INFORMATION SECURITY PROGRAM

As it pertains to the Gramm Leach Bliley Act and the Health Insurance Portability and Accountability Act of 1996, Safeguarding of Electronic Customer Information and Protected Health Information Objectives of the Information Security Program for the Gramm Leach Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA):

  • Ensure the security and confidentiality of customer information in compliance with applicable GLBA rules as published by the Federal Trade Commission.
  • Provide administrative, physical, and technical safeguards to ensure compliance with the HIPAA Security Rule.
  • Safeguard against anticipated threats to the security or integrity of protected electronic data.
  • Guard against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer.

Contents

I. Coordination and Responsibility for the Information Security Program
II. Risk Assessment and Safeguards
III. Employee Training and Education
IV. Oversight of Service Providers and Contracts
V. Evaluation and Revision of the Information Security Program
VI. Definitions
VII. Appendices
VIII. References


1 Purdue University compliance with the HIPAA Privacy Rule is not covered by this document. This Information Security Program document pertains to the GLBA Safeguards Rule and the HIPAA Security Rule.
2 For purposes of HIPAA, only Security Rule risk assessments are covered by this document.

I. Coordination and Responsibility for the Information Security Program

The Coordinator of the Information Security Program is the Chief Information Security Officer (CISO) for Purdue University. The Coordinator has also been designated as the HIPAA Security Officer. The Coordinator is responsible for the development, implementation, and oversight of Purdue University’s compliance with the policies and procedures required by the Gramm Leach Bliley Act (GLBA) Safeguards Rule and the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although ultimate responsibility for compliance lies with the Coordinator, representatives from each of the operational areas are responsible for implementation and maintenance of the specified requirements of the security program in their specific operation.

See Appendix A for the matrix identifying the GLBA operational areas and their representatives. Appendix B includes a list of areas considered for inclusion in this program, but deemed to be outside the scope of the GLBA Safeguards Rule. For additional information about HIPAA, go to https://www.purdue.edu/legalcounsel/HIPAA/index.html. Purdue University maintains compliance with the three segments of the HIPAA Administrative Simplification regulations: the Privacy Rule, Transaction and Code Set Standards, and the Security Rule.

Information Security Governance Committee
The above referenced Committee exists to ensure that this Information Security Program is kept current and to evaluate potential policy or procedural changes driven by GLBA. Committee membership may change from time-to-time but will minimally include the Chief Information Security Officer, Director of Audits, Chief Privacy Officer, and representatives from Bursar, Comptroller, Financial Aid, Faculty/Department Head, Registrar, Research and Partnerships, Sponsored Program Services, Treasury Operations, Purdue University Fort Wayne (PFW), and Purdue University Northwest (PNW). Other individuals may be added as deemed necessary.

Questions regarding GLBA impacts on business processes and policies should be directed to the Coordinator of the Information Security Program, questions regarding HIPAA impacts on business processes and policies should be directed to the Chief Privacy Officer, and questions regarding technical issues, risk assessments, and information technology security policy should be directed to the Office of Information Technology Security and Policy.

II. Risk Assessment and Safeguards

There is an inherent risk in handling and storing any information that must be protected. Identifying areas of risk and maintaining appropriate safeguards can reduce risk. Safeguards are designed to reduce the risk inherent in handling protected information and include safeguards for information systems and the storage of paper.

Purdue University has a robust security program, Secure Purdue, with associated policies and practices. These are not restated within this document. The GLBA Information Sheet and HIPAA Information Sheet are located in Appendix C and E, respectively.

III. Employee Training and Education

Employees handle and have access to protected information in order to perform their job duties. This includes permanent and temporary employees as well as student employees, whose job duties require them to access protected information or who work in a location where there is access to protected information. Departments are responsible for maintaining a high level of awareness and sensitivity to safeguarding protected information and should periodically remind employees of its importance. Seemingly minor changes to office layout and practices could significantly compromise protected information if a culture of awareness is not present.

