In compliance with the
and the rules
promulgated therein by the Federal Trade Commission, Buffalo State requires that all employees receive the following
guidelines to ensure the security and confidentiality of customer
records and information:
Control access to rooms and file cabinets where paper records
- All doors to office areas must be locked during non-business
- Work areas where customer information is processed must be
behind locked doors or otherwise secured during business hours.
- Guests should be escorted in areas where customer
information is being processed.
- Guests should be restricted to areas that do not have
customer information in plain view. Conversely, customer
information should be kept out of areas accessible to students
and the public.
- File cabinets used to store customer information must be
secured in locked areas.
- Fireproof cabinets used to store promissory notes must be
locked during non-business hours.
Records containing customer information are to be retained
only as long as they are valid, useful, and required to be
retained. When no longer needed, paper, microfilm, and
microfiche records must be destroyed by shredding. Electronic
records must be destroyed according to current guidelines. Retention guidelines are available
Control access to information stored electronically:
- Workstations should be behind locked doors or otherwise
- Employees should "minimize" any computer windows not in use,
to prevent inadvertent breaches.
- Employees are encouraged to password-protect their
workstations when not in use.
- Employees should use strong passwords for all systems (at
least eight characters, alphanumeric).
- Employees should change their passwords every 60 days or
- Employees must not post passwords on or near their
- Access to student and employee records systems will be
granted only to those employees whose job duties require them to
access customer information.
Protect our customers' information:
- Employees should respond to requests for customer
information in accordance with the
Family Educational Rights and
Privacy Act (FERPA). FERPA questions or potential violations
should be referred to the
- Employees should refer to appropriate security policies as needed to
- Employees must report any fraudulent attempt to obtain
customer information to management, who should then report the
attempt to the Vice President for Finance and Management's
Source: Bulletin, Vol. 54, No. 12, November 6, 2008,
policy updated January 2012