Gramm-Leach-Bliley Act (GLBA) Policy

Approval Date: 10/8/2025
Last Revision Date:10/8/2025

Board Policy Alignment:   
EL-1 Treatment of Students
EL-2 Treatment of Employees
EL-9 Asset Protection

Responsible Officials: Chief Information Officer, Chief Financial Officer and Vice President for Administration, and Vice President for Student Experience

 


Purpose

Frederick Community College is committed to protecting personal data and adhering to regulations pertaining to safeguarding the personal data of students and employees and any other individual whose personally identifiable information (PII) is collected by the College in carrying out its mission. In accordance with the Gramm-Leach-Bliley Act ("GLBA") (15 U.S.C. § 6801 et seq.) and its implementing regulations at 16 CFR Part 314, the College will implement and maintain a comprehensive written Information Security Program ("ISP") and to appoint a coordinator for the program. The objectives of the ISP are to (1) ensure the confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to customers.


Scope

This policy covers non-public personal information about a student or other third party who has a continuing relationship with the College, where such information is obtained in connection with the provision of a financial service or product by the College, and that is maintained by the College (“covered information”). Non-public personal information includes students' names, addresses, income, social security numbers, account numbers, payment history, loan or deposit balances, credit or debit card purchases, and students' and parents' financial information. Covered information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.

 

Definitions

See the Policy Glossary for definitions of hyperlinked terms in this policy.

 

Policy

The College has designated the Chief Information Security Officer as the qualified individual to be responsible for coordinating and implementing the Information Security Program (ISP). The ISP Coordinator may designate other individuals to oversee and/or coordinate elements of the ISP.

The College’s ISP identifies and assesses external and internal risks to the confidentiality, integrity, and availability of covered information that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The ISP Coordinator will provide guidance to appropriate personnel in administration, academic units, and other College units in evaluating their current practices and procedures and in assessing reasonably the sufficiency of safeguards in place to control these risks.

The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards.

The College will develop and maintain an Incident Response Plan.

The ISP Coordinator will work with the Office of Finance Purchasing to assist in instituting methods for selecting and retaining service providers that can maintain appropriate safeguards for covered information. Contract language shall require Third-Party Providers to implement and maintain appropriate safeguards for those computing resources that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Covered Information.

The ISP program will report annually to the senior leadership of the College on risk posed to the College by information technology, cybersecurity and privacy to the College.

For continuous improvement, the ISP Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to the College’s operations or other circumstances that may have a material impact on the ISP.