The department representative is responsible for ensuring that staff are trained in the relevant GLBA and HIPAA concepts and requirements. Training materials relative to GLBA, HIPAA, and data handling are available on the web. Upon approval by the Coordinator for GLBA and Chief Privacy Officer for HIPAA, these training templates and other materials may be tailored by each department to reflect their individual training needs. Training may be delivered in a variety of ways that meet the department’s objectives. Departments are responsible for maintaining records of staff that have received training and must be able to produce written copies upon request; however, if training is completed via WebCert, these records are maintained within the system.

IV. Oversight of Service Providers and Contracts

GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Office of Legal Counsel has assisted with language to ensure that all relevant service provider contracts comply with GLBA provisions. Contracts should be reviewed to ensure the following language is included:

[Service Provider] agrees to implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of customer information and further containing each of the elements set forth in § 314.4 of the Gramm Leach Bliley Standards for Safeguarding Customer Information (16 C.F.R. § 314). [Service Provider] further agrees to safeguard all customer information provided to it under this Agreement in accordance with its information security program and the Standards for Safeguarding Customer Information.

The GLBA contract due diligence is considered in various aspects of contract negotiation, including security control reviews. Suggested security language for contracts with third-party providers is represented in Appendix F.

Similarly, HIPAA allows a covered component to disclose protected health information to a business associate who is providing a particular function for the covered entity only if the covered entity obtains satisfactory assurances that the business associate will safeguard the information appropriately as required by HIPAA. Excluded from this requirement are disclosures for treatment, and other exceptions. Standard contracts have been developed by legal counsel. The covered component is responsible for identifying the need for a business associate agreement and should contact the Chief Privacy Officer to determine if a business associate's agreement is required and for issuance of the agreement. Procurement Services may issue a business associate agreement in conjunction with a master agreement and will coordinate with the Chief Privacy Officer should this occur. These contracts should not be issued by covered components independently.

V. Evaluation and Revision of the Information Security Program

GLBA mandates that this Information Security Program be subject to periodic review and adjustment. The most frequent of these reviews will occur within Information Technology Security and Policy where constantly changing technology and constantly evolving risks indicate the wisdom of regular reviews. Processes in other relevant offices of the University such as data access procedures and the training programs should undergo regular review.

This Information Security Program is reevaluated regularly in order to ensure ongoing compliance with existing and future laws and regulations.

VI. Definitions

Covered Component means any area of Purdue University, which is required to be compliant with either GLBA or HIPAA regulations.

CUI (Controlled Unclassified Information) means information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Customer Information means any record containing nonpublic personal information as defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution] or [its] affiliates.

Financial Product or Service means
(i) any product or service that a financial holding company could offer by engaging in a financial activity; and
(ii) Financial Service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

Non-Public Personal Information means
(i) Personally identifiable financial information and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n) (1).

Personally Identifiable Financial Information means any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or 
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.

Protected Information refers to either personally identifiable financial information or protected health information, which is covered by either the GLBA or HIPAA.

Protected Health Information (=individually identifiable health information) is information that is a subset of health information, including demographic information collected from an individual, and:
(i) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(ii) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

a. That identifies the individual; or
b. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Examples of Activities the FTC is Likely to Consider as a Financial Product or Service include:
• Student (or other) loans, including receiving application information, and the making or servicing of such loans
• Financial or investment advisory services
• Credit counseling services
• Tax planning or tax preparation
• Collection of delinquent loans and accounts
• Sale of money orders, savings bonds or traveler’s checks
• Check cashing services
• Travel agency services provided in connection with financial services
• Real estate settlement services
• Money wiring services
• Issuing credit cards or long term payment plans involving interest charges
• Personal property and real estate appraisals
• Career counseling services for those seeking employment in finance, accounting or auditing
• Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products
• Obtaining information from a consumer report
• Providing or issuing annuities

VII. Appendices

A. Business Processes Considered In-Scope under GLBA
B. Business Processes Considered Out-of-Scope under GLBA
C. GLBA Information Sheet
D. Communication from the United States Department of Education Protecting Student Information
E. HIPAA Information Sheet
F. Suggested Service Provider Contract Language

VIII. References

GLBA and HIPAA Training Templates (departments are responsible for maintaining records of staff that have received training). Note: Either training template may be used or departments may adapt, with permission, the training template relative to departmental needs.

