[unisog] GBLA policy examples

Christopher Cramer chris.cramer at duke.edu
Wed Jul 16 20:35:50 GMT 2003

Hi James,

Unfortunately, most universities *didn't* think it applied which is why
many haven't implemented a policy yet.  However, the FTC did rule that
universities are covered under GLB - think student loans, financial aid
and debit-like cards.  

One advantage that we do have is that of the two components (privacy and
security), the privacy component is addressed by most institutions'
FERPA policy.  The only problem there is whether or not the FERPA policy
covers all areas where we are acting in a bank-like function, e.g.
faculty and staff at Duke can put money on their Duke card, but they aren't
covered by FERPA.


On Wed, 2003-07-16 at 15:32, James Goldston wrote:
> The format of a policy shouldn't matter (other than for readability,
> understandability, etc.).  Content is king.
> Assuming you are asking in the context of an educational facility, is the
> edu considered a "financial institution?"  If not then I'm not sure the GLB
> applies.  If you believe it does, please provide why if you don't mind.
> There are various places where pre-approved examples of consumer notices and
> opt-out examples are already provided.  You can also look at financial
> institutions' web sites for examples.  Most will have them.
> For the financial world, of much more importance are all the banking
> regulations as a result of the GLB fallout.  E.g., require a formal written
> Info Sec Prgm, Board level involvement.
> James
> Notes:
> Subtitle A of Title V of the Gramm-Leach-Bliley Act ("GLB Act") has privacy
> provisions relating to consumers' financial information...
> Definition: Any institution the business of which is engaging in financial
> activities as described in section 4(k) of the Bank Holding Company Act (12
> U.S.C. § 1843(k)). Under the Final Rule promulgated by the Federal Trade
> Commission (FTC), an institution must be significantly engaged in financial
> activities to be considered a "financial institution."
> > -----Original Message-----
> > From: Phillip G Deneault [mailto:deneault at WPI.EDU]
> > Sent: Wednesday, July 16, 2003 1:39 PM
> > To: unisog at sans.org
> > Subject: [unisog] GBLA policy examples
> >
> >
> > Does anyone have any good examples for policies that fulfill the
> > Gramm-Leach-Bliley Act?  I understand what I need to put in but not the
> > format.
> >
> > We've missed the deadline to have submitted our policies and now it's on my
> > desk.  Woo.
> >
> > Thanks
> > Phil
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Phil Deneault     "We work in the dark, We do what we can,
> > deneault at wpi.edu   We give what we have. Our doubt is our passion,
> > WPI NetOps         and our passion is our task. The rest is the
> > InfoSec            madness of art." - Henry James
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >