Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions that offer consumers financial products or services to explain their information-sharing practices to their customers and to safeguard sensitive customer data.

Because Portland Community College (PCC) engages in financial activities (e.g. processing student loans), it is considered by the Federal Trade Commission (FTC) to be a financial institution and is therefore required to be compliant with GLBA.

GLBA requirements

GLBA dictates several specific requirements regarding the privacy of customer financial information. These are codified in three rules:

1. Pretexting Rule

The Pretexting Rule is designed to counter identity theft.

To comply, PCC must have mechanisms in place to detect and mitigate unauthorized access to personal, non-public information (such as impersonating a student to request private information by phone, email, or other media).

2. Privacy Rule

The Privacy Rule is designed to govern the collection and disclosure of customers’ personal financial information by financial institutions.

3. Safeguards Rule

The Safeguards Rule is designed to ensure the administrative, technical, and physical safeguarding of personal, non-public customer information.

The Safeguards Rule requires PCC to develop, implement, and maintain a comprehensive Information Security Program containing administrative, technical, and physical safeguards that are appropriate for the size, complexity, and nature of its activities, in order to:

  • Ensure the security and confidentiality of customer records and information.
  • Protect against any anticipated threats or hazards to the security or integrity of such records.
  • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Under GLBA, it is the obligation of PCC to establish appropriate standards for areas under its jurisdiction relating to administrative, technical, and physical safeguards for customer financial information or covered data.