each campus location will document how it uses and discloses Customer Information and the rights of individuals related to this information. Privacy Notices will be provided in accordance with the federal Privacy Rule.
PART 6: DUTIES – ROLES AND RESPONSIBILITIES
The NMSU Information Technology Compliance Officer serves as the Chief Privacy Officer (CPO) for all NMSU campuses for purposes of GLBA compliance. This position may perform other tasks and duties on behalf of the university. The CPO is responsible for the development, implementation, and maintenance of a GLBA Compliance Program for the NMSU system, to include the provision of ongoing training and resources to employees and other individuals authorized to access Customer Information. To ensure comprehensive coverage of the program, the CPO should collaborate and coordinate efforts with those listed below, as well as report progress and issues to the university’s Compliance Oversight Committee and/or Executive Management.
- Chief Information Security Officer (CISO): The CISO will provide guidance for the implementation and maintenance, as needed, for technical information security controls.
- NMSU’s Financial Aid Director: The director is responsible for ensuring that the Financial Aid office at each NMSU campus operates according to GLBA requirements in the handling of Student Financial Aid information. The director will coordinate and cooperate with the CPO and the CISO in the establishment and implementation of an information security, privacy and training program.
PART 7: DATA BREACH NOTIFICATION, REPORTING AND HANDLING
All NMSU employees, students or other affiliates, upon becoming aware of a potential data breach or compromise relating to Customer Information, must report such incidents to the CPO. The CPO will:
- Communicate to NMSU senior officials regarding reported data compromises and breaches;
- Investigate, document and manage reported incidents in collaboration with General Counsel, Human Resources and other university departments as appropriate;
- Submit timely notices about data breaches, as required by the various regulatory agencies;
- Notify affected individuals in collaboration with University Communications; and
- Retain appropriate documentation for each reported data breach/incident.
PART 8: GLBA TRAINING REQUIREMENTS
Supervisors will arrange for the employees and other authorized individuals (e.g. volunteers) with access to Customer Information to be trained about this rule and job duties relating to GLBA compliance. With the leadership and guidance from the CPO, the NMSU entities identified in Part 3 above must facilitate such training to staff upon hire and periodically thereafter. One mechanism for delivery of the training may be to invoke the authority of the provost and/or assistant vice president of Human Resource Services to mandate the training pursuant to ARP 6.89 – Mandatory Employee Training; Opportunities for Professional Development. Official training logs and certificates will be kept in the Training Central system maintained by Human Resource Services, Center for Learning and Professional Development.
Related
Cross-Reference:
ARP 6.89 – Mandatory Employee Training; Opportunities for Professional Development
RPM 15.50 – Information Data Security
NMSU – Written Information Security Plan
Revision History:
02/13/2018 Amendment approved by Chancellor
Recompiled 2017, formerly Rule 2.90.30
10/21/2015 former Policy 2.90.30 replicated by Board of Regents as initial Rule 2.90.30