Gramm-Leach Bliley Act (GLBA)

Passed: November 1999

Purpose: To protect the information financial institutions collect about customers.

Types of companies affected: Mainly financial institutions, but also any company that collects name, Social Security number and bank account number from customers or employees.

Gist: On May 23, 2003 the act's Safeguards Rule came into effect, forcing financial institutions to design, implement and maintain safeguards to protect customer information.

Effects on IT departments: All companies that collect financial information must take security measures, such as maintaining firewalls, installing and updating virus protection, and scheduling routine security audits, as well as developing and implementing privacy policies.

Opinion: "Most IT departments are aware that they must protect information, but they aren't specifically aware that there are federal regulations enforcing this." Stan Gatewood, CISO of UGA InfoSec

10 Things You Need to Know...

In 1999, the US Congress passed the Gramm-Leach-Bliley Act, formally known as the Financial Modernization Act of 1999. This act imposes privacy legislation on financial institutions by regulating how information can be shared. Because most sensitive information is stored on or shared through the UC network, we should understand how the Act affects UC. Here are ten things that you should know about the Gramm-Leach-Bliley Act.

1) The Gramm-Leach-Bliley Act covers a wide range of businesses - Not all businesses are required to comply with the Gramm-Leach-Bliley Act (GLB). For example, if you sell trinkets through a Web site, you don't need to worry about GLB (although you should still safeguard customer information). GLB covers businesses such as banks, appraisal companies, mortgage brokers, securities firms, insurance companies, credit card issuers, income tax preparers, debt collectors, real estate settlement firms, and other companies that may have self-financing plans. For example, if you work at a college and your institution provides loans to students to pay their tuition bills, your institution falls under the GLB umbrella; this is why UC is covered. GLB states that any business "significantly engaged" in financial activities is subject to GLB.

2) Compliance is not an IT-only project - GLB makes information security the purview of executive management. Although information technology is a major component of this process, overall responsibility for securing sensitive information should not be left entirely to IT.

3) Get the information security policies in order - Finalize your written information security policy. GLB requires institutions to "develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any sensitive information."

4) Continually identify potential risks - Keep security standards current. After meeting GLB's initial risk identification requirements, refine those requirements as changes are made in the environment, either through acquisitions or the implementation of new technology. Also update written policies and procedures accordingly. Institutionalize these processes. For example, require every IT project to undergo a complete security analysis and GLB document update before completion.

5) Secure both nonpublic and public personal information and any lists that may be derived from this information - GLB includes provisions for the release of both private and public information. For example, financial institutions may share "directory information," such as a publicly listed phone number, more freely than an account balance or credit card purchases. Even when institutions share publicly available information, they may only do so under specific circumstances. For example, a real estate settlement company may release a home buyer's name and phone number only if the information is part of the public record. GLB defines information in the public record (name and address, for example) as "directory information". Directory information can be shared without the customer's consent. Institutions, however, must offer customers the ability to opt out of such sharing and must honor those requests. GLB also requires that lists compiled from personal information be released only under specific guidelines, even if the underlying information is publicly available. For example, an institution could not release a list of names of mortgage applicants with low credit scores, even if the information is culled from public records.

6) Annual privacy policy notifications should include more than a Web page - GLB requires that institutions notify customers of the institution's privacy policy. This policy must indicate what personal information the institution discloses. It isn't enough for an institution to just bury the notice somewhere on its Web site. Instead, the notice must be completely conspicuous and delivered as a part of a transaction. If the customer has to acknowledge receipt of the privacy policy, the institution has met its responsibility, as long as the notice remains accessible and changes to the policy are similarly provided to the customer.

7) Keep tabs on third-party service providers - All third-party providers with access to confidential customer information should operate under contracts that stipulate what data the provider has access to, how the provider will protect the data, and how the provider will use the data. The contract should also include an assurance from the third party to keep the data confidential and secure.

8) Encrypt data both in storage and in transit - Whether you move data over the network, on CDs, on tapes, or on floppy disks, you should encrypt all sensitive information. If unencrypted data is compromised, the institution could be held liable for the privacy violation. You should also encrypt the data you store - on your SAN, for example - and make sure that access rights are strict and minimal.

9) Destroy what you don't need - Follow the legal retention requirements for the information your organization collects, but destroy what you no longer need. Thoroughly wipe or destroy old floppy disks, CD-ROMs, tapes, hard drives, and other media, including paper documents.

10) Real questions require a lawyer and/or consultant - You already know this, but it's worth repeating. If you have a question whose answer means the difference between the institution being sued and staying out of court, you need to ask legal affairs, even if you do your own research. "But I read on the Internet that this was legal" won't likely be a suitable defense if you fail to follow GLB guidelines.

For more info, visit http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act


  • University of Cincinnati UCIT Office of Information Security
  • University Hall
  • 51 Goodman Drive
  • Cincinnati, OH 45221