Protecting Your Piece of the PII Gramm Leach

Protecting Your Piece of the PII: Gramm Leach Bliley Act and Red Flag Rules Scott Mc. Glynn, Marketing & Content Manager Annmarie Buchanan, Vice President of Compliance & Acting Chief Compliance Officer

Disclaimer • The information contained within this presentation is not legal advice and is not a full and exhaustive explanation of GLBA or Red Flag Rules and their applications. This information should not be used to replace the sound advice of your own legal counsel who has a working knowledge of your business and all its applicable state and federal laws. This information is provided for informational and educational purposes only.

Gramm-Leach-Bliley Act (GLBA): Welcome to the Club

Welcome to the Club • Who here has been to the BJ’s Wholesale Club in Brooklyn? • Identity theft isn’t the exception to the rule anymore

Identity Theft • According to the Identity Theft Resource Center’s® 2017 Data Breach Year-End Review: • 1, 579 data breaches in 2017 • 44. 7% increase from 2016 (2016 was record high) • Educational Sector accounted for 8% of data breaches That is 126 data breaches in the education sector in 2017. • 50% of instances of Identity Theft happened via cyber methods

Take a moment • What would happen if your institution had a data breach? • • Loss of reputation Headache Long hours of work Thousands of dollars • I couldn’t stop my information from being stolen, but I can have a plan prepared to manage it • So how do you prepare?

Gramm-Leach-Bliley Act Photo: Justin Lane/The New York Times/Redux

Background of the GLBA • Financial Services Modernization Act of 1999 • Repealed the Glass-Steagall Act of 1933 • Allowed banks, financial institutions, security companies, and insurance agencies to combine • Allowed banks to offer both savings and investment services • Financial Privacy Rule • Compliance is mandatory • Higher Education Institutions are treated as financial institutions under FTC regulations

What’s the Point? • “The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. ” - FTC

GLBA Requirements • Must have policy in place to protect non-public information from threats in security and data integrity • Components include: o Financial Privacy Rule o Safeguard Rules o Pretexting Protection • Colleges and universities can be in compliance under privacy provisions if compliant with FERPA • Required to meet administrative, technical, and physical safeguarding of information

Department of Education on GLBA • “Our expectation is that all FSA partners will quickly assess and implement strong security policies and controls and undertake ongoing monitory and management for their systems, databases and processes that support all aspects of the administration of Federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965, as amended (the HEA). Such systems, databases and processes include all systems that collect, process, and distribute information – including PII – in support of application for and receipt of Title IV student assistance. ” – Dear Colleague Letter GEN-15 -18 • Student Aid Internet Gateway (SAIG) Enrollment Agreement requires GLBA compliance

GLBA Compliance Audit • The U. S. Office of Management and Budget (OMB) plans to include new Special Tests and Provisions in its 2018 Compliance Supplement. • Department of Education expected to add the testing requirements in the Audit Guide shortly after • Compliance with certain GLBA provisions will be tested as part of the single audit beginning in either 2018 or 2019. • ED drafted provisions for 2017 but removed • https: //www. claconnect. com/resources/articles/2018/information-securityto-be-tested-as-part-of-the-higher-education-audit

Compliance Elements of GLBA • Develop, implement and maintain a written information security program • Designate the employee(s) responsible for coordinating the information security program • Identify and assess risks to customer information • Design and implement an information safeguards program • Select appropriate service providers that are capable of maintaining appropriate safeguards • Periodically evaluate and update security program

Security Program Objectives • Ensure security and confidentiality of customer information • Protect against anticipated threats to the security or integrity of information • Guard against unauthorized access to or use information that could result in substantial harm or inconvenience • https: //www. nacubo. org/-/media/Nacubo/Documents/news/200301. ashx? la=en&hash=54 DF 89 E 68289 BDB 6 FA 72 E 13 BC 3469058360 E 08 10

Data Breach Requirements • Unauthorized disclosure, misuse, alteration, destruction or other compromise of information • Doesn’t have to be electronic in nature • Does not have a minimum number of compromised records to qualify • Failure to report actual or suspected breaches can include a fine of up to $54, 789 per violation. • What information to report: Date of breach, information and number of records compromised, how breach occurred, security program officer’s contact information, and detailed description of how your organization is handling notification and mitigation of impact.

P@$$W 0 RD @w@R 3 N 3$$ • Use strong passwords; the more characters, the better • Use combination of uppercase, lowercase, special characters and numbers • Follow guidelines of your organization’s policies • Periodically change passwords • Do not write down passwords where publically accessible • Do not share passwords

What is PII? • Information that can be used to distinguish or trace an individual’s identity either directly or indirectly through other information • All personal information associated with an individual • Student’s Name, name of family members, address, personal identifier such as social security number, student number, date of birth, place of birth, mother’s maiden name, etc.

