Letter to the Community

To: The University Community

From: Victoria D. Johnson, General Counsel
John D. Lawson, Chief Information Officer

Re: Compliance with the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB) requires that financial institutions establish a policy protecting the privacy of financial information of certain individuals by May 23, 2003. The GLB's intent is to reform the financial services industry and addresses concerns relating to consumer financial privacy including the safeguarding of consumer information. Because higher education institutions participate in financial activities such as making Federal Perkins Loans, the Federal Trade Commission (FTC) regulations consider them financial institutions for purposes of compliance with the act. Tulane has experience with similar rulings such as the Family Educational Rights and Privacy Act (FERPA), which addresses the privacy of student information and the Health Insurance Portability and Accountability Act (HIPAA), which addresses privacy protections for individually identifiable health information. The GLB not only addresses the privacy of financial information, but also addresses the necessity for administrative, technical and physical safeguarding of private, non-public information.

Technology Services and the General Counsel's office will coordinate this initiative and ensure that the deadline is met. John Lawson has been designated as the interim Information Security Officer for the GLB Act and Michele Hebert-Solares will serve as the GLB Data Administrator. All areas of the University that conduct financial transactions and/or store or use non-public information for students, employees or customers will all need to participate in this process.

Three items will occur:

1. A policy statement addressing GLB compliance will be added to the Tulane Policy manual.
2. A plan for the creation and implementation of a program to safeguard private, non-public information will be created.
3. An inventory of private, non-public information will begin immediately. The inventory will include electronic information as well as information stored in other formats. This information will be collected by a web-based questionnaire.

Each senior officer will be required to appoint a person(s) to coordinate the information security program for their area(s). These coordinators will initially be responsible for responding to the questionnaire and providing input. The deadline for completing the questionnaire is June 30, 2003. As the implementation of the plan continues, they will be involved in training and compliance activities.

Please write GLB@tulane.edu for questions or contact Denise B Alix at 865-5783.