When Is a College Like a Bank?
A federal law regulating financial institutions poses puzzling security rules for academe
By DAN CARNEVALE
The Chronicle of Higher Education
July 11, 2003
When Congress passed the Gramm-Leach-Bliley Act in 1999, college officials paid little notice. Higher education seemed to have little to do with a law that requires financial institutions, such as banks and investment companies, to protect customers' private information from computer mishaps.
Campus officials got a rude surprise when the Federal Trade Commission issued a regulation last year that put virtually all colleges under the law, also known as the Financial Services Modernization Act. Many college administrators didn't find out about the ruling until this year. Now colleges are playing catch-up and are trying to figure out how to comply.
In the regulation, which sets forth how the law is enforced, the commission created a definition of "financial institutions" that includes most colleges on the basis of the financial relationships they have with students, donors, and others. Consequently, colleges must draft detailed policies for handling financial data covered by the law, such as parents' annual income, and must take steps to protect the data from falling into the wrong hands, like a hacker prowling for Social Security numbers.
Although the law isn't limited to computerized information -- printed records also are covered -- the greater potential vulnerability of digital data has colleges scrambling. Many missed the May 23 deadline to prepare the required security policies.
That problem may have arisen in part because the law itself is ambiguous about what information it covers. Adding to the confusion is the fact that the act was written for banks, investment firms, and other financial institutions, to enable them to work with one another -- not for colleges and universities.
"Part of the holdup is the legal definition is confusing because it wasn't written with higher-education institutions in mind," says Peg O'Donnell, assistant general counsel at Catholic University of America.
More Than Shuffling Papers
Some observers believe that only a few colleges will have to make major changes to their computer systems to comply with the law. "Most schools have awfully good data protection, because they're worried about hackers," says Jeffrey Swope, an attorney at the Boston law firm Palmer & Dodge who helped several colleges develop their policies. "The principal burden is for people to make sure they're documenting what they're already doing."
Nevertheless, the law is forcing college officials to do more than just shuffle papers.
William F. Lantry, director of academic technology services at Catholic, says its officials will have to install more computer-virus protection and encrypt more transactions in order to comply with the law. They are also updating their technology-training video with information from the act.
Some of the work, he says, will never end, like updating a record of all computers on the campus so that technology officials can monitor transactions involving sensitive data. With students and staff members endlessly plugging their own laptops into campus dataports, it can be impossible to keep track of what's going on electronically, he says.
Whoever is put in charge of overseeing compliance with the law could end up doing nothing else, Mr. Lantry warns. "We need to be doing a constant risk assessment. This could evolve to more than a full-time job."
The Gramm-Leach-Bliley Act has two provisions of interest to colleges: a privacy section and a data-protection section.
The privacy section simply requires institutions to notify people of their right to keep their financial information confidential. It also allows people to decide whether to make any of that information publicly available.
Colleges that comply with the Family Educational Rights and Privacy Act are already in compliance with that part of the Gramm-Leach-Bliley Act in terms of students, experts say.
But Ferpa applies only to students, Mr. Swope notes, while many colleges also collect information on faculty members, staff members, and alumni and other donors. The law requires institutions to provide essentially the same privacy protection to people in those categories.
The law's data-protection measure is the one that will keep technology officials on their toes. It requires institutions to develop a plan to fix weaknesses in their computer networks and continually check to make sure that new weaknesses don't present themselves. The law requires colleges to make concerted efforts to safeguard their data, although it doesn't penalize them for hacking incidents or other security lapses.
"You have to take reasonable actions to protect your computers against an attack," Ms. O'Donnell says. "Even if you get hacked, that doesn't mean you're not compliant."
Baylor University, Catholic University, and the University of Minnesota system were among the first to develop written policies required by Gramm-Leach-Bliley. The National Association of College and University Business Officers lists examples of some policies on its Web site (http://www.nacubo.org).
Mr. Swope recommends that institutions limit their liability by adopting narrow policies, applying the law only to those activities that make a college a financial institution under the law. If colleges apply the provisions to other data, he warns, "they've taken on more responsibility than the law requires."
The challenge lies in figuring out what activities are covered by the law. The subtleties of the services that colleges provide are key in determining what information they must protect. For example, a college might offer a debit program in which a student puts money into an account to use for buying things on the campus with a student ID or a debit card. Any information collected in order to conduct the service -- like where and when the student bought pizza -- would be subject to protection under the Gramm-Leach-Bliley Act, the lawyer says.
But in a slightly different example, a college might sell a card with a stored value that a student can use to make on-campus purchases. A student who loses the card loses the money as well. Such a program would not be subject to Gramm-Leach-Bliley protection, because the college would not be acting as a bank and would have no financial information to protect.
"In some cases, that seems kind of silly," Mr. Swope adds, "because the person who uses the card doesn't distinguish what kind of card that is."
