Third Party Agreements / Confidential Information
- References: Gramm-Leach-Bliley Act; FTC-15USC Subchapter I, §6801-6809 & Subchapter II, §6821-6827
- Issue Date: April 2007
- Revision Date: December 2018
- Expiration Date: N/A
Federal legislation designed to ensure the privacy and safeguarding of confidential information places specific requirements on the University when the University allows access to or shares custody of it’s confidential information with third parties. Third parties may include those who store or destroy confidential information; conduct forensic investigation of electronic data; or conduct other electronic communication services.
California State University, Long Beach shall take reasonable measures to select and retain third parties that are capable of maintaining appropriate safeguards for the information at issue; and shall require each third party, by written Agreement, to implement and maintain such safeguards. The University shall not contractually engage a third party who cannot demonstrate that they are capable of maintaining appropriate safeguards to protect information or who cannot demonstrate that they maintain required insurance coverage.
When Agreements are established with contractors, consultants, or external vendors, (third parties) those Agreements shall include satisfactory assurances that the contracting third party will appropriately safeguard information in accordance with federal and state laws and regulations, University policies, and contractual obligations. When providing access to or passing confidential information to a third party agent of the University, the written contractual Agreements shall include terms and conditions that:
- prevent disclosure of confidential information by the third party to other third parties including subcontractors,
- require third parties to observe federal and state laws and University policies for privacy and security,
- require a specific plan by the third party for the implementation of administrative, technical, or physical security strategies to protect CSULB confidential information,
- require a plan for the destruction or return of confidential information upon completion of the third party’s contractual obligations,
- specify access or authorization permissions and restrictions necessary to fulfill contractual obligations.
- when appropriate require third parties to adhere to the PCI DSS requirements.
Access shall be terminated when contractual obligations have been completed.
The following requirements govern Agreements with third-parties in those instances where the third party may have access to confidential information:
- Prior to the University entering into contractual agreement with a third party, the Purchasing Office shall determine the adequacy of the third party’s system of safeguarding information. Depending on the service to be provided, the University may consider reviewing the third party’s audits, summaries of its test results for security, or other internal and external security evaluations. The Purchasing Office may be aided in this determination by the University Risk Manager, Internal Auditing Services, and/or Information Technology Services.
After the third party’s system of safeguarding information has been determined to be adequate, the Purchasing Office shall execute the Agreement which shall include a privacy clause which requires the third party to implement appropriate measures to safeguard the confidential information, to refrain from sharing any such information with any other party, and obtain evidence that CSU minimum insurance requirements have been met.
In addition to the CSU insurance requirements for service agreements, Third party agreements/confidential information shall include the requirements that the third party be bonded and maintain commercial liability insurance or a program of cyber risk insurance which protects against allegations of violations of privacy rights of individuals as a result of misuse, theft, or improper or insufficient care of confidential information on the part of the third party. The third party shall provide to the University, documentation including Certificates of Insurance that evidence these requirements.
Information Security Office