Responsible Division: Finance and Administration
Approving Official: Vice President of Finance and Administration
Effective Date: January 1, 2014
Last Revision Date: Unrevised at this time.
The Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. 6801 et seq., as implemented by 16 CFR Part 314, the Federal Trade Commission (FTC) rule on "Standards for Safeguarding Customer Information" (the Safeguards Rule).
To specify the methods for safeguarding confidential financial and personal information maintained in University financial records, reports and systems. If this information is not protected in accordance with this policy, the harm resulting from its loss, misuse, unauthorized access or modification is magnified.
The Florida State University, hereinafter referred to as "University", generates, receives and stores many financial documents and records of a confidential nature. This includes, but is not limited to, the awarding and issuance of loans to students and the collection of payments from students, parents, patients and customers via check, money order, wire transfer, ACH and credit/debit card.
To comply with safeguarding confidential financial records and related personal information, this University policy will:
(1) designate one or more employees to coordinate the safeguards;
(2) identify and assess risks to customer information and evaluate the effectiveness of the current safeguards;
(3) designate and implement a safeguards program that includes regular compliance monitoring and evaluation;
(4) select appropriate service providers and ensure that contracts with those providers include safeguards; and
(5) provide for evaluating and adjusting the program in light of relevant circumstances.
A. SCOPE OF THIS POLICY
This policy applies to all University personnel who administer, manage, maintain or use financial or personal information, their supervisors and unit administrators. It applies to all locations of this information, whether on campus or from remote locations.
All University units and related affiliate organizations that handle confidential financial transactions or personal information shall designate at least one employee who will:
(1) coordinate the safeguards as specified in University policies and procedures;
(2) annually assess risks to customer information, including evaluating the effectiveness of the current safeguards;
(3) adjust the safeguard program in light of relevant circumstances;
(4) ensure staff are trained on the University rules of confidentiality; and
(5) ensure each staff member who handles any aspect of financial transactions signs an Employee Confidentiality Statement.
All University contracts with applicable service providers will require, under the terms of the contract, that the provider implement and maintain safeguards that comply with the provisions of the Gramm-Leach-Bliley Act.
B. DEFINITION OF CONFIDENTIALITY
As the custodian of sensitive and private information, the University recognizes the importance of protecting information resources from loss, misuse, unauthorized access or modification.
All printed material containing confidential personal information related to business, financial or medical transactions, including name, birth date, address, telephone number, social security number, personal photograph, amounts paid or charged, or account number, is to be safeguarded.
Note: Student privacy regulations (e.g., FERPA) provide that schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards and dates of attendance. However, schools are required to inform students about this directory information and to allow a reasonable amount of time for students to request that the school not disclose it.
Documents stored on the University information systems are linked directly to a specific account and are able to be viewed at authorized employees' workstations. Selected documents may be viewed on screen or printed for review. Other systems allow authorized employees to scan, view, print and store paper documents and correspondence in electronic files directly on computer systems for immediate access, backup and retrieval. Once electronically stored, the original material is then reviewed by management personnel and kept in safekeeping or shredded if no longer needed.
It is the University's policy to prohibit the unauthorized exchange of confidential financial and personal information between computer information systems. Written management authorization and contracts must be obtained prior to exchanging confidential financial or personal information with any outside computer information system.
The University Office of Inspector General and the State of Florida Auditor General conduct risk assessments and security audits to ensure that potential threats to University information systems are identified and evaluated. Security audits are performed to ensure that proper system documentation and appropriate protection measures, including physical security and proper handling of confidential, sensitive information, continue in all aspects of the University's information security measures.
All University units and related affiliate organizations are responsible for designating a person to conduct and monitor risk assessments and security audits so that potential threats to their physical areas and information systems are identified and evaluated. Whenever a significant change occurs to an office space, such as an addition or remodeling, the designated safeguard monitor will perform an analysis that defines the assets, vulnerabilities and threats involved and the countermeasures required to prevent loss. Process audits are to be performed to ensure that proper system documentation, appropriate protection measures and proper handling of confidential, sensitive information continue in all aspects of the working environment.
In addition to being informed of the confidentiality of University computerized records and hardcopy correspondence, all employees are to be informed of their particular obligation to the University and its customers to protect the confidential nature of the information obtained and used during the course of its daily operations.
Note: Only employees designated as having access to confidential data, including faculty, will be required to sign the Employee Statement of Understanding confirming their understanding of their obligation to safeguard confidential financial and personal information. That statement should be part of the hiring process and retained by the hiring department. All positions having access to confidential data should be so designated on the position description. Departments that hire employees who have access to confidential data must train those employees on the requirements for safeguarding confidential information. Disciplinary action for violating this policy may be taken under the University's current Standards for Disciplinary Action for violation of a provision of University policy.
The University requires its employees to sign a statement authorizing supervisory and managerial personnel to monitor their work as a quality assurance measure. In the event that inappropriate employee conduct is detected, supervisory and managerial personnel will address the issue with the employee and take appropriate remedial or disciplinary action as determined warranted under the circumstances, including termination of the employee.
C. RELATED FEDERAL, STATE AND UNIVERSITY SAFEGUARD PROGRAM COMPONENTS
The following provide additional, supplemental components of the University's safeguards program.
Note: University faculty, students and employees are bound by all applicable laws, rules, policies and procedures. This policy is not intended to limit the applicability of any law or policy and does not preclude University units and related affiliate organizations from implementing additional, supplemental and/or more stringent safeguards.
Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g and 34 CFR Section 99
Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. Section 1320d and 45 CFR Parts 160, 162, and 164
Americans with Disabilities Act (ADA), 29 CFR Sections 1630.13 and 1630.14
Florida Statutes:
Chapter 119, Public Records; Sections 1002.21, 1002.22, 1004.22(2), 1006.52 and 1012.91, F.S.
Chapter 257, Public Libraries and State Archives, F.S.
Section 282.318, F.S., Security of Data and Information Technology Resources
Florida Administrative Code:
Chapters 1B-11, 1B-24, 1B-26.003 and 1B-021
Florida Department of State Rules 1A-27.07 and 1A-21
University Policies and Procedures:
4-OP-F-3 Records Management
4-OP-F-5 Public Records - Uniform Charges
4-OP-F-6 Destruction/Shredding of Confidential Documents and Records
4-OP-H-6 Use of University Information Technology Resources
4-OP-H-8 Wireless Data Communications
4-OP-H-9 Information Technology Security
Employee Confidentiality Statement