Another source of confusion is whether or not the law applies to all uses of a student's Social Security number. Mr. Swope says the act applies to Social Security numbers only when they are recorded as part of an institution's financial service, such as for providing student loans.
But Ms. O'Donnell, of Catholic University, says the law could be applied to other uses of Social Security numbers, including those for student identification. Colleges should encrypt any computer transactions in which students provide their Social Security numbers, she recommends. "For universities that use your Social Security number as your university ID number," she says, "it's going to be really difficult to comply with this law."
Catholic, for one, has ceased using Social Security numbers to identify students for their meal plans and other campus amenities, says Robert Fox, general manager of the university's dining services. Now students are assigned random identification numbers.
The Federal Trade Commission has held informational meetings about the law but has provided few practical rules on how to comply with it.
Ellen Finn, an attorney in the commission's Bureau of Consumer Protection, says she can't give general advice on what information needs to be protected. "There isn't a one-size-fits-all plan," she explains, "so we don't want to give one-size-fits-all advice."
Colleges are not required to file their security plans with the commission. But if a college is suspected of not complying with the law, the commission can undertake an audit to see if the institution has set up adequate security measures.
Students whose personal information is compromised cannot sue a college under Gramm-Leach-Bliley. But Ms. O'Donnell says that failing to comply with the law could place a college at greater risk of a negligence suit in general.
With that in mind, officials of some institutions have taken a broad approach to complying with the law. Christopher W. Holmes, assistant general counsel at Baylor, says officials there took that route to avoid needlessly confusing staff members. They are treating all financial information as though it were covered by the law.
"What we didn't want was to have to explain to the university that certain types of information fall under Gramm-Leach-Bliley and certain types don't," he says. "We didn't want to have a higher standard for some information and a lower standard for others."
Gordon D. Wishon, associate vice president and associate provost for information technology at the University of Notre Dame, says his institution is broadly protecting all financial data, in part because he sees Gramm-Leach-Bliley as a first step in ensuring privacy for all electronic information.
Future state and federal laws will very likely call for even more protection, he says, so institutions might as well start holding themselves to tougher standards now. "We would expect to see additional legislation in the future," he says.
Indeed, a California law, which took effect on July 1, requires organizations, including colleges, to inform people if their private information is compromised, whether by a hacker attack or by mistake (The Chronicle, June 6).
The law's impact on academe extends beyond colleges. It also covers a college's contractors and outside services, which can number in the hundreds. By May 2004, each will have to include a statement in its contract that it will comply with the law.
Lizanne Payne, executive director of the Washington Research Library Consortium, says it is in the process of updating its security to comply with Gramm-Leach-Bliley. "I've been swallowed up in the GLB black hole for about three weeks," she says.
Putting Plans into Action
The library consortium offers colleges in the Washington, D.C., area subscriptions to electronic journals and Internet-search features. Students log in to the system using their own personal identification numbers. Because many colleges use Social Security numbers to identify students, the consortium plans to interpret the law as if it covered all of the ID numbers, and will encrypt its Internet transmissions to protect that data accordingly.
Community colleges, which have fewer resources, may have a tougher time meeting the law's requirements.
"It does sound like we're having a slightly harder time than the average institution," says David Baime, vice president for government relations at the American Association of Community Colleges. "But I guess we're used to that."
Timothy P. Bonnel, student financial-aid coordinator in the chancellor's office of the California Community College System, says its colleges would probably have to hire more staff members to update security and comply with the law. But with the state's budget crunch, the colleges will have trouble scraping up the money to do that. "We have huge challenges from a manpower standpoint," Mr. Bonnel says.
But Ms. Finn, of the Federal Trade Commission, says applying the security standards should be a top priority for colleges no matter what their resources, and regardless of what financial data they collect.
"There are certain security measures that universities should take because they're a good idea, not because they're mandated by Gramm-Leach-Bliley," she says. "We think that this should be part of an overall security strategy for the universities."
SECURITY UNDER THE LAW
By May 23, colleges were supposed to have created security policies explaining how they would protect personal financial information, as required by the Gramm-Leach-Bliley Act. Because of confusion over the law, however, many missed the deadline. The law says the security policies should have five components:
Designate an employee or employees to coordinate information security. That could be the chief information officer, a privacy officer, the registrar, or a combination.
Identify security risks, both internal and external. Security problems must be fixed in computer networks and paper records.
Teach employees how to maintain security. Training should cover anyone who has access to a computer system with customer information, or to paper copies of that information.
Require service providers to comply with the law. Colleges don't have to comb through their providers' computer networks but are supposed to include contract language requiring compliance.
Continue to monitor network security. Audits by outside security companies are one option.
Section: Information Technology
Volume 49, Issue 44, Page A27