Protecting Personal Information Under Gramm-Leach-Bliley

Sage Information Security exists to help our clients protect their information assets. This makes good business sense, and in many cases it is also a legal requirement. Sage Information Security is not a law firm, and we cannot provide legal advice. If you need legal advice, you should consult with a qualified attorney. This white paper discusses the business requirements of Gramm-Leach-Bliley. If you have questions about this information, or would like a free consultation, please give us a call.

Overview

The Financial Modernization Act of 1999, more commonly known as the Gramm-Leach-Bliley Act, defines strict requirements for businesses to protect personal information they collect. The purpose of this white paper is to explain this law in general terms, including the requirements for business owners and managers to be in compliance with federal law.

The year 2005 was catastrophic for information security. Professional criminals stole the personal information of nearly 50 million Americans. The misuse of personal information has become more serious as identity theft has become a major problem for consumers and financial institutions. Hacking is no longer a juvenile problem. There are well-organized international criminal enterprises specializing in stealing personal information and using it to commit fraud.

The US government has responded with a set of laws to protect the privacy of consumer information. Consumer information held by financial institutions (and the FTC has chosen to interpret "financial institutions" very broadly, including merchants in some cases) is protected under the Gramm-Leach-Bliley Act. Businesses have also been prosecuted in the last year for disclosing consumer information under the Federal Trade Commission Act and the Fair Credit Reporting Act.

Before 2004, law enforcement narrowly targeted specific industries, and there were no requirements to reveal breaches of private information. That has changed: 23 states (including North Carolina) have enacted laws requiring businesses to notify individuals whose personal information has been lost or stolen from a company's systems. More states are enacting such laws, and federal legislation is almost certain to come soon. This represents a clear risk to businesses, for two reasons. First, it is quite expensive to notify consumers under the breach laws. Second, companies can be held liable for consumer losses if they are responsible for the theft of an individual's data. Businesses are now required to safeguard personal data, and failure to do so represents a major financial risk.

Elements of Gramm-Leach-Bliley

The GLB Act has three main requirements: The Financial Privacy Rule, the Safeguards Rule, and the Pretexting section. GLB gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," broadly defined. This includes not just banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers, including lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. The Pretexting section of GLB protects consumers from individuals and companies that obtain their personal financial information under false pretenses.

The Financial Privacy Rule

The Financial Privacy Rule of Gramm-Leach-Bliley governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information from a financial institution. The rule protects information collected about consumers; it does not apply to information collected in business or commercial activities.

Who is covered under the Financial Privacy Rule?

Banks
Insurers
Securities Firms
Consumer Lenders
Tax Preparers
Financial Advisors
Credit Counselors
Debt Collection Agencies

For a more complete explanation of who is covered under the Financial Privacy Rule, visit the FTC website.

Under the Financial Privacy Rule, a company's obligations differ for consumers and customers. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. The distinction matters, because customers must receive a privacy notice every year for as long as the customer relationship lasts. Consumers are entitled to receive a privacy notice from a financial institution only if the company shares the consumers' information with companies not affiliated with it, with some exceptions. The privacy notice must be a clear, conspicuous, and accurate statement of the company's privacy practices. It explains what information the company collects about consumers and customers, who it shares the information with, and how it protects the information. The notice applies to all "nonpublic personal information" the company gathers and discloses about its consumers and customers. This usually means all the information a company has about them.

Consumers and customers have the right to say no ("opt-out") to having their information shared with certain third parties. The privacy notice must explain how to opt-out, and offer a reasonable way to accomplish this.

Gramm-Leach-Bliley also limits how anyone who receives consumer information from a financial institution can use or share that information. For example, a mailing company that receives customer information in order to mail account statements, where the consumer has no right to opt out, can only use that information for that limited purpose: mailing account statements. It cannot sell the information to other organizations or use it for marketing. When a company receives consumer information from a financial institution that provided an opt-out notice, and the consumer did not opt out, the receiving company may use the information for its own purposes or re-disclose it to a third party, consistent with the financial institution's privacy notice.

The Safeguards Rule

The Safeguards Rule requires all covered financial institutions to design, implement and maintain safeguards to protect the personal information collected from their customers. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions. It applies to businesses, regardless of size, that are "significantly engaged" in providing financial products or services to consumers. Financial institutions are responsible for developing their own safeguards. They are also responsible for taking steps to ensure that their affiliates and service providers safeguard the customer information in their care.

Who is covered under the Safeguards Rule? Among others, the following businesses are covered:

Banks
Mortgage brokers
Data processors
Non-bank lenders
Real estate appraisers
Professional Tax Preparers
Courier Services
Credit Reporting Agencies
ATM Operators
Automotive Dealerships

For more information on who is covered under the Safeguards Rule, visit the FTC website.

