Michigan State University
Controller's Office
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" (GLB Act), includes privacy provisions to protect consumers' personal financial information held by financial institutions. In 2003, the Federal Trade Commission (FTC) confirmed that higher education institutions are considered financial institutions under this federal law. The Safeguards Rule of the GLB Act requires financial institutions to have a security plan to protect confidentiality and integrity of personal information. Privacy notices explaining an institution's information-sharing practices must also be provided.
As of May 23, 2003, colleges and universities must be in compliance with provisions of the GLB Act that relate to the Safeguards Rule. Safeguarding data has two major components: privacy and security. Colleges and universities that already comply with the Family Educational Rights and Privacy Act (FERPA) are deemed to be in compliance with FTC privacy rules under the GLB Act to the extent the information held relates to students. In addition, colleges and universities are subject to the provisions of GLB related to the security of customer information.
While Michigan State University is primarily an educational institution and its areas covered by the GLB Act are few, the University is committed to complying with the law. This site provides detailed information on University policies and procedures designed to facilitate compliance.
Report complaints and potential violations to the MSU Controller's Office.
How do I know if a service offering of my unit is covered?
If you engage in offering a financial product or service normally offered by a financial institution, you maintain records (electronically or paper) about the consumers of that service and their transactions, and you are significantly engaged in that offering, you may be required to comply with the GLB Act.
Examples of activities considered to be financial in nature are:
What is Customer Information?
Customer information is any record containing non-public personal information about a customer, whether in paper, electronic or other form, related to the covered product or service. Examples include Social Security numbers, account numbers, credit card numbers, dates of birth, or details of any related financial transactions.
Non-public personal information means personally identifiable financial information that is:
The term non-public also includes any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available.
What does "significantly engaged" mean?
The FTC regulation and final ruling provide little guidance on how to interpret "significant", but the FTC has advised that if a company holds itself out as undertaking the listed financial activities, such activities are "significant", without regard to dollar volume and without regard to the percentage of the revenue of the overall business.
Examples of entities that are not significantly engaged in financial activities.
Who do I contact with questions?
Controller's Office
Hannah Administration Building
426 Auditorium Road, Room 305, East Lansing, MI 48824
Phone: (517) 355–5020
Overview
The GLB Act covers many types of financial products and services transacted with consumers. These services include: lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.
Michigan State University collects personal information from its customers. This information may include names, addresses, and phone numbers; bank and credit card account numbers; and Social Security Numbers. The GLB Act requires that MSU, to the extent its service offerings are defined under the law as a "financial service(s)", ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires MSU to have measures in place to keep customer information related to these services secure.
Written Plan
The Safeguards Rule requires MSU and its affected units to develop a written information security plan that describes its program(s) to protect customer information. The plan must be appropriate to MSU’s size and complexity, the nature and scope of our activities and the sensitivity of the customer information it handles. As part of its plan, MSU and its affected units must:
MSU has developed an umbrella Customer Information Security Plan for Michigan State University, as well as unit-based plans to cover their unique safeguarding requirements as dictated by their business operations. See Section IV. below
Guidelines
Some of the practices to safeguard information in place at affected units include:
Requesting every employee to sign an agreement to follow the University’s confidentiality and security standards for handling customer information and regularly reminding them of the University’s policies and legal obligations to keep customer information secure and confidential. These policies include, but are not limited to:
Managing Sensitive Data at Michigan State University
Conference Report and Text of Gramm-Leach-Bliley Bill
U.S. Senate Committee on Banking, Housing, and Urban Affairs
Financial Services Modernization Act - Summary of Provisions
U.S. Senate Committee on Banking, Housing, and Urban Affairs