The GLBA Safeguards Rule requires the University of Colorado to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when the university offers or delivers a financial product or service to an individual for personal, family, or household purposes. The rule also covers any list, description, or other grouping of customers derived using NPI.
Any organizational unit responsible for handling or maintaining protected data must comply with the Rule. While most org units will not conduct activities that subject the unit or program to the Rule, it is important to be aware of the activities that may trigger future compliance obligations so that appropriate measures to mitigate risk and adequately protect NPI can be implemented in a timely manner.
Typical activities that would involve the collection and maintenance of NPI that must be safeguarded include the provision of student, faculty, or staff loans, other extensions of credit, and collection agency services. Information collected directly from customers or other regulated institutions in connection with the provision of these financial products or services must be protected in all forms (not just electronic form) and in all org units with access to the data (e.g., via shared records systems).
Most organizational units will not have exposure to the Safeguards Rule. To determine if your org unit conducts activities that are covered under the rule, consider the following examples of financial products and services:
- Lend, exchange, transfer, invest for others, or safeguard money or securities for or to individuals
- Insure, guarantee, or indemnify against loss, harm, damage, illness, disability or death
- Act as an investment advisor to an individual (e.g., providing tax planning, tax preparation, or instruction on individual financial management) if CU collects and maintains non-public information provided in connection with this service
- Extend credit to students, faculty, staff, or other CU customers (e.g., long-term payment plans involving interest charges) - this does not include deferred payments, layaway, or accepting credit card payments
- Service loans to students, faculty, staff, or other CU customers (e.g., long-term payment plans involving interest charges) - this does not include deferred payments, layaway, or accepting credit card payments
- Conduct collection activities for loans or other credit made or extended to individuals
- Contract with third parties for collection activities for loans or other credit made or extended to individuals
- Provide real estate or personal property appraisals or settlement services
- Provide check guaranty services
- Provide credit bureau services
- Lease real or personal property to be used by an individual for that individual's benefit (i.e., for property that is not operated by CU/CU employee/agent of CU)
- Cash checks for faculty, staff, students, or other CU customers, excluding situations where customers receive cash back by writing a check in an amount higher than the purchase price
- Sell money orders, savings bonds, or traveler's checks
- Issue credit cards