Overview
Our expert security consultants help identify and analyze gaps between your current security state and the requirements of security best practices. The scope of services encompasses the entire spectrum: from development of a formal security program, approved by the board of directors, to implementing all the necessary procedural, technical and physical controls. Our GLBA compliance services assist not only in meeting the Privacy requirements of GLBA, but also in implementing a comprehensive Security Controls Framework based on ISO 27001 practices.
Our services include:
- Identifying and assessing risks that threaten client information.
- Developing security policies and procedures to manage and control these risks.
- Identifying gaps in your agency's security program.
- Helping you implement security best practices.
- Providing assistance in implementing the security policies.
- Providing detailed recommendations for ongoing conformity.
- Conducting periodic audits to ensure a consistent level of Information Security in the organisation.
- Security expertise from Security Brigade's team of experienced security professionals.
Features
Security Brigade has demonstrated continued success helping public organisations quickly and simply achieve security best practices that meet the requirements of the Gramm-Leach-Bliley Act.
In order to streamline security and help achieve security best practices for the Gramm-Leach-Bliley Act, we leverage a five-step process that identifies and analyses gaps in the current security state compared to requirements for security best practices. We then design and help implement solutions to close those gaps and ensure ongoing conformity.
Key Features
- Regular risk assessments.
- Major infrastructure changes undergo technical and non-technical evaluations.
- Documented policy and procedures.
- Risk assessments determine appropriate controls for given situations.
- Logging of all access to personal information.
- Capability to detect potential intrusions and the placement of intrusion detection devices.
- Firewalls form a core component of network security.
- Authentication and access control for access to sensitive information.
- Encryption of storage and transmissions and integrity controls.
- Regular vulnerability scanning helps meet regular technical and non-technical evaluation requirements.
Benefits
Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for financial institutions; it's now a legal requirement.
The Gramm-Leach-Bliley Act mandates that all financial institutions establish appropriate security standards to protect customer data from internal and external threats and unauthorised access occurring through online systems and networks. This level of security is mandatory to ensure companies maintain data integrity and privacy standards for employees and customers that have provided personal information.
- Reduced costs for financial services and insurance.
- Streamlined processing of financial information.
- Improved service for customers.
- Better financial services through reduced errors.
- Improved privacy of personal financial information.
- Security awareness spread throughout the organisation.
- Customer confidence earned through stringent privacy regulations in place.
- Security policies put in place to meet the specific requirements of the organisation.
- Prevention of loss of customers' confidential information.
- Help in achieving and maintaining compliance with federal and state regulations.
- Avoidance of legal complications arising from application security failures.
- Avoidance of the hefty fines that come with compromises of customer data.
Technical Information
The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services.
The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. For example, Citibank merged with Travelers Group, an insurance company, and in 1997 formed the conglomerate Citigroup, a corporation combining banking and insurance underwriting services. Other major mergers in the financial sector had already taken place, such as the Smith-Barney, Shearson, Primerica and Travelers Insurance Corporation combination in the mid-1990s. This combination, announced in 1993 and finalized in 1994, would have violated the Glass-Steagall Act and the Bank Holding Acts by combining insurance and securities companies, if not for a temporary waiver process [[1]]. The law was passed to legalize these mergers on a permanent basis. Historically, the combined industry has been known as the financial services industry.
Privacy
- GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats to security and data integrity.
- Major components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information, or personally identifiable information:
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Protection
Financial Privacy Rule
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.
Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients' nonpublic personal information. (The Safeguards Rule also applies to information of those who are no longer consumers of the financial institution.) This plan must include:
- Designating at least one employee to manage the safeguards,
- Conducting a thorough risk analysis of each department handling the nonpublic information,
- Developing, monitoring, and testing a program to secure the information, and
- Changing the safeguards as needed with changes in how information is collected, stored, and used.
This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
Pretexting Protection
Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). The GLBA encourages the organisations it covers to implement safeguards against pretexting. For example, a well-written plan to meet GLBA's Safeguards Rule ("develop, monitor, and test a program to secure the information") ought to include a section on training employees to recognize and deflect inquiries made under pretext. In the U.S., pretexting by individuals is punishable as the common law crime of False Pretenses.
Financial Institutions Defined
The GLBA defines "financial institutions" as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
- non-bank mortgage lenders,
- loan brokers,
- some financial or investment advisers,
- debt collectors,
- tax return preparers,
- banks, and
- real estate settlement service providers.
These companies must also be considered significantly engaged in the financial service or product that defines them as a "financial institution".
Insurance is regulated first at the state level, provided the state law at minimum complies with the GLBA. State law can require greater compliance, but not less than what is otherwise required by the GLBA.
Consumer/Client Privacy Rights
Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated by online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.
The privacy notice must also explain to the customer the opportunity to 'opt-out'. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the 'opt-out' opportunity, but the privacy notice must inform the customer of this right under the GLBA. The client cannot opt-out of:
- information shared with those providing priority service to the financial institution
- marketing of products or services for the financial institution
- when the information is deemed legally required.