Learn about the financial institution safeguards included in the Gramm-Leach-Bliley Act (GLBA) and how your organization can institute an orderly set of compliance steps using an automated configuration audit and control solution.
Daniel J. Langin, 1Attorney at Law, LLC
Unraveling GLBA: Compliance BasicsFor Managers, Officers and Directors of Financial Institutions
white paper
Configuration Control for Virtual and Physical InfrastructuresContents
3 Introduction 3 What Color Is the Fabric? 4 Individual Threads 7 Weaving the Strands Together 8 Conclusion 9 About the Author
2 | WHITE PAPER | Unraveling GLBA: Compliance BasicsIntroduction
A popular song from a decade ago contained the lyric "if . the National Credit Union Administration Guidelines for you want to destroy my sweater, hold this thread as I walk credit unions ("NCUA Guidelines"), and;2away. " The process of unraveling federal legislation to find 6. The FTC Safeguards Rule for credit card companies, credit the core compliance requirements can be similar to the reporting agencies and similar FTC-governed entities process outlined in that song lyric. The hard part is finding ("Safeguards Rule").the thread or threads that will allow the regulated entity to In addition to these regulations, at least two sets of draft end up with an orderly set of compliance steps at the end, regulations concerning incident response are currently rather than a tangled mess of disconnected requirements. pending: The Gramm-Leach-Bliley Act (GLBA) and its implement-ing regulations present one such tightly-knit set of legal . The draft Interagency Guidance on Response Programs for 7requirements. Passed by Congress due to growing concerns Unauthorized Access ("Interagency Guidance") for banks, over identity theft and misuse of consumer financial infor- thrifts and related financial institutions, and; mation, the law requires financial institutions to adopt . the draft NCUA Guidance on Response Programs for numerous measures concerning use, disclosure and protec- Unauthorized Access to Member Information and Member 8tion of the nonpublic personal information of customers. Notice for credit unions ("NCUA Guidance"). Although much attention was initially paid to the privacy Faced with this tangle of federal laws and regulations, provisions of GLBA (which require institutions to develop how can a financial institution determine which threads privacy policies and send privacy notices to customers), to follow? This paper will attempt to unravel GLBA and perhaps more concern lately has been generated among its regulatory regime by defining the general scope of the managers, officers and directors of financial institutions regulations, reviewing the individual compliance measures, over the information security provisions of GLBA, also and then dividing compliance steps into the three primary known as the "financial institution safeguards." categories outlined in 501(b) (administrative, technical The information security requirements of GLBA are found and physical measures). This paper will conclude that the in Section 501(b), which states that the regulatory agen- most tightly knotted threads of GLBA (administrative and 3cies and authorities that govern financial institutions shall technical compliance measures) can be best approached by establish administrative, technical, and physical safeguards to: adopting a configuration audit and control process which (1) insure the security and confidentiality of customer combines technical pro-tections, clear audit trails and records and information; reporting, ongoing evaluation and administrative best prac-(2) protect against any anticipated threats or hazards to tices which support all of the foregoing.the security or integrity of such records; and The reasons for complying with GLBA and its regula-tions are simple. The agencies charged with enforcing GLBA (3) protect against unauthorized access to or use of such may apply sanctions for violations (for example, the FDIC records or information which could result in substan-4 may impose penalties ranging from $5,000 per day up to tial harm or inconvenience to any customer. $1,000,000), and the reputation and viability of institutions To establish the standards required by 501(b), federal agen- may be directly impacted. cies have passed a number of regulations. These include the following: What Color Is the Fabric? . The Interagency Guidelines Establishing Standards for 5Safeguarding Customer Information for banks, thrifts and Defining the General Scope of GLBA Complianceother "traditional" financial institutions (the "Interagency T... [download for more]
