Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) is a federal law whose privacy and data-security provisions are enforced by the Federal Trade Commission (FTC) for financial institutions not overseen by another federal regulator. It requires financial institutions (companies that offer consumer financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive customer data.
https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

UH is considered a financial institution under GLBA because it receives and processes federal student aid (Title IV funds).

The US Department of Education's office of Federal Student Aid (FSA) holds UH to GLBA as a condition of participating in federal student aid programs, and requires that compliance with the GLBA Safeguards Rule be included as an audit objective in the federal single audit that UH undergoes annually.
https://library.educause.edu/topics/policy-and-law/gramm-leach-bliley-act-glb-act

Per the updated FTC Safeguards Rule (16 CFR Part 314), UH is required to maintain a written information security program that includes the following elements (the wording of each element follows the FTC's guidance, with UH's implementation noted where it applies):

  1. Designate a Qualified Individual to implement and supervise the information security program. UH's Qualified Individual is the UH Chief Information Security Officer.
  2. Conduct a written risk assessment. ITS will conduct risk assessments on a regular basis.
  3. Design and implement safeguards to control the risks identified in the risk assessment.
    1. Implement and periodically review access controls.
    2. Know what you have and where you have it: inventory the data, personnel, devices, systems and facilities that handle customer information.
    3. Encrypt customer information at rest on your systems and in transit.
    4. Assess the security of your applications, whether developed in house or acquired from a third party.
    5. Implement multi-factor authentication for anyone accessing customer information on your systems.
    6. Dispose of customer information securely.
    7. Anticipate changes to your information system or network.
    8. Maintain a log of authorized users' activities and monitor for unauthorized access to, or misuse of, customer information.
  4. Regularly test or otherwise monitor the effectiveness of safeguards, either through continuous monitoring or through annual penetration testing and vulnerability assessments at least every six months.
  5. Train your staff. UH AP2.215 “Mandatory Training on Data Privacy and Security” establishes UH’s training requirements.
  6. Monitor your service providers. IT contracts or purchases with third parties that include the processing of personal data must go through the UH Data Governance Process. Also, check UH EP 8.200 “Policy on Contracts and Signing Authority” for any other contractual requirements.
  7. Keep your information security program current. The UH Information Security Program description is available at: https://www.hawaii.edu/infosec/infosecprogram/
  8. Establish a written incident response plan.
  9. Require your Qualified Individual to report in writing to your Board of Directors (or equivalent governing body) regularly, and at least annually, on the status of the program.

The FTC's guidance on the updated Safeguards Rule, "FTC Safeguards Rule: What Your Business Needs to Know", can be viewed at the FTC website:
https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know