Compliance Regulatory Overview: Gramm-Leach-Bliley
Takeaway: In this lesson, we will explore the Gramm-Leach-Bliley Act: who it affects, what not complying could mean to your organization, and best practices for complying.
Lesson 3 of 7
The Gramm-Leach-Bliley Act, formally known as the Financial Services Modernization Act of 1999, is aimed at financial institutions and is enforced by eight separate federal agencies and the states. Gramm-Leach-Bliley provides for a fairly broad interpretation of the phrase "financial institution": it affects not only banks, insurance companies, and securities firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.
10 things you should know about Gramm-Leach-Bliley
Here's a quick rundown of 10 things you should know about this act:
- Gramm-Leach-Bliley covers a wide range of businesses, but not all businesses are required to comply.
- Compliance is not an IT-only project.
- You need to get your security policies in order.
- Potential risks need to be continually identified.
- Both non-public and public information must be protected.
- Annual privacy policy information should include more than a Web page.
- Businesses must keep tabs on third-party providers.
- Data should be encrypted in storage and in transit.
- Data you don't need should be destroyed.
- Contact a lawyer or consultant.
For more details about these points, download 10 things you should know about the Gramm-Leach-Bliley Act.
How does this act affect your storage systems?
One major component of Gramm-Leach-Bliley requires that safeguards be in place to protect your customers' private financial information. According to this section of the act, safeguards must be in place in order to:
- insure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of such records; and
- protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
For the full text, see the Gramm-Leach-Bliley Act.
What should you do to comply?
This overview of Gramm-Leach-Bliley looks at the specific aspects of the act that deal with storage and data security. Author Scott Lowe explains the requirements this way:
"Today's interpretation of Gramm-Leach-Bliley calls for controls on customer data, the strength of which is proportional to the sensitivity of the information being stored. What this means is that your data security goes well beyond your storage device alone and, in fact, encompasses a company's policies and procedures as well as the hardware that maintains the storage infrastructure.
"When it comes to policies and procedures, you need to define who can access which data, and under what circumstances. Further, you should log access to sensitive customer information to help provide accountability and provide a deterrent to insiders who threaten customer privacy."
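The two requirements above, deciding who may read which customer data under what circumstances and logging every access for accountability, are easy to state and easy to get wrong in code. The following is an added example, not code from the original article or from Scott Lowe: a small access gate for non-public customer information that ties each field to an assumed sensitivity tier, permits a role to read only up to its tier and only for a declared purpose, fails closed on unknown roles, purposes, or fields, and writes every attempt (granted or refused) to a hash-chained audit log so that a later edit or deletion of an entry is detectable. The roles, tiers, purposes, and the customer record are constructed for illustration and are not prescribed by the Act.

```python
"""Added example (not from the article or its quoted author): a policy-checked,
audited read of customer non-public personal information (NPI).
Roles, field tiers, purposes and the sample record are illustrative assumptions."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Assumed sensitivity tier per field; higher means more sensitive.
# A field not listed here is treated as the most sensitive tier (fail closed).
FIELD_TIER = {"name": 1, "email": 1, "account_number": 2, "balance": 2, "ssn": 3}
MAX_TIER = 3

# Hypothetical policy: a role may read fields up to max_tier, only for listed purposes.
POLICY = {
    "teller":        {"max_tier": 2, "purposes": {"service_request"}},
    "fraud_analyst": {"max_tier": 3, "purposes": {"fraud_investigation"}},
    "marketing":     {"max_tier": 1, "purposes": {"campaign"}},
}

# Constructed sample record store; every value is fake.
CUSTOMERS = {
    "C-1001": {"name": "A. Example", "email": "a@example.test",
               "account_number": "000123", "balance": "42.00", "ssn": "000-00-0000"},
}

GENESIS = "0" * 64  # prev_hash of the first audit entry


@dataclass
class AuditLog:
    """Append-only log of every access attempt; each entry commits to the previous one."""
    entries: list = field(default_factory=list)
    prev_hash: str = GENESIS

    def record(self, actor, role, purpose, customer_id, fields, allowed, ts=None):
        body = {
            "ts": ts if ts is not None else time.time(),
            "actor": actor, "role": role, "purpose": purpose,
            "customer_id": customer_id, "fields": sorted(fields),
            "allowed": allowed, "prev_hash": self.prev_hash,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = dict(body, hash=digest)
        self.entries.append(entry)
        self.prev_hash = digest
        return entry

    def verify(self):
        """Recompute the chain from the start; an edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def denied_fields(role, purpose, fields):
    """Return the requested fields the policy does not permit; an empty list means allowed."""
    rule = POLICY.get(role)
    if rule is None or purpose not in rule["purposes"]:
        return list(fields)  # unknown role or undeclared purpose: refuse everything
    return [f for f in fields if FIELD_TIER.get(f, MAX_TIER) > rule["max_tier"]]


def read_customer(log, actor, role, purpose, customer_id, fields):
    """Decide, log the decision, and only then disclose or refuse (all-or-nothing)."""
    denied = denied_fields(role, purpose, fields)
    log.record(actor, role, purpose, customer_id, fields, allowed=not denied)
    if denied:
        raise PermissionError(f"{role!r} may not read {denied} for purpose {purpose!r}")
    record = CUSTOMERS[customer_id]
    return {f: record[f] for f in fields}


if __name__ == "__main__":
    log = AuditLog()
    print(read_customer(log, "jdoe", "teller", "service_request", "C-1001",
                        ["name", "account_number"]))
    try:
        read_customer(log, "jdoe", "teller", "service_request", "C-1001", ["ssn"])
    except PermissionError as exc:
        print("refused:", exc)
    print("audit chain intact:", log.verify())
```

Two design choices matter here. The log entry is written before the data is returned, and it is written for refusals as well as grants, so a pattern of denied requests from one account is visible to whoever reviews the log. The request is all-or-nothing rather than silently returning the permitted subset, which keeps callers from learning by trial which fields they are blocked from. In a real deployment the chain head (or the whole log) should be shipped to a system the application's own administrators cannot write to; hash chaining only makes tampering detectable, it does not prevent it.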
To learn more about how to comply with the act, read Are you in compliance with Gramm-Leach-Bliley storage requirements?
For a comprehensive list of Gramm-Leach-Bliley resources, including free downloads, see page two.
Gramm-Leach-Bliley resources
- Gramm-Leach-Bliley: Frequently Asked Questions. The staff of the Federal Trade Commission developed this FAQ to assist financial institutions in complying with the privacy provisions of the Gramm-Leach-Bliley Act and the Commission's financial privacy regulation.
- In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act. The Federal Trade Commission offers a brief look at the basic financial privacy requirements of the law.
- Download: 10 things you should know about the Gramm-Leach-Bliley Act. This handy, two-page list describes 10 things that IT professionals should know about the Gramm-Leach-Bliley Act.
- Gramm-Leach-Bliley Privacy Policy Generator. The Direct Marketing Association (DMA) walks you through the process of creating a privacy policy that meets the notice and opt-out requirements of Gramm-Leach-Bliley through this interactive generator.
- Overview of the Gramm-Leach-Bliley Act. This is a detailed overview of Gramm-Leach-Bliley from the Federal Reserve Bank of San Francisco.
- Careless Web site content can place your company at risk. With all the new accountability laws being enforced today (e.g., Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, etc.), lax security on your Web site might leave you open to downstream liability.
- Discussion: IT should work with Legal Dept. In an excerpt from this discussion post, TechRepublic member kdrungilas says: "Section 501 of the Gramm-Leach-Bliley (GLB) Act mandates that financial services firms implement and enforce a written 'information security program' to protect non-public customer data. Thus, it is imperative that your company be able to monitor and track any electronic information entering or exiting your messaging system as an integral part of IT security." Read this peer's entire post.
- Gramm-Leach-Bliley: Records Management Implications for Financial Institutions. Iron Mountain examines records management implications of the Gramm-Leach-Bliley Act.
White papers
- Remote Service and Support After Gramm-Leach-Bliley. This white paper from Enexity discusses key Gramm-Leach-Bliley requirements as they relate to electronic access to a financial institution's customer information, and how the SecureLink Virtual Support Network product suite can help a financial institution comply with Gramm-Leach-Bliley guidelines while also realizing the benefits of a robust remote support solution.
- Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance. In this white paper from the SANS Institute, Kevin Bong describes a process he developed for conducting an electronic risk assessment in accordance with the Gramm-Leach-Bliley Act, which he used to conduct a risk assessment for Johnson Financial Group.
- E-mail Content Filtering Strategies for GLBA Compliance. E-mail management systems must provide tools and techniques that enable companies to comply with the Gramm-Leach-Bliley Act. This white paper from Tumbleweed Communications outlines a strategy that will enable companies to meet their compliance obligations as they relate to the transmission and disclosure of Nonpublic Personal Information through an e-mail system.
- The Gramm-Leach-Bliley Act versus Best Practices in Network Security. In this white paper from the SANS Institute, the author focuses on Title V, section 501 of Gramm-Leach-Bliley, which mandates that financial institutions implement "administrative, technical, and physical safeguards" for customer records and information.
Vendors
- Cyberguard (SG Series and Gramm-Leach-Bliley solutions)
- SmartSoftKey (AMPLock)
- BindView (Policy Operations Center)
- Vericept (Vericept Intelligent Early Warning, or VIEW)
Course list
- Lesson 1: Sarbanes-Oxley
- Lesson 2: HIPAA
- Lesson 3: Gramm-Leach-Bliley
- Lesson 4: FERPA
- Lesson 5: U.S. Patriot Act
- Lesson 6: European legislation
- Lesson 7: What's next?
Sign up for the Compliance Regulatory Overview series
If you haven't subscribed to this series, automatically sign up today to receive the entire Compliance Regulatory Overview series in your inbox.