The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions.
The University of Pittsburgh must comply with GLB's safeguarding regulations. GLB's final rules on Safeguarding Customer Information do not exempt educational institutions and require them to adopt an information security program. Key compliance requirements include designating an employee to coordinate an information security program, identifying risks to the security of customer information (including a risk assessment of computer information systems), and contractually requiring service providers to implement and maintain safeguards.
Note that colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are still subject to the provisions of the GLB Act related to the administrative, technical, and physical safeguarding of customer information.
To comply with GLB:
The University has designated an official Customer Information Security Officer, based in the Office of the Provost.
University units that are significantly engaged in financial activities that involve the collection or utilization of customer financial information must identify themselves to the University's Customer Information Security Officer. Examples of activities to which GLB would apply include the administration of financial aid, the processing of credit card information, or the collection of any other form of customer financial information. University units must document all such collection and processing activities, describe the nature and extent of their utilization of customer information, and appoint an employee to oversee the unit's information safeguards practices.
University units must assess their current customer information practices, identify vulnerabilities, and take appropriate measures to secure customer information.