The Gramm-Leach-Bliley Act (“GLBA”) and Title IV of the Higher Education Act of 1965 require institutions of higher education, as financial institutions, to take steps to protect customers’ nonpublic personal information. Institutions of higher education are required to comply with the Federal Trade Commission Standards for Safeguarding Customer Information (Safeguards Rule) as outlined in 16 C.F.R. Part 314. These requirements are in addition to those of the Family Educational Rights and Privacy Act (FERPA).
This procedure applies to all “customer information,” defined as information obtained by Eastern Illinois University as a result of providing a financial service, such as when the University administers or aids in the administration of Title IV programs, makes institutional loans or scholarships, or certifies a private education loan on behalf of a student. Customer information is limited to financial information connected to student and parent finances, such as student and parent loans, bank account information, and income tax information for financial aid packages.
The following departments have GLBA responsibilities for customer information: Financial Aid and the Bursar's Office.
The GLBA Safeguards Rule mandates that an institution of higher education’s written GLBA information security program include the elements outlined in this procedure.
The University IT (Information Technology) Security Officer is responsible for this GLBA procedure and is designated as the Qualified Individual for the University.
The designated units and the IT Security Officer work together to identify and assess risks to customer information including but not limited to:
The University acknowledges that the list of risks above may not cover every potential risk to the security of customer information. Technology evolves over time and new risks may emerge, so the program will be evaluated and the plan revised annually.
The minimum safeguards to protect customer information include:
The IT Security Officer will follow regular Technology Solution procedures to test the technical safeguards for GLBA customer information. Internal Audit performs periodic audits/reviews of the University's information technology and information security.
The GLBA Information Security Procedure is a subset of the University IT Policies. Data Custodians are responsible for facilitating and enforcing compliance with all information security policies and practices applicable to their unit. Ensuring employees are trained is an essential component of their efforts.
The University units subject to GLBA will take reasonable steps, in collaboration with the University Purchasing Office and ITS, to select and retain service providers who maintain appropriate safeguards for customer information.
The GLBA Information Security Procedure will comply with the standards established by ITS Policy and related procedures for assessing the information security program, regular updates, and enhancements.
The University Emergency Plan contains a written plan for handling a data security incident. Eastern Illinois University will adhere to the Information Technology Security Incident Reporting Policy. The Information Security team has the duty of carrying out response actions to a compromise of University IT systems or an unauthorized disclosure of Eastern Illinois University data.
It is understood that in the event of a breach of customer information, the University is required to notify contacts designated by the U.S. Department of Education within 24 hours after an incident is known or identified.
The Qualified Individual will collaborate with the departments that have GLBA responsibilities and will submit a report to the President Council annually.
Last Report Submitted: 06/10/2024
Last Date Reviewed: 06/13/2024