Who is subject to GLBA Compliance?
Many are under the perception that the Gramm-Leach-Bliley Act (GLBA) affects only banks. However, many other organizations involved in providing financial activities are also subject to these regulations, which in turn affects their security posture.
What is GLBA?
GLBA was enacted in 1999 for the purpose of implementing adequate security controls and processes pertaining to how organizations store, access and transmit confidential financial information of individuals. Protecting the privacy of consumers' Personally Identifiable Financial Information (PIFI) obtained in the process of providing financial services to the public is a primary focus of this Act. Enforcement is not limited to the FFIEC: eight federal agencies (e.g. SEC, FDIC, FTC, etc.), as well as state insurance agencies, have enforcement authority.
As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires organizations defined as “financial institutions” to have measures in place to keep customer information secure. Although safeguarding customer information is the law, the FTC advocates that it also makes good business sense by helping to increase consumer confidence.
Are You subject to GLBA Compliance?
The GLB Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of personal information collected from their customers. This includes names, addresses, and phone numbers; bank and credit card numbers; income and credit histories; and Social Security numbers. Accordingly, the definition of “financial institution” includes many businesses that may not normally describe themselves that way.
In addition to banks, securities firms and insurance companies, this also includes, for example, preparers of income tax returns, financial advisors, credit counselors, check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, providers of residential real estate settlement services, collectors of consumer debts, etc. Many colleges involved in student loan processing activities are also required to comply with GLBA. In addition to the direct providers of these services, any organization that receives data from those providers must also comply with GLBA requirements.
Penalties for Ignoring GLBA Compliance
Organizations subject to GLBA face costly penalties for noncompliance. This can include fines up to $100,000 per violation and $192 per record lost in restitution. This also includes fines for officers and directors of up to $10,000 per violation, criminal penalties of up to five years in prison, and revocation of professional licenses.
How does GLBA impact your security posture and risk?
First and foremost, GLBA compliance requires organizations to adopt and maintain a formal security management process based on risk awareness. Many companies treat information security as strictly an IT issue; however, information security is a business risk management issue!
If you’re covered by the Safeguards Rule, the question is whether your security standards and processes are up to snuff! Here are some basic rules on GLBA compliance which are based on standard security management practices:
Designate someone with the specific responsibility for GLBA compliance.
Identify risks to customer information and assess the adequacy of existing security safeguards based on security best practices.
Implement appropriate safeguards to address any gaps.
Monitor the effectiveness of all safeguards on an ongoing basis.
Ensure service providers are capable of meeting GLBA requirements.
Adjust your security program as necessary whenever circumstances warrant.
Information security involves the application of administrative, technical, and physical controls in an effort to protect the confidentiality, integrity, and availability of information. In order for information security to be effective, there needs to be an appropriate balance between controls and risks. A lack of control = a vulnerability. A vulnerability + a threat = a risk. Conducting an annual risk analysis that identifies these vulnerabilities and the threats that could exploit them is a critical element of risk management.
Has your environment been assessed lately? If not, contact us today to discuss the benefits of a Security Risk Management Assessment for your organization!