University information security and identity theft protection program

Purpose

The purpose of the University Information Security and Identity Theft Protection Program is to support of the mission of the University and to comply with the Gramm-Leach-Bliley Act of 2000 (GLB) and the Federal Trade Commission’s Red Flag Rule. The Program establishes the governance structure for information security throughout the University.

Policy

Lynn University has adopted an Information Security and Identity Theft Prevention Program in compliance with the Gramm-Leach-Bliley Act of 2000 (GLB) and the Federal Trade Commission’s Red Flag Rule.

GLB mandates that the University designate an officer to coordinate the information security program, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees and volunteers who have access to customer’s sensitive information, oversee service providers and related contracts, and evaluate and adjust the program periodically. The Red Flag Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003, has similar requirements, including mandating Lynn University to have a program to identify, detect and respond appropriately to relevant “red flags.”

It is the policy of Lynn University to identify and safeguard the University’s Confidential Business Information and Personally Identifiable Information with the appropriate procedures to insure compliance with the GLB Act and to detect and respond appropriately to relevant “Red Flags” in compliance with the Fair and Accurate Credit Transactions Act.

Operational responsibility of the University’s Information Security and Identity Theft Prevention Program is delegated to the Chief Information Officer.

Definitions

Confidential Business Information—any information, including Directory Information, PII, and Student and Employee Financial Information that can be linked to any individual, including but not limited to, students, faculty, staff, patients, or contractors. Confidential Business Information and all applications storing and transmitting such data, regardless of the media on which they reside, are valuable assets, which the University has an obligation to manage, secure, and protect.

Directory Information: means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. The University designates the following categories of student information as public, or directory information: a student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, the most recent educational agency or institution attended, electronic mail addresses and photographs. It also states that directory information does not include a student’s social security number or student identification number. “Directory information” however does include, student identification numbers or user identification when such identifiers cannot be used to gain access to education records unless used in conjunction with other factors authenticating the user’s identity.

Employee Financial Information—that information the University has obtained from an employee in the process of offering a benefit or service. Offering a benefit or service includes all University sponsored benefit plans and University financial services such as flexible spending accounts, and personal payroll services. Examples of employee financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.
Student Financial Information—that information the University has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Identity Theft—means fraud committed or attempted using the PII of another person without authority.

Personally Identifiable Information (“PII”)—any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity that is not been designated as directory information, such as social security number, place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

Red Flag—is a pattern, practice or specific activity that indicates the possible existence of Identity Theft.

Procedures / Guidelines

Not applicable.

To learn more about this policy or the supporting procedures, please contact Information Technology.

Policy updated on: Oct. 24, 2018