Gramm-Leach-Bliley Act (GLBA) Compliance


About GLBA

The Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999 to reform the financial services industry and address concerns relating to consumer financial privacy. GLBA requires financial institutions that offer financial products or services, such as loans or financial advice, to explain their information-sharing practices to their customers and to safeguard sensitive customer data.

Academic institutions like the University of Arizona are considered financial institutions under GLBA and must adhere to its requirements when handling Customer Information.


When GLBA Applies at UA

GLBA can apply to a variety of services provided by UA, so it is important that university Units understand when GLBA requirements apply to the product or service they provide.

The threshold question for a Unit to ask is: “Does the Information Resource include nonpublic personal information about an individual related to a financial service or financial product associated with the University of Arizona?” An affirmative answer indicates that GLBA may apply. (See ISO-400-G2 for more details; UA login required.)

Examples of university services or activities that can be impacted by GLBA include, but are not limited to:

  • Student loans, including receiving application information and making or servicing loans
  • Tuition-related services
  • Credit counseling services
  • Collection of delinquent loans and accounts
  • Check cashing services
  • Payment plans involving interest charges
  • Obtaining information from a consumer report or federal tax information

The GLBA Compliance Program at UA

The University of Arizona is committed to protecting the confidentiality, integrity, and availability of its information resources. The university’s Information Security Program Policy (ISO-100) and the underlying IT governance documents support compliance with GLBA by addressing requirements around:

  • Program oversight
  • Customer Information risk assessment
  • Safeguards
  • Continuous monitoring
  • Training
  • Vendor/Third-Party Oversight
  • Security risk assessment
  • Incident Response plan
  • Annual reporting

The compendium of ISO Governance can be found on the ISO Communications SharePoint space (UA login required). 


Got Questions?

Questions regarding the security of Customer Information under GLBA that is handled or maintained by or on behalf of the University of Arizona should be sent to the Information Security Office-Governance, Risk, and Compliance (ISO-GRC) team. 

Actual or suspected security incidents involving Customer Information should be reported immediately to the ISO Security Operations Center (ISO-SOC) team in accordance with the university policy on Information Security Incident Reporting and Response (ISO-600). 


GLBA-Related Resources