• General GLBA Training https://www.purdue.edu/bursar/pdf/GLBATraining.pdf
• HIPAA Liaison Training https://www.purdue.edu/legalcounsel/HIPAA/LiaisonTrainingTrackingandReleasing1.pdf
• HIPAA Research Training https://www.purdue.edu/legalcounsel/HIPAA/Training.html
• HIPAA Staff Training https://www.purdue.edu/legalcounsel/HIPAA/Training.html

Legal References (citations)

• 15 USC, Subchapter I, §§ 6801-6809 (Gramm-Leach-Bliley Act)
• Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of 18, 26, 29, and 42 U.S.C.). (Health Insurance Portability and Accountability Act of 1996)
• 16 CFR, Part 313 (Privacy Regulations, see reference to Family Educational Rights and Privacy Act (FERPA).)
• 20 USC, Chapter 31, 1232g (FERPA)
• 34 CFR, part 99 (FERPA regulations)
• 16 CFR, part 314 (Safeguard Regulations, as published in the Federal Register, 5/23/02)
• 45 CFR, parts 160 & 164; 68 Fed. Reg. 8334 (Feb. 20, 2003) (HIPAA Security Regulations)
• NACUBO Advisory Report 2003-01, issued 1/13/03
• FTC Facts for Business: Financial Institutions and Customer Data: Complying with the Safeguards Rule, published September 2002

Selected University Policies, Executive Memoranda (referenced)

• No. B-50, Terms and Conditions of Employment of Faculty Members, https://www.purdue.edu/policies/human-resources/b-50.html
• Terms and Conditions of Administrative and Professional Staff Employment (VI.F.5), https://www.purdue.edu/policies/human-resources/vif5.html
• Operating Procedures for Responding to Requests for University Records, https://www.purdue.edu/business/records/Public_Records/index.html
• Delegation of the President’s Authority (V.B.5) https://www.purdue.edu/policies/governance/vb5.html
• Assignment of Authority and Responsibility for the Retention and Disposal of University Records (V.B.3), https://www.purdue.edu/policies/governance/vb3.html
• Access to Student Education Records (VIII.A.4), https://www.purdue.edu/policies/records/viiia4.html
• Social Security Number Policy (VII.B.7), https://www.purdue.edu/policies/information-technology/viib7.html
• Authentication and Authorization (VII.B.1), https://www.purdue.edu/policies/information-technology/viib1.html
• Incident Response (VII.B.3), https://www.purdue.edu/policies/information-technology/viib3.html
• Acceptable Use of IT Resources and Information Assets (VII.A.4), https://www.purdue.edu/policies/information-technology/viia4.html
• IT Resource Logging (S-11), https://www.purdue.edu/policies/information-technology/s11
• Information Security and Privacy (VII.B.8), https://www.purdue.edu/policies/information-technology/viib8.html
• Data Classification and Handling, https://www.purdue.edu/securepurdue/data-handling/index.php
• Remote Access to IT Resources (VII.B.4), https://www.purdue.edu/policies/information-technology/viib4.html
• Electronic Mail (S-7), https://www.purdue.edu/policies/information-technology/s7.html

Selected Purdue Information Technology Administrative Computing Guidelines or Policies (referenced)

• Standards, https://www.purdue.edu/securepurdue/it-policies-standards/it-standards/access-control-standards.php

Appendix A - Business Processes Considered In-Scope Under GLBA

Matrix updates as of May 2017


Process Free Application for Federal Student Aid (FAFSA) receipt of electronic transmissions
West Lafayette Campus Division of Financial Aid
WL Area Contact Executive Director of Financial Aid
Regional Campus Contact PFW: Director of Financial Aid; PNW: Executive Director, Financial Aid
Rationale Information pertaining to student financial aid eligibility is received and stored.

