Financial Information
#Why is this Important
#Reference
#Criticality
#Sample RFP Language
#Sample Contract Clauses
Why is this Important:
Institutions of higher education might have other obligations regarding use of data under federal, state, or local laws, regulations, or contractual obligations. Generally speaking, an institution may not be able to alleviate such obligations by contracting with a third party to perform functions that use regulated data. Clauses that include instructions to contracting third parties regarding regulatory requirements help to protect the institution in the event of an unauthorized disclosure or breach.
Reference:
The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102 (1999), privacy protections are codified at 15 USC § 6801 et seq.).
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)
Criticality: Category 1, Category 2, and Category 4.
Sample RFP Language:
- Proposer may create, receive from or on behalf of Institution, or have access to financial records or record systems that are subject to the Gramm-Leach-Bliley Act (GLBA) (Public Law). Describe the security features incorporated into the product to safeguard records subject to GLBA.
Sample Contract Clauses:
- GLBA Compliance. [Vendor] agrees that it will execute a GLBA Business Associate Agreement ("BAA") with Institution and the BAA will be in the form set forth in Exhibit E, GLBA Business Associate Agreement, attached and incorporated for all purposes.]
Federal, state, or local law, regulation, or contractual obligation
Questions or comments? 
Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).