Practical Guide to Understanding and Complying with the Gramm-Leach-Bliley Act

By: Ecora Software
Published: Dec 16, 2006
Length: 8
Type: White Paper
Overview:
A summary of the background of GLBA, the precedents it sets for securing nonpublic consumer information, and the responsibilities it places on senior management and IT departments to ensure customer data is safeguarded.
Related Categories: Compliance, Network Security

Executive Overview
The success of any financial institution depends on customers’ willingness to place their personal finances in that institution’s care. For years, bank vaults, safety deposit boxes, security systems, and guards offered very visible signs of protection and security to a financial institution’s customers. Today, however, “protection” and “security” are harder to see. The world of banking and finance now operates electronically, hosting and sharing clients’ financial and other nonpublic information on servers and workstations, and across data lines around the globe.

Ensuring the security of this privileged information was the impetus behind the Gramm-Leach-Bliley Act (GLBA), which was signed into law on November 12, 1999.

Section 501 of the GLBA, “Protection of Nonpublic Personal Information,” requires financial institutions to establish appropriate standards related to the administrative, technical, and physical safeguards of customer records and information. The scope of these safeguards is defined in the GLBA Data Protection Rule, which states that financial institutions must:
- ensure the security and confidentiality of customer data,
- protect against any reasonably anticipated threats or hazards to the security or integrity of such data, and
- protect against unauthorized access to or use of such data that would result in substantial harm or inconvenience to any customer.

While the initial deadline for compliance has passed, many organizations have not yet developed an information security program that meets the requirements of GLBA. In fact, on a regular basis, headlines expose the loss of hundreds of thousands and even millions of records at institutions like CitiBank, Bank of America, City National Bank, and CardSystems.

One key to securing customer financial information effectively is completely understanding and controlling the IT infrastructure. Many of the security standards included in both the Interagency Guidelines published by the Federal Financial Institutions Examination Council (FFIEC) and the Safeguards Rule established by the Federal Trade Commission (FTC) are fulfilled when an organization accurately documents and reports on the information held within its IT infrastructure.

In this whitepaper, we’ll summarize the background of GLBA, the precedents it sets for securing nonpublic consumer information, and the responsibilities it places on senior management and IT departments to ensure that customer data is safeguarded. We’ll address the value of change and configuration reporting in meeting the compliance requirements of GLBA, and explain how it can address other critical IT concerns, including business continuity, risk management, and security.

About the Gramm-Leach-Bliley Act
The primary motivation behind the passage of the Gramm-Leach-Bliley Act was “to enhance competition in the financial services industry by providing a framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers....” The law reversed more than six decades of restrictions on financial institutions, and, when President Clinton signed Public Law 106-102 (113 Stat. 1338) on November 11, 1999, consumer insurance, banking, and investment information became accessible through one source.

With the passage of GLBA, legislators directed the respective governing agencies to establish appropriate administrative, technical, and physical safeguards to:
- ensure the security and confidentiality of customer records and information,
- protect against any anticipated threats or hazards to the security or integrity of such records, and
- protect against unauthorized access to or use of such records or information, which could result in substantial harm or inconvenience to any customer.

Protecting Nonpublic Personal Information under the GLBA
Financial institutions, including banks, savings and loan associations, credit unions, insurers, stock brokerages, financial advisors, and investment firms, are all required to comply with the privacy protections afforded to consumers by GLBA.

In addition to the three privacy standards cited above, institutions are required to provide consumers with notice of their policies for sharing information when a customer relationship is established and annually thereafter.

GLBA defines nonpublic personal information (NPI) as personally identifiable financial information provided by a consumer to a financial institution during any transaction or service, or that is otherwise obtained by the financial institution. Nonpublic personal information includes:

- Customer name, address, social security number, account number
- Information a customer provides on an application
- Information obtained on a legal document that pertains to a summons, bankruptcy, divorce, etc.
- Information from a “cookie” obtained in using a website
- Information on a credit report obtained by a financial institution