Process Loans – There are a variety of both federal and private student and parent loan programs available
West Lafayette Campus Division of Financial Aid
WL Area Contact Executive Director of Financial Aid
Regional Campus Contact PFW: Director of Financial Aid; PNW: Executive Director, Financial Aid
Rationale Student loans are considered a financial product or service.

Process Campus Based Loans - Servicing and Collection
West Lafayette Campus URCO oversees the Third Party Vendor Relationship for servicing Purdue’s campus based loans
WL Area Contact Assistant Comptroller, Receivables and Collections and Third Party Vendor Relationship
Regional Campus Contact N/A
Rationale Student loans are considered a financial product or service. The vendor relationship and associated security of data is contained within the contract.

Process Payment Plans
West Lafayette Campus Bursar
WL Area Contact Bursar
Regional Campus Contact Bursar
Rationale Represents offering “credit” for tuition and fee payments through deferment of amounts due beyond due date. Includes fee for service.

Process Installment Plans
West Lafayette Campus Bursar
WL Area Contact Bursar
Regional Campus Contact Bursar
Rationale Third party arrangements. West Lafayette offers installment plan options through an online payment portal.

Process Accounts receivable, student loan administration, internal collection activities, associated credit reporting, and/or collection agency referrals
West Lafayette Campus University Receivables and Collections Office (URCO) and third party vendors
WL Area Contact Assistant Comptroller, University Receivables and Collections
Regional Campus Contact PFW: Director of Accounting and Fiscal Systems; PNW: Director of Financial Accounting and Reporting
Rationale Systems utilized to bill and collect on general university A/R, student loans, past due tuition and fee amounts, and failed payments. For third party vendors, appropriate contracts have been negotiated.

Appendix B - Business Processes Considered Out-of-Scope Under GLBA

Matrix updates as of May 2017


Process Financial counseling by Compensation and Benefits
West Lafayette Campus Compensation and Benefits
Reason for Exclusion Not applicable under Act
Rationale Purdue University does not provide financial or investment advice.

Process Tax treaty analysis by University Tax Group
West Lafayette Campus University Tax Group
Reason for Exclusion Not applicable under Act
Rationale Purdue University does not provide tax advice or return preparation.

Process BoilerExpress, Don Dollars PMU Gift Cards, and HTM Gift Cards
West Lafayette Campus ID Card Office
Reason for Exclusion Not applicable under Act
Rationale Purdue University is not providing credit, nor is confidential information collected.*

Process Transmission of student information to National Clearing House
West Lafayette Campus Division of Financial Aid/Registrar
Reason for Exclusion Not applicable under Act
Rationale Task is not in conjunction with customers obtaining financial products or services.

Process Affiliated organizations' investments in CMIP and UEP
West Lafayette Campus Investments/Accounting
Reason for Exclusion Not applicable under Act
Rationale Investments are not for individuals and customer information is not captured.

Process Faculty editorships
West Lafayette Campus Various academic areas
Reason for Exclusion Out of Scope
Rationale Services are not provided to individuals; should be cautious about assessing fees for this service as other regulations applicable to banks may apply.

Process Limited tax return (for student orgs) preparation by Tax Group
West Lafayette Campus University Tax Group
Reason for Exclusion Not applicable under Act
Rationale Services are not being provided to individuals.

Process Verification of employment/salary by banks for purposes of employees obtaining loans
West Lafayette Campus Payroll
Reason for Exclusion Not applicable under Act
Rationale Incidental process; not involved in University providing financial products or services. However, good business practices for safeguarding information apply if copies are kept.

