Mid Michigan College will protect, to the extent reasonably possible, the privacy, security, and confidentiality of personally identifiable financial records and information.
This program applies to all personally identifiable financial records and information regardless of where it resides and covers employees and all other individuals or entities using these records and information for any reason. This program also establishes an expectation that members of the college community act in accordance with this program, relevant laws, contractual obligations, and the highest standards of ethics.
The goals for this program are as follows:
The Gramm-Leach-Bliley (GLB) Act requires financial institutions to take steps to ensure the privacy, security and confidentiality of customer records. Because higher education institutions engage in financial activities, such as making Federal Perkins Loans, Federal Trade Commission (FTC) regulations consider them financial institutions for GLB Act purposes.
The GLB Act dictates several specific requirements regarding the privacy of customer financial information. Under the regulations, colleges are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions remain subject to the Safeguards Rule of the Act, which governs the administrative, technical, and physical safeguarding of customer information.
The Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop and maintain a security plan to protect the confidentiality and integrity of personal information. The college’s program seeks to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
The following definitions apply to this program:
Customer: an individual who has obtained a financial product or service from Mid Michigan College to be used primarily for personal, family or household purposes and who has a continuing relationship with the college. Examples of activities which create customer relationships with the college could include obtaining a loan through the college or having a loan for which the college has servicing rights or responsibility.
Customer Information: non-public personal information about an individual who has obtained a financial product or service from the college for personal, family or household reasons, resulting in a continuing relationship with the college. Examples include any extension of credit by the college for personal or family purposes, such as an extension of credit for tuition, fees, etc., and the making and/or servicing of loans and/or financial aid. These situations are subject to GLB even if the individual is ultimately not awarded any financial aid; their non-public personal information is still protected under GLB.
Information Security Program: A program developed, maintained and enforced by the Chief Information Officer to ensure that the information assets of the college are maintained securely.
Service Provider: any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its direct provision of services to Mid Michigan College.
Employee Responsibilities and Access:
The following restrictions apply to all personally identifiable financial records and information maintained by the college and are meant to safeguard the security of these records and to maximize the integrity of the information. College employees are responsible for ensuring that, within their areas of responsibility, appropriate enforcement of the GLB program will be maintained.
College employees are granted access to those data and information resources required to carry out the responsibilities of their position and may not access additional resources without authorization (in other words, employees may not access customer information unless they have a need to know that information to perform their job duties).
Access is determined based on the duties and responsibilities of each position, and each employee is responsible for protecting their means of access from misuse (for example, employees must not share their user name/password(s) with anyone else, or allow others to have access to their keys, etc.).
Employees shall not knowingly alter, destroy, or misuse customer information.
Employees must ensure that any release of customer information is conducted in an appropriate and secure manner (for example, employees should not release customer information without verifying the identity of the person(s) requesting it, and should use password-protected file attachments and/or encrypted email when transmitting confidential information).
Personally identifiable financial records and information, regardless of where they reside, must be maintained in a physically secure location with controlled access.
Centralized and departmental computers and servers must have the appropriate level of physical and electronic security. The level of such security measures depends on the sensitivity of the data they process.
Each department subject to this program must perform an annual risk assessment and participate in security training provided by the Technology Division and the Chief Information Officer.
The Chief Information Officer will review the results of risk assessments and make recommendations to the departments and the Technology Division to improve security systems based on risk assessment results.
The program is administered by the Director of Information Technology.
Kirk Lehr
Director of Information Technology
klehr@midmich.edu
Information security awareness training is also required for all staff working in GLBA affected offices.
In the event Mid Michigan College contracts with a service provider to perform an activity in connection with any personally identifiable financial records and information, the college will take the following steps to ensure that the service provider performs its contracted activities in a secure manner:
Require that service providers have reasonable policies and procedures in place to ensure the security and confidentiality of customer records and information; and
Require, by contract, that all agreements with service providers contain language requiring the service providers to implement appropriate measures designed to ensure that customer information is kept confidential and that it is only used for the purposes set forth in the contract.
Exceptions:
Any exceptions to this program must be approved by the president upon the recommendation of the Chief Information Officer and the Vice President for Finance. Questions regarding this program should be referred to the Chief Information Officer.