Eastern Illinois University


Safeguarding GLBA Customer Information Procedure

Purpose

The Gramm-Leach-Bliley Act (“GLBA”) and Title IV of the Higher Education Act of 1965 require institutions of higher education, as financial institutions, to take steps to protect customers’ nonpublic personal information. Institutions of higher education are required to comply with the Federal Trade Commission Standards for Safeguarding Customer Information (Safeguards Rule) as outlined in 16 C.F.R. Part 314. These requirements are in addition to those of the Family Educational Rights and Privacy Act (FERPA).

Scope

This procedure applies to all “customer information,” which is defined as information obtained by Eastern Illinois University as a result of providing a financial service, such as when the University administers or aids in the administration of Title IV programs; makes institutional loans or scholarships; or certifies a private education loan on behalf of a student. Customer information is limited to financial information connected to student and parent finances, such as student and parent loans, bank account information, and income tax information for financial aid packages.

The following departments have GLBA responsibilities for customer information: Financial Aid and the Bursar's Office.

Procedure

The GLBA Safeguards Rule mandates that an institution of higher education’s GLBA written information security program includes the elements outlined in this procedure.

1 - Designate a Qualified Individual to oversee and implement its information security program

The University IT (Information Technology) Security Officer is responsible for this GLBA procedure and is designated as the Qualified Individual for the University.

2 - Identify and assess the risks to covered data in each relevant area of the university’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks

The designated units and the IT Security Officer work together to identify and assess risks to customer information including but not limited to:

The University acknowledges that the list of risks mentioned above may not cover all the potential risks related to the security of customer information. Technology evolves over time and new risks may emerge, so the program will be evaluated and the plan revised annually.

3 - Design and implement a safeguards program with the minimum safeguards outlined in 16 C.F.R. 314.4 (c)(1) through (c)(8)

The minimum safeguards to protect customer information include:

4 - Regularly monitor and test the safeguards program

The IT Security Officer will follow regular Technology Solution procedures to test the technical safeguards for GLBA customer information. Internal Audit performs periodic audits/reviews of the University's information technology and information security.

5 - Implement policies and procedures to ensure that university personnel can implement the information security program

The GLBA Information Security Procedure is a subset of the University IT Policies. Data Custodians are responsible for facilitating and enforcing compliance with all information security policies and practices applicable to their unit. Ensuring employees are trained is an essential component of their efforts.

6 - Select service providers that can maintain appropriate safeguards over covered data, ensure the service contract requires them to maintain safeguards, and oversee their handling of covered data

The University units subject to GLBA will collaborate with the University Purchasing Office and ITS to take reasonable steps to select and retain service providers who maintain appropriate safeguards for customer information.

7 - Provide for the evaluation and adjustment of the information security program considering relevant circumstances, including changes in the university’s business or operations, or the results of security testing and monitoring

The GLBA Information Security Procedure will comply with the standards established by ITS Policy and related procedures for assessing the information security program, regular updates, and enhancements.

8 - Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of covered data in the university’s control

The University Emergency Plan contains a written plan for handling a data security incident. Eastern Illinois University will adhere to the Information Technology Security Incident Reporting Policy. The Information Security team has the duty of carrying out response actions to a compromise of University IT systems or an unauthorized disclosure of Eastern Illinois University data.

It is understood that in the event of a breach of customer information, the University is required to notify contacts designated by the U.S. Department of Education within 24 hours after an incident is known or identified.

9 - Require the Qualified Individual to report in writing, regularly and at least annually, to the Board of Trustees.

The Qualified Individual will collaborate with the departments that have GLBA responsibilities and will submit a report to the President Council annually.

Last Report Submitted: 06/10/2024

Last Date Reviewed: 06/13/2024