Process Direct Deposit (file transmission)
West Lafayette Campus Payroll/Investments
Reason for Exclusion Not applicable under Act
Rationale Transactions involving payroll appear outside of scope of Act. Rational is that if the FTC intended to include these activities, they would not have limited GLBA to “financial institutions” only.

Process Direct Deposit of Financial Aid (file transmission)
West Lafayette Campus Bursar
Reason for Exclusion Not applicable under Act
Rationale This process is managed by the secure billing & payment third party vendor.

Process Direct Deposit of Financial Aid (file transmission)
West Lafayette Campus Bursar
Reason for Exclusion Not applicable under Act
Rationale This process is managed by the secure billing & payment third party vendor.

ACH Activities:


Process Remittance of withholdings
West Lafayette Campus University Tax Group/Investments
Reason for Exclusion Not applicable under Act
Rationale See above.

Process Remittance of child support payments to State of Indiana
West Lafayette Campus Payroll/Investments
Reason for Exclusion Not applicable under Act
Rationale See above.

Process Remittance of PERF/TIAA-CREF/and other SRAs
West Lafayette Campus Compensation and Benefits/Investments
Reason for Exclusion Not applicable under Act
Rationale See above.

Process Dean of Students Emergency Loan Fund
West Lafayette Campus Dean of Students/Loan Operations
Reason for Exclusion Not applicable under Act
Rationale Loans are short term and interest free.

Process Check cashing service
West Lafayette Campus Fiscal Administrator PMU
Reason for Exclusion Not applicable under Act
Rationale Customer information not collected or maintained. Fee is $1.00 based on showing PUID card. FTC rules envisioned “payday” loan operations.*

Process Career counseling for students interested in financial services industry
West Lafayette Campus Director/Center for Career Opportunities
Reason for Exclusion Not applicable under Act
Rationale Customer information is not collected or maintained.*

Process Customer information is not collected or maintained.*
West Lafayette Campus e-Commerce & Credit Card Operations
Reason for Exclusion Not applicable under Act
Rationale Comptroller*

*Denotes rationale that was verified with the Federal Trade Commission.

Appendix C - GLBA Information Sheet

INTRODUCTION

The Gramm Leach Bliley Act (GLBA) is a comprehensive law affecting institutions and departments that deal with financial information, which includes nonpublic personal information such as addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. Due to the fact that Purdue University does significantly engage in student loan making and provides other financial services that use nonpublic personal information, Purdue falls within the definition of “financial institution” under GLBA regulations. For these reasons, Purdue University reviews policies and systems to ensure compliance with the requirements of the GLBA Safeguards Rule. Purdue’s current Family Educational Rights and Privacy Act (FERPA) initiatives will ensure compliance with the Privacy Rules required by the GLBA, limiting the scope of this assessment to the Safeguards Rule.

REQUIREMENTS

The GLBA includes requirements to protect the security, integrity, and confidentiality of this consumer information. To be GLBA compliant, organizations must develop, implement, and enforce a comprehensive information security program including administrative, technical, and physical safeguards as determined appropriate for the institution and data. In addition to developing their own safeguards, organizations are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. The United States Department of Education strongly encourages institutions of higher education to review and understand the standards defined in the NIST SP 800-171, the recognized information security publication for protecting “Controlled Unclassified Information" (CUI). More on this can be found in Appendix D.

University personnel are responsible for recognizing and assessing risks, as well as managing and controlling these accordingly. Due to the size and complexity of the University, a collaborative approach to assessing and mitigating risks exists. This includes, but is not limited to, expertise in the following areas: vendor management and contracts; human resource training; systems, software and network security; legal; and operational monitoring, etc.

ACTIONS REQUIRED

The following basic actions must be taken to satisfy GLBA requirements:

  • Assess risk
  • Manage and control risk
  • Oversee service provider arrangements
  • Adjust the program to work with new technologies

Appendix D - Communication from the United States Department of Education Protecting Student Information

Re: Dear Colleague Letter GEN-16-12, published July 1, 2016 (follow up to Dear Colleague Letter GEN-15-18, published July 29, 2015)

The U.S. Department of Education issued a letter to institutions of higher education reminding of the importance of strengthening their cybersecurity infrastructure and that:

“Under their Program Participation Agreement (PPA) and the Gramm-Leach-Bliley Act (15 U.S. Code § 6801), they must protect student financial aid information, with particular attention to information provided to institutions by the Department of Education or otherwise obtained in support of the administration of the Title IV Federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended.”
Also under their Student Aid Internet Gateway (SAIG) Enrollment Agreement, they “[m]ust ensure that all users are aware of and comply with all of the requirements to protect and secure data from Departmental sources using SAIG.”

The Department of Education also indicated that they are in the process of incorporating the GLBA security controls into the Annual Audit Guide in order to assess and confirm institutions’ compliance with the GLBA. The Department will require the examination of evidence of GLBA compliance as part of institutions’ annual student aid compliance audits.

“The Department strongly encourages institutions to review and understand the standards defined in the NIST SP 800-171, the recognized information security publication for protecting “Controlled Unclassified Information (CUI), a subset of data that includes unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Federal policies. NIST SP 800-171 identifies specific recommended requirements for non-Federal entities that handle CUI, including:

  • Limit information system access to authorized users (Access Control Requirements);
  • Ensure that system users are properly trained (Awareness and Training Requirements);
  • Create information system audit records (Audit and Accountability Requirements);
  • Establish baseline configurations and inventories of systems (Configuration Management Requirements);
  • Identify and authenticate users appropriately (Identification and Authentication Requirements);
  • Establish incident-handling capability (Incident Response Requirements);
  • Perform appropriate maintenance on information systems (Maintenance Requirements);
  • Protect media, both paper and digital, containing sensitive information (Media Protection Requirements);
  • Screen individuals prior to authorizing access (Personnel Security Requirements);
  • Limit physical access to systems (Physical Protection Requirements);
  • Conduct risk assessments (Risk Assessment Requirements);
  • Assess security controls periodically and implement action plans (Security Assessment Requirements);
  • Monitor, control, and protect organizational communications (System and Communications Protection Requirements);
  • Identify, report, and correct information flaws in a timely manner (System and Information Integrity Requirements)

Appendix E - HIPAA Information Sheet

INTRODUCTION

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a comprehensive law affecting institutions and departments that deal with protected health information. University policy defines this as:

Individually identifiable health information, in any form received or created as a consequence of providing healthcare services or health plan benefits (including demographic information). Protected health 
information may include information used for research purposes, if that information identifies or could be used to identify a human research subject.

Because most, if not all of this information is stored, transmitted, and/or processed by various information systems, IT Purdue Systems Security (PSS) assesses the compliance and risk of various departments within not only IT but the rest of the University.

REQUIREMENTS

HIPAA includes requirements to protect the security, integrity, and confidentiality of this health-related information. These requirements apply to departments at Purdue that have been officially designated by the Chief Privacy Officer as covered by HIPAA. To be HIPAA compliant, departments must develop, implement, and enforce a comprehensive security program including administrative, technical, and physical safeguards as determined appropriate for the institution and data. In addition to developing their own safeguards, departments are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

ACTIONS REQUIRED

The following basic actions must be taken to satisfy HIPAA requirements:

  • Assess risk to information systems, applications, and the HIPAA covered data it must protect.
  • Manage and control these risks.
  • Identify business associates in your area and communicate them to the Chief Privacy Officer prior to sharing protected health information with them.
  • Adjust new technologies and programs to satisfy HIPAA requirements.
  • A full risk assessment and compliance recommendation for your department will be performed by ITSP to accomplish these goals.

