Guidance for UB Gramm-Leach-Bliley Act Compliance

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: July 3, 2024

The University at Buffalo is dedicated to safeguarding university data in compliance with the Federal Trade Commission’s 2021 amendment to the Gramm-Leach-Bliley Act (GLBA) mandating the protection of student financial aid information by postsecondary institutions. The guidance applies to all UB offices handling nonpublic financial information about students or other third parties in any form.

The University at Buffalo (UB, university) is committed to protecting Category 1 and Category 2 university data and to complying with the requirements of the Federal Trade Commission's safeguard rules requiring universities to implement provisions of the Gramm-Leach-Bliley Act (GLBA). This guidance corresponds with the University at Buffalo Information Security Program, 2024 Qualified Individual Appointment Memorandum, and the Information Security Incident Response Plan.

In 2021, The Federal Trade Commission (FTC) issued amendments to the Gramm-Leach-Bliley Act Standards for Safeguarding Customer Information (Safeguards Rule), requiring all postsecondary institutions and third-party servicers to protect student financial aid information provided to them by the Department of Education or otherwise obtained in support of the administration of the Federal student financial aid programs (Title IV programs) authorized under Title IV of the Higher Education Act of 1965 (HEA).

This guidance applies to all offices which collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle any record containing nonpublic financial information about a student or other third party who has a relationship with the University at Buffalo, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the university or its affiliates.

Qualified Individual is responsible for:

• Developing and maintaining the university’s incident response plan to address any breaches or security incidents promptly.
• Ensure that all relevant staff members receive proper training on GLBA requirements and maintain awareness of their responsibilities.
• Implementation and supervision of the university’s information security program in accordance with GLBA guidelines.
• Providing periodic reports to senior management and relevant stakeholders regarding GLBA compliance efforts.
• Regularly assessing risks related to information security and recommending necessary adjustments to UB policies and procedures.

Office of the Vice President and Chief Information Officer
Phone: 716-645-7979
Email: vpcio@buffalo.edu

Information Security Office
Phone: 716-645-6997
Email: sec-office@buffalo.edu

Information Security Office - Privacy Contact
Phone: 716-645-5997
Email: privacy@buffalo.edu

Computing and Network Use Policy
Data Risk Classification Policy
Disaster Recovery Plan
Information Security Incident Response Plan
Protection of University Data Policy
UB Emergency Management’s Comprehensive Emergency Management Plan (CEMP)
University at Buffalo Information Security Program

Gramm-Leach-Bliley Act