Gramm-Leach-Bliley Information Security Plan
The Gramm-Leach-Bliley Act of 2000 (GLB) mandates that financial institutions must take steps to safeguard the security and confidentiality of customer information. The Federal Trade Commission (FTC) ruled that GLB applies to institutions of higher education. Compliance with GLB involves compliance with (1) the privacy provisions of the act and (2) provisions regarding the safeguarding of customer information. The FTC has said that colleges are deemed in compliance with the privacy provisions of GLB if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). With respect to the second area, GLB specifies new requirements for colleges to safeguard non-public customer information, such as family financial information and social security and identification numbers, by having an institutional security program and security plans in the specific offices of the college that handle such information.
Designated Security Program Officers
The designated GLB Security Program Officers for Swarthmore College are Greg Brown, Vice President for Finance and Administration, and Joel Cooper, CITO. All correspondence and inquiries about the Swarthmore College Information Security Plan should be directed to one of these Officers.
For purposes of FERPA and GLB, the College considers students, employees, and alumni or any other third party engaged in a financial transaction with Swarthmore College as “customers”. Customer information that must be safeguarded is “any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form.” It includes financial information, academic and employment information, and other private paper and electronic records.
With respect to the privacy provisions of the GLB Act, Swarthmore College is in compliance with FERPA. Directory information (for example, name, address, enrollment at the college and degree information), the list of which is published yearly in the Student Handbook, is considered public (unless a student has requested otherwise in writing). All non-directory information is restricted or confidential, what GLB calls "non-public." Under FERPA, restricted information (for example, academic or financial records) is released outside the college only with the student's written consent. Designated school officials, including faculty, key employees and occasionally outside service providers, have access to restricted, “non-public” information on a need-to-know basis only. Confidential information (for example, a faculty member's or dean's private notes) is even more protected than restricted information, and is released only in certain unusual circumstances as outlined in FERPA. Although FERPA, narrowly construed, applies only to enrolled and former students, in compliance with GLB and long-standing good practice the College extends FERPA privacy protections to all customers of the college.
The Registrar’s Office will provide guidance in complying with all FERPA privacy regulations. The College also complies with HIPAA (the Health Insurance Portability and Accountability Act of 1996), with the Health Center and Human Resources providing guidance on this Act. Each department is responsible for securing customer information in accordance with all privacy guidelines.
With respect to the safeguarding provisions of the GLB Act, the Swarthmore College GLB Information Security Plan herein is designed to ensure the security, integrity, and confidentiality of non-public customer information, protecting it against anticipated threats, and guarding it against unauthorized access or use. Covered under the Plan are administrative, technical, and physical safeguards used in the collection, distribution, processing, protection, storage, use, transmission, handling, or disposal of non-public customer information. The Plan covers actions by both employees of the College and outside service providers.
The policies incorporated in this document apply to all College departments. Where individual departments have additional security provisions, they will maintain written documentation of these and will make it available to the Security Program Officers. For example, the information technology department will maintain and provide access to policies and procedures that protect against any anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information.
The College security policies for departments include the elements described in the following sections.
The College uses direct personal control or direct supervision to control access to and handling of all non-public customer information when an office is open. Whether the information is stored in paper form or any electronically accessible format, departmental non-public information is maintained, stored, transmitted and otherwise handled under the direct personal control of an authorized employee of the College.
Departmental non-public information is collected, processed, transmitted, distributed and ultimately disposed of with constant attention to its privacy and security. Conversations concerning non-public information are held in private. Papers containing non-public information are mailed via official campus mail, US mail, or a private mail carrier. Departments are encouraged to password-protect electronic files of non-public information when transmitting them electronically. When best practices permit the disposal of non-public information, it is destroyed; paper containing such information is routinely shredded or otherwise destroyed.
Confidential material is kept secure. Most offices have locked windows and locked doors with restricted access. For those that do not, materials are kept in locked filing cabinets or other locked storage areas. When offices are open, confidential information is kept out of sight from visitors, and computer screens are not visible to visitors. Offices and/or computers are locked when the office will be vacant for an extended length of time.
Key access is limited to authorized College employees only, in the context of College key control governing the distribution of keys. College Public Safety further ensures the security of offices after hours.
Departmental offsite storage and information processing generally conforms to the same practices as onsite storage, and is safeguarded under the provisions for outside service providers, as described below.
The College relies on the Information Technology Services Department to provide network security and administrative software password access security according to industry standards in order to protect non-public customer information that is accessed electronically but stored outside of a department.
Departmental desktop computers and other electronic devices storing non-public customer information are protected by physical safeguards.
The Information Technology Services Department maintains its own written security policy which is incorporated with the overall College policy. This is included as Appendix A.
Employee Management and Training
All College employees, including part-time and temporary employees, and volunteers are given specific training by their supervisors about issues of security of sensitive and confidential material used in their respective offices. Employees are held accountable to know that although they have access to non-public information in order to perform their duties for the College, they are not permitted to access it for unapproved purposes or disclose it to unauthorized persons. The Employee Handbook, which is provided to all employees, states that violation of security policies could result in termination of employment or legal action, or both.
Outside Service Providers
Each area will ensure that third-party service providers are required to maintain appropriate safeguards for the non-public information to which they have access. Contracts with service providers who, under those contracts, have access to Swarthmore College non-public customer information shall include the following provisions as appropriate:
- Explicit acknowledgment that the contract allows the contract partner access to confidential information;
- Specific definition of the confidential information being provided;
- Stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- Guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract;
- Guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information;
- Provision allowing for the return or destruction of all confidential information received by the contract partner upon completion of the contract;
- Stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract;
- Stipulation that any violation of the contract's protective conditions amounts to a material breach of contract and entitles Swarthmore College to immediately terminate the contract without penalty;
- Provision allowing auditing of the contract partner's compliance with the contract's safeguard requirements;
- Provision ensuring that the contract's protective requirements shall survive any termination agreement.
Reassessment of Plan
This Plan and any other individual departmental policies are reviewed at least annually and adjusted as needed. The GLB Security Program Officers circulate this policy to each department and request a reassessment. The annual reviews include identification and assessment of internal and external risks to the security, integrity, and confidentiality of non-public customer information, including review of outside contractors and their contracts to ensure that proper safeguards are in place.