At Utah State University (USU), personal data is used for many essential educational and administrative functions. USU is committed to protecting this information in line with legal and policy standards—including the Gramm-Leach-Bliley Act (GLBA).
The GLBA Safeguards Rule applies whenever USU offers financial products or services—like student loans—that involve collecting nonpublic personal information (NPI). To comply, USU has put in place administrative, technical, and physical safeguards under its Information Security Program.
What the Safeguards Rule Requires
The rule aims to:
- Keep customer data, including NPI, secure and confidential
- Prevent threats, breaches, or unauthorized access
- Minimize the risk of misuse, loss, or harm to individuals
Every covered institution must have a formal, written information security program appropriate to its size, complexity, and the sensitivity of the data it handles.
Key Requirements
USU must:
- Appoint staff to coordinate the security program – At USU, this responsibility is held by the Chief Information Security Officer (CISO), who oversees the implementation and management of our GLBA-related safeguards.
- Assess risks to NPI across systems, staff, and processes
- Implement safeguards and monitor their effectiveness
- Oversee third-party vendors, ensuring contracts require data protection
- Update the program as needed based on internal reviews or changes in operations
Why Does This Apply to USU?
Although GLBA originally targeted financial institutions, the Federal Trade Commission (FTC) has extended coverage to higher education institutions, which often provide or manage student loans or other forms of credit.
In addition, the U.S. Department of Education requires universities to follow GLBA as part of the Federal Student Aid (FSA) participation agreements.
How Does USU Stay Compliant?
USU maintains compliance through:
- University-wide policies and standards
- Campus-level procedures for handling sensitive data
- Clear responsibilities for protecting information
USU’s Information Security Program is designed to work in harmony with other applicable state and federal privacy laws.
Does This Apply to My Department?
Yes—if your department:
- Handles student or employee loans
- Provides tuition payment plans or financial assistance
- Works with collection agencies
- Manages NPI as part of any financial service
Even if your department doesn’t directly offer these services, you must still comply if you access or maintain NPI from shared systems.
What Should My Department Do?
If your team handles NPI, make sure to:
- Review internal policies for data protection
- Train your team on safeguarding NPI and reporting risks
- Review contracts with vendors handling sensitive data
- Reach out to USU's Chief Information Security Officer for help evaluating risks and ensuring safeguards are in place
What About Third-Party Vendors?
A service provider under GLBA is any third party that collects, stores, or accesses NPI on behalf of USU. These vendors must be:
- Carefully evaluated for their data protection practices
- Required by contract to implement strong safeguards
USU’s Information Security, Privacy, and Procurement teams work together to review vendor contracts and ensure compliance with GLBA requirements.