Appendix F - SUGGESTED SERVICE PROVIDER CONTRACT LANGUAGE

During the term of this Agreement and thereafter, COMPANY shall not disclose or use for the benefit of other than Purdue any confidential information, proprietary information or Restricted Data disclosed to COMPANY as a result of this Agreement. For purposes of this Agreement, the term "Restricted Data" shall include, without limitation: (i) confidential or proprietary information; (ii) any Social Security Numbers; (iii) any Protected Health Information, as that term is defined in 45 C.F.R. §160.103, as amended, of the Health Insurance Portability and Accountability Act (HIPAA) regulations; (iv) any Customer Information, as that term is defined in 16 C.F.R. § 314, as amended, of the Gramm Leach Bliley Safeguards Rule; (v) any information contained in any Education Records, as that term is defined in 34 C.F.R. §99.3, as amended, of the Family Educational Rights and Privacy Act (FERPA) regulations; and (vi) any information protected by any other applicable state or federal law imposing similar privacy or security obligations. COMPANY represents that it does not have in its possession and has not used for the benefit of Purdue any confidential information or documents belonging to others. COMPANY represents that its retention by Purdue will not require it to violate any obligation to others, under agreement or otherwise, or to violate any confidence of others. COMPANY knows of no written or oral agreement or of any other impediment which would inhibit or prohibit the relationship with Purdue provided for herein. COMPANY represents that it will not, by signing this Agreement or performing the services provided for herein, violate any rights, including but not limited to intellectual property rights such as trademark, trade secret and copyright, of any other individual or entity.

SECURITY OF RESTRICTED DATA: COMPANY represents and warrants that it has and maintains a written comprehensive information security program containing appropriate administrative, technical and physical safeguards for the security and protection of Restricted Data. COMPANY further represents and warrants that its security program is periodically reviewed and appropriate updates are implemented to address any gaps identified in its security program. COMPANY agrees to make its security policies and procedures available to Purdue upon reasonable request.

1.1 COMPANY expressly agrees to:

11.1.1 Protect the security and confidentiality of Restricted Data it receives or accesses in accordance with its information security program and this Agreement and further agrees to comply with the requirements of I.C.§ 4-1-10 concerning any social security numbers included in the Restricted Data.
11.1.2 Limit access to Restricted Data to those employees who have a legitimate business need to know the information.
11.1.3 Prohibit disclosure of any social security numbers included in the Restricted Data except as expressly permitted by I.C. § 4-1-10.
11.1.4 Require all of its subcontractors and agents that receive, use or have access to Restricted Data to agree to implement reasonable and appropriate security safeguards to protect it and to agree in writing to the confidentiality and security requirements of this Agreement.
11.1.5 Understand the requirements of I.C. § 4-1-11 concerning breaches of security and notification of disclosures of social security numbers and personally identifiable information, and to immediately report to Purdue any security incident involving any social security numbers or other Restricted Data of which it becomes aware, and to provide Purdue with all information necessary to permit Purdue to timely comply with the notification provisions of I.C.
§4-1-11 and its implementing rules. To the extent COMPANY is required to make its own notification under law concerning any Restricted Data, COMPANY agrees to cooperate with Purdue regarding the notification process prior to making such notification.
11.1.6 Implement reasonable policies and procedures designed to detect and provide appropriate response to relevant “Red Flags” that identity theft may be occurring (as defined in 16 CFR § 681.2) or that may arise in the performance of COMPANY’s activities, if COMPANY has access to customer information from covered accounts under the Red Flag Rules. COMPANY agrees that policies and procedures to detect relevant “Red Flags” are updated periodically. COMPANY further agrees to notify Purdue of the detection of a Red Flag and to implement reasonable steps to prevent or mitigate identity theft.

1.2 COMPANY represents and warrants that it will not use any of Purdue’s Restricted Data for any purpose other than those permitted purposes set forth in this Agreement.
1.3 At the completion of this Agreement, COMPANY will physically or electronically destroy beyond all ability to recover any and all Restricted Data provided to them. This includes any and all copies of the data such as backup copies created at any COMPANY site.