A summary of the background of GLBA, the precedents it sets for securing nonpublic consumer information, and the responsibilities it places on senior management and IT departments to ensure customer data is safeguarded.
WHITEPAPER
Practical Guide to Understanding and Complying with the Gramm-Leach-Bliley Act

Executive Overview

The success of any financial institution depends on customers' willingness to place their personal finances in that institution's care. For years, bank vaults, safety deposit boxes, security systems, and guards offered very visible signs of protection and security to a financial institution's customers. Today, however, "protection" and "security" are harder to see. The world of banking and finance now operates electronically, hosting and sharing clients' financial and other non-public information on servers and workstations, and across data lines around the globe.

Ensuring the security of this privileged information was the impetus behind the Gramm-Leach-Bliley Act (GLBA), which was signed into law on November 12, 1999.

Section 501 of the GLBA, "Protection of Nonpublic Personal Information," requires financial institutions to establish appropriate standards related to the administrative, technical, and physical safeguards of customer records and information. The scope of these safeguards is defined in the GLBA Data Protection Rule, which states that financial institutions must:

- ensure the security and confidentiality of customer data,
- protect against any reasonably anticipated threats or hazards to the security or integrity of such data, and
- protect against unauthorized access to or use of such data that would result in substantial harm or inconvenience to any customer.

While the initial deadline for compliance has passed, many organizations have not yet developed an information security program that meets the requirements of GLBA. In fact, on a regular basis, headlines expose the loss of hundreds of thousands and even millions of records at institutions like CitiBank, Bank of America, City National Bank, and CardSystems.

One key to securing customer financial information effectively is completely understanding and controlling the IT infrastructure. Many of the security standards included in both the Interagency Guidelines published by the Federal Financial Institutions Examination Council (FFIEC) and the Safeguards Rule established by the Federal Trade Commission (FTC) are fulfilled when an organization accurately documents and reports on the information held within its IT infrastructure.

In this whitepaper, we'll summarize the background of GLBA, the precedents it sets for securing nonpublic consumer information, and ...

About the Gramm-Leach-Bliley Act

The primary motivation behind the passage of the Gramm-Leach-Bliley Act was "to enhance competition in the financial services industry by providing a framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers...." The law reversed more than six decades of restrictions on financial institutions, and, when President Clinton signed Public Law 106-102 (113 Stat. 1338) on November 11, 1999, consumer insurance, banking, and investment information became accessible through one source.

With the passage of GLBA, legislators directed the respective governing agencies to establish appropriate administrative, technical, and physical safeguards to:

- ensure the security and confidentiality of customer records and information,
- protect against any anticipated threats or hazards to the security or integrity of such records, and
- protect against unauthorized access to or use of such records or information, which could result in substantial harm or inconvenience to any customer.

Protecting Nonpublic Personal Information under the GLBA

Financial institutions, including banks, savings and loan associations, credit unions, insurers, stock brokerages, financial advisors, and investment firms, are all required to comply with the privacy protections afforded to consumers by GLBA.

In addition to the three privacy standards cited above, institutions are required to provide consumers with notice of their policies for sharing information when a customer relationship is established and annually thereafter.

GLBA defines nonpublic personal information (NPI) as personally identifiable financial information provided by a consumer to a financial institution during any transaction or service, or that is otherwise obtained by the financial institution. Nonpublic personal information includes:

- Customer name, address, social security number, account number
- Information a customer provides on an application
- Information obtained on a legal document that...