Sensitive PII • Information which lost, compromised or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness • Can be stand-alone or paired with other PII Stand-Alone Paired with other PII Social Security Number Medial Information Driver’s License Number Account Passwords Financial Account Number Date of Birth Biometric Identifiers Criminal History • Can be based on PII context: • List of Employees compared to List of Low Performing Employees

Questions that Need Answers • What kind of data do you have or maintain? • Where is the data housed / stored? • Who has access to it? • How is data being monitored?

Useful Strategies • Turn monitors away from public view • Properly dispose of all documents • Lock your computer anytime you leave • Shortcut: “Windows Key” + “L” • Keep your desk clean and organized • Do not leave PII in your desk if not locked • Do not leave PII in public areas • Keep areas containing PII locked at all times

GLBA Takeaways • Compliance is required • Safeguarding data is your priority • Be mindful of how you treat data • Have a written policy to handle data security and integrity

Red Flag Rules

Red Flag Rules • Final rules and guidelines on identity theft “red flags” were published on November 9, 2007, (“Red Flags rule”) to implement section 615(e) of the Fair Credit Reporting Act (FCRA) (15 U. S. C. 1681 m(e)) • Requires written identity theft prevention program to mitigate risk of identity theft for consumers • FTC estimates nine million Americans have their identity stolen each year • Can carry $3, 500 fine per violation • Individuals can seek damages • Required if a “Creditor”

Definition of a Creditor • Obtains or uses consumer reports in connection with a credit transaction; • Furnishes information to consumer reporting agencies in connection with a credit transaction; or • Advances funds to or on behalf of a person, in certain cases.

Does my Institution Need a Plan? If you fall under any of the activities in the definition of a creditor and answer yes to one or more of the following questions, you do. Does your institution: • Defer payments for goods and services or bill customers? • Grant or arrange credit? • Participate in the decision to extend, renew or set the terms of credit?

Developing Your Plan FTC provides guidelines in developing a Red Flag Rule Policy Plan https: //www. ftc. gov/tips-advice/business-center/guidance/fightingidentity-theft-red-flags-rule-how-guide-business

Red Flag Program Parts 1. Must include reasonable policies and procedures to identify signs of identity theft (“red flags”) in day-to-day operations 2. Must be designed to detect the red flags of identity theft identified by the business 3. Must set out actions the business will take upon detecting red flags 4. Must re-evaluate its Program periodically to reflect new risks from this crime

Example If your institution requires valid ID for identity verification: 1. Formally recognize that ID’s could result in Red Flags 2. Create guidelines of the components of invalid ID and methods to test for validity 3. Create policies and procedures to handle instances of invalid IDs 4. Review for new / changes in IDs

Identify Relevant Red Flags Risk Factors Sources of Red Flags Categories of Common Red Flags: • Alerts, notifications and warnings from a credit reporting company • Suspicious documents or information • Personal identifying information inconsistent • Unusual account activity • Notice from other sources

Detect Red Flags • Use identity verification and authentication methods to help detect red flags. • Reasonable procedures for new and existing accounts.

Prevent and Mitigate Identity Theft • Monitor accounts for evidence of identity theft. • Contact the customer (student). • Change passwords or security codes. • Close account and reopen with new number. • Do not refer to debt collector or try to collect. • Notify law enforcement.

Update the Program • Board of Directors or a committee appointed by the Board must approve initial plan. • Train all relevant staff as necessary. • Third Party services providers must comply • Periodically review plan and update as new red flags are identified.

Personal Identity Measures • Use complex passwords • Use different passwords for different purposes and make financial passwords unique and separate • Keep your email secure • • • Two-Factor Authentication where possible Monitor what you say on Social Media Use Credit Freezes as necessary Diversify Only use secured wireless networks Update software Monitor credit reports and financial statements regularly Immediately respond to potential threats Have a plan in place

Additional Information: • NACUBO: • https: //www. nacubo. org/Topics/Other-Business-Areas/Privacy-Intellectual. Property/GLBA-Data-Security-Resources • Department of Education Dear Colleague Letters: • GEN-15 -18: https: //ifap. ed. gov/dpcletters/GEN 1518. html • GEN-16 -12: https: //ifap. ed. gov/dpcletters/GEN 1612. html

Questions?

Thank you! For additional questions, please speak with: • Corky Mobley, Regional Account Executive cmobley@coastprofessional. com (714) 673 -7578 • Brooke Singletary, Director of Sales & Marketing bsingletary@coastprofessional. com (318) 307 -9856