INTRODUCTION TO THE GRAMM-LEACH-BLILEY ACT
The Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999 and directly affects financial institutions, including insurance companies and agencies. At the heart of GLBA is a requirement that financial institutions provide a privacy notice to their customers and restrict what nonpublic personal information (NPI) about customers they share with third parties. Financial institutions are also required to ensure the security and integrity of customers’ NPI by way of physical, administrative and technical electronic means. While New Mexico State University (NMSU) is primarily an educational institution and its areas covered by GLBA are few, the University is committed to satisfying the law in all its financial processes. This site provides detailed information on University policies and procedures designed to facilitate compliance with GLBA.
POLICIES AND PROCEDURES
Each NMSU Office or Administrative Support Component handling GLBA protected data should develop standard operating procedures detailing the conduct of its local operations according to GLBA requirements and align its operations to NMSU’s updated “15.63 – Protection of Customer Information; GLBA Compliance” Administrative Rule and Procedure (ARP). The operating procedures should include a documented information security risk assessment to ensure the proper implementation of physical, administrative and technical safeguards for GLBA protected data. The risk assessment should be updated regularly or as major changes occur to the operation of the office or administrative support component.
WHO’S COVERED UNDER THE GRAMM-LEACH-BLILEY ACT
GLBA covers all NMSU Financial Aid Offices at all campuses, plus all Administrative Support Components involved in providing support relating to customer financial processing activities, such as Information Technology Services, Accounts Receivable, Internal Audit, Office of General Counsel, Office of Institutional Analysis, Admissions Office, and Registrar.
GLBA REQUIRED WRITTEN INFORMATION SECURITY PROGRAM
NMSU’s Written Information Security Plan and Safeguarding Guidelines – The GLBA Information Security Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with NMSU, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the University or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from the University, (ii) about a student or other third party resulting from any transaction with the University involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
ROLES AND RESPONSIBILITIES
The NMSU Information Technology Compliance Officer serves as the Chief Privacy Officer (CPO) for all NMSU campuses for purposes of GLBA compliance. The CPO is responsible for the development, implementation, and maintenance of a GLBA Compliance Program for the NMSU system and works in collaboration with the Chief Information Security Officer and the Financial Aid Director in the establishment and implementation of a GLBA information security, privacy and training program.
Each Financial Aid Office at NMSU will create a Notice of Privacy Practices. A Notice of Privacy Practices discloses the ways the University gathers, uses, discloses, and protects GLBA data.
The CPO is the individual responsible for the development and implementation of information security policies and procedures for NMSU, and is the primary contact for managing situations in which customer information is compromised. Anyone in the NMSU community can and should report a known or suspected violation of GLBA information privacy, security or University policy. Known or suspected violations should be reported to the CPO by phone at (575) 646-5902, or by email at email@example.com. You can also report identity theft and get a recovery plan from the Federal Trade Commission by visiting https://www.identitytheft.gov/.
RESOURCES FROM THE FEDERAL TRADE COMMISSION
For more information contact:
Carlos S. Lobato, CPA
Chief Privacy Officer