Holiday Closure
The OUC (including FSS Help), along with other CU System Administration offices, will be closed from
Monday, December 23, 2024, through Wednesday, January 1, 2025.
We will reopen for normal business hours on Thursday, January 2.
Members of the University of Colorado community collect and use personal information for many educational and business functions. CU is committed to safeguarding this data consistent with applicable legal and policy requirements.
The GLBA Safeguards Rule requires CU to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when CU offers or delivers a financial product or service to an individual for personal, family, or household purposes. To support compliance with the Rule, CU has implemented administrative, technical, and physical safeguards as part of its comprehensive Data Governance and Information Technology (IT) Security programs.
The objectives of the GLBA Safeguards Rule are to:
To comply, a covered institution must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards appropriate to the organization’s size and complexity, the nature and scope of its activities, and the sensitivity of the NPI at issue.
Requirements include:
Note: On April 4, 2019, the Federal Trade Commission (FTC) issued a Notice of Proposed Rule Making (NPRM) proposing substantial changes to the Safeguards Rule. The proposed amendments to the Rule substantially increase the specific requirements an organization’s information security program will have to meet. The public comment period on the proposed changes ended August 2, 2019, and the FTC held a public workshop to discuss the proposed changes in July 2020. The timing and scope of any amendment to the existing Rule is yet to be determined.
The Federal Trade Commission (FTC) is charged with administration and enforcement of the GLBA for financial institutions not regulated by other federal banking or finance-related authorities, including institutions of higher education (IHEs). The FTC has determined that most IHEs are “financial institutions” for purposes of the GLBA because “[m]any, if not all, such institutions appear to be significantly engaged in lending funds to consumers.” 64 Fed. Reg. 33648 (May 24, 2000).
In addition, the Department of Education requires IHE compliance with the Safeguards Rule by contract, under the Federal Student Aid (FSA) Program Participation Agreement and Student Aid Internet Gateway (SAIG) Agreement.
CU is committed to safeguarding the personal information it collects, uses, or maintains for educational and business functions. This commitment is reflected in Regent Policy 8.A.7 Privacy and Confidentiality and in the Administrative Policy Statement Code of Conduct, which describe the expectation that university community members will comply with applicable legal, contractual, and policy obligations to maintain the confidentiality of such information, protect it from improper disclosure, and protect the privacy interests of individuals.
To ensure that data is managed as a material asset and protected in compliance with applicable requirements, CU has implemented a Data Governance Program and adopted a suite of policies that establishes the university-wide IT Security Program framework. Additional system-level and campus policies, procedures, and standards have been implemented to safeguard the confidentiality, integrity, and availability of information systems, services, and data in all forms, including personal information collected, maintained, or disposed of by CU or by service providers on CU's behalf.
CU's GLBA Safeguards Rule Information Security Program incorporates existing university policies, procedures, and standards, and is in addition to any institutional policies and procedures that may be required under other federal and state laws and regulations.
Organizational units that collect/maintain NPI that must be safeguarded are typically involved in the provision or servicing of student, faculty, or staff loans, other extensions of credit, and collection agency services.
If your org unit collects, processes, maintains, or otherwise handles NPI that is obtained when CU offers or delivers a financial product or service to an individual for personal, family, or household purposes, your org unit must comply with the GLBA Safeguards Rule. If your org unit accesses or maintains protected data (even if the unit does not have primary responsibility for offering the financial product or service), you must comply with the Safeguards Rule.
Examples of a financial product or service covered by the rule include:
In these contexts, NPI must be safeguarded in all forms (not just electronic form), and in all org units with access to the data (e.g., via shared records systems) - whether or not the individual is ultimately extended credit or awarded financial aid.
While many org units will not conduct activities that subject the unit or program to the Rule’s specific requirements, it is important to be aware of the type of activities (financial products or services) that may trigger future compliance requirements should your org unit operations change.
If your org unit handles or maintains covered data, your unit must follow CU's Data Governance and Information Technology (IT) Security Program policies and related guidance regarding the privacy and security of confidential and highly confidential information.
Additional steps your org unit should take:
For purposes of the GLBA Safeguards Rule, a service provider is any person or entity that receives, maintains, processes, or otherwise is permitted access to NPI through its direct provision of services to CU. CU must oversee service providers by taking reasonable steps to select and retain providers capable of maintaining appropriate safeguards for NPI, and by requiring them, by contract, to implement and maintain these safeguards.
Org units that collect, process, or otherwise handle NPI for university purposes with the assistance of external service providers must exercise due care in assessing the capabilities of these providers. The CU System Office of Information Security (OIS) has established IT purchasing standards for this.
In addition, OIS (along with campus information security partners), provides assistance to units in conducting the necessary review. These offices, in collaboration with the Procurement Service Center and the Office of University Counsel, provide support to ensure service provider contracts include appropriate assurances regarding the safeguarding of sensitive personal information, including NPI, consistent with the requirements of the Rule and other applicable law.
1800 Grant Street, Suite 200 | Denver, CO 80203 | Campus Box: 436 UCA
Need Help? FSS@cu.edu