Complying With the Safeguards Rule

The Safeguards Rule requires businesses to develop a written information security plan that describes their program to protect customer information. The plan must suit the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each financial institution must:

Designate one or more employees to coordinate the safeguards
Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks
Design and implement a safeguards program, and regularly monitor and test it
Select appropriate service providers and contract with them to implement safeguards
Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards

Gramm-Leach-Bliley does not have a requirement that companies notify consumers if their information is stolen. Typically, regulators find out about breaches from consumer group complaints, or from computer security researchers who find problems with a company's security. For more information on consumer data disclosure laws, see our white paper on the subject.

Recommended Actions to Comply with the Safeguards Rule

The FTC discusses some recommendations for meeting the requirements of the Safeguards Rule. The next section summarizes the agency's recommendations. Firms need to consider all areas of operation, but three are considered particularly important to information security:

Employee management and training
Information systems
Managing system failures

Specific issues in each of these areas are discussed below.

Employee Management and Training

Firms wishing to show due diligence should consider background checks on new employees who will be working with consumer data. New employees should agree in writing to follow the firm's privacy and security policies. Employees need training on protecting customer information. Some examples of best practices for doing this include:

Keeping sensitive documents in locked rooms or cabinets
Using password protected screensavers
Enforcing a password policy that requires strong passwords, requires passwords to be changed regularly, and does not allow posting passwords near computers
Encrypting sensitive customer information when it is transmitted electronically over networks or stored online
Referring calls or other requests for customer information to designated individuals who have had safeguards training
Training employees to recognize any fraudulent attempts to obtain customer information and to report it to an appropriate authority
Limiting access to customer information to employees who require it to accomplish their jobs
Employees should be aware of the consequences of failing to protect customer information.

Information Systems

Companies need to maintain security throughout the life cycle of customer information, from data entry to disposal. This includes information stored both on computers and on paper. Provisions need to be made for secure storage, transmission, and disposal of customer data. Best practices for secure data storage include:

Using storage areas that are protected against destruction or potential damage from physical hazards, like fire or floods
Storing electronic customer information on secured computers that are kept in physically secure areas
Never storing sensitive customer data on a machine connected to the Internet
Making regular backups, and keeping the backup media secure

Secure Data Transmission

The Internet is not secure, so if customer data is to be transmitted across it, provisions should be made for securing the connection. This can be done with the Secure Sockets Layer (SSL) on web servers, or with various virtual private network (VPN) technologies. Employees should be provided with clear instructions and simple tools if they need to transmit customer information across unsecured networks. Best practices in this area include:

Encrypting all sensitive financial data in transit
Making secure transmission automatic when collecting information directly from consumers, and advising consumers against transmitting sensitive data, like account numbers, via electronic mail
Making all access to sensitive data password protected

Disposal of Customer Data

Sensitive customer information must be disposed of in a secure manner. Best practices in this area include:

Designating a records retention manager to supervise the disposal of records containing nonpublic personal information
Shredding customer information recorded on paper with a cross-cut shredder, or using a reputable document disposal service
Erasing all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other media containing customer data
Promptly disposing of outdated customer information
Maintaining a close inventory of your computers

Managing System Failures

If your information security defenses are breached, your firm needs to know this, and to have a plan to respond. A good security program makes provision for preventing, detecting and responding to attacks, intrusions and other system failures. Best practices in this area include:

Developing an incident response plan to address any breaches of your physical, administrative or technical safeguards
Regularly applying vendor software patches and updates
Running anti-virus software that updates automatically
Maintaining up-to-date firewalls on all Internet connections

Conclusion

The Gramm-Leach-Bliley Act requires a new level of sophistication for companies to protect sensitive information. The Financial Privacy Rule restricts what firms can do with consumer data. The Safeguards Rule requires that companies take specific measures to protect consumer data. Companies must develop written information security plans describing their program to protect customer information, designate a security manager, and conduct a risk assessment of their consumer data. Sage Information Security presents this summary of the Gramm-Leach-Bliley Act to help corporations understand what is expected of them. If you have questions on this, or would like a free consultation on addressing any of these issues, please give us a call.

References:

For more about the Financial Privacy Rule:

http://www.ftc.gov/privacy/privacyinitiatives/financial_rule.html
http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm

For more about the Safeguards Rule:

http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html
The text of the Safeguards Rule is posted at http://www.ftc.gov/privacy/privacyinitiatives/safeguards_l&r.html.

For more information on whether your company is a financial institution, please see section 313.3(k) of the Financial Privacy Rule and the Financial Activities Regulations. Both can be found at www.ftc.gov/privacy/privacyinitiatives/financial_rule_l&r.html.