To: Deans, Directors, and Department Heads
From: Robert F. Pack, University Privacy Officer and Customer Security Officer
Date: May 27, 2009
Subject: Customer Information Security Plan
Attached for your immediate review and implementation is the revised University Customer Information Security Plan. This plan is a comprehensive response to the efforts by various governmental agencies to secure sensitive information that is collected by the University. Its revision is in response to regulations recently enacted by the Federal Trade Commission under its “Red Flags” rule. As it had previously done, the plan continues to represent the University’s implementation of the federal Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, and the Pennsylvania Breach of Personal Information Notification Act.
I would ask that you carefully review the specific measures that you have taken to protect and secure sensitive personal information that you collect and retain. Each of you was earlier asked to conduct such a comprehensive review and to put in place a plan to ensure the security of such information. If you are operating under an approved plan, you need not submit it for further review. If you have not yet developed such a plan, please do so immediately and send it to me for consideration. If you have any questions concerning the implementation of such a plan, please contact Ted Fritz in the Office of General Counsel.
Thank you for your immediate attention to this request.
c: Ted Fritz