Gramm-Leach-Bliley Act Compliance Policy 61.12A
This policy describes Howard Community College’s information security program mandated by the Federal Trade Commission’s Safeguard Rule and the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (“GLBA”). This mandate requires institutions of higher education to implement administrative, technical, and physical safeguards for certain types of nonpublic personal financial information.
Some GLBA designated nonpublic personal financial information is protected under other federal or state laws which also require the securing and safeguarding of data. Accordingly, this information security program incorporates and is in addition to college policies and procedures required by other federal and state laws and regulations, including, without limitation, the Family Educational Rights and Privacy Act (“FERPA”). When another college policy governs GLBA designated nonpublic personal financial information, the more specific policy will take precedence (provided that the specified safeguards meet the minimum GLBA information security program requirements).
Definitions
- “GLBA Information Security Program”: The administrative, technical, or physical safeguards the college uses to access, collect, distribute, protect, store, use, transmit, dispose of, or otherwise handle Nonpublic Personal Financial Information as required under the Federal Trade Commission’s Safeguard Rule and the Gramm-Leach-Bliley Act.
- “Financial Service”: Federal law defines financial services to include, but not be limited to, activities such as the lending of money; investing for others; providing or underwriting insurance; providing financial, investment or economic advisory services; marketing securities, and the like. Financial Services covered by GLBA include, but are not limited to, college activities such as offering or processing loans or other types of financial aid to students.
- “Nonpublic Personal Financial Information”: Any personally identifiable information handled or maintained by or on behalf of the college – whether in paper, electronic or other form – that:
i. A student or other third party provides in order to obtain a Financial Service from the college;
ii. Is about a student or other third party resulting from any transaction with the college involving a Financial Service; or
iii. Is otherwise obtained about a student or other third party in connection with providing a Financial Service to that person.
- “Service Provider”: Any person or entity that receives, maintains, processes, or otherwise is permitted access to Nonpublic Personal Financial Information through its direct provision of services to the college.
- “Collection Unit”: Any college department or unit that collects Nonpublic Personal Financial Information. Collection units will be identified through procedures established under this policy, and include, but are not limited to: the Office of Information Technology; the Financial Aid Office; and the Office of Records, Registration and Veterans' Affairs.
The college’s chief information officer, or designee, is responsible for coordinating and overseeing the GLBA Information Security Program. The college’s chief information officer, or designee, shall perform these duties in conjunction with representatives from each office identified as a Collection Unit.
As required by federal law, the college’s GLBA Information Security Program has the following four components:
1. Risk assessments to identify reasonably foreseeable security and privacy risks.
Risk assessment shall include the identification of college Collection Units subject to the GLBA Information Security Program. Procedures shall be established for identifying and assessing external and internal risks to the security, confidentiality, and integrity of Nonpublic Personal Financial Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
In compliance with federal law, risk assessment shall include, but not be limited to, evaluation of:
i. Collection Unit employee training regarding procedures and practices relating to access to and use of Nonpublic Personal Financial Information;
ii. Information systems, including network and software design, information processing, and the storage, transmission and disposal of Nonpublic Personal Financial Information; and
iii. Systems for detecting, preventing, and responding to attacks, intrusions or other system failures.
2. Implementation of information safeguards and monitoring procedures to control the risks identified.
Procedures shall be established to ensure that information safeguards for each Collection Unit are designed and implemented to control, monitor, and test risks identified in the assessment set forth above, including but not limited to the areas of employee training, information systems, and managing system failures. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided.
3. Overseeing service providers.
The college’s chief information officer, or designee, shall work with representatives from each Collection Unit, the Office of General Counsel, and the Procurement Department to ensure reasonable steps are taken to select capable Service Providers and to require Service Providers by specific contract terms and conditions to implement and maintain appropriate GLBA required safeguards.
4. Periodic evaluation and adjustment of the GLBA Information Security Program based upon the results of testing and monitoring, as well as changes in operations or operating systems.
The college’s chief information officer, or designee, working with responsible units and offices, will evaluate and adjust the GLBA Information Security Program in light of results of GLBA Information Security Program testing and monitoring, as well as any material changes to operations or business arrangements, and any other circumstances which may reasonably have an impact on the GLBA Information Security Program.
Effective Date: 4/29/2026