Finding Text
Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the current required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address all elements that apply. The elements for the information security programs set forth in this section 16 CFR 314.4 are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.
Condition: The University did not have updated procedures and processes in place specific to all the required GLBA elements. The GLBA policy had last been updated in 2019.
Cause: The University noted that several items required are in process or being developed to comply with the requirements.
Effect: Failure to comply with the requirements of GLBA standards puts the University out of compliance with requirements and potentially at risk of compromising consumer, nonpublic personal information.
Questioned costs: Not applicable
Context: Not applicable.
Recommendation: It is recommended that the University updates its written GLBA Security Policy to address all the required elements. At a minimum, the University should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).
Management's Response: The University agrees with the recommendation.