Gramm-Leach-Bliley Act

Before the passage of the U.S. Gramm-Leach-Bliley Act of 1999 (GLBA), banks, insurers, securities brokers, and other financial institutions had to act separately. With GLBA, banks can have stockbrokers, and insurers can offer savings accounts, and all the other fertile permutations that an aggressive MBA can conceive. Most GLBA compliance will involve making sure that your security policy refers to some of the threats described by the law, and being able to document that you have exercised due diligence in complying with its requirements.

While some consider GLBA a hunting license for financial sharks, it also has strong provisions about maintaining privacy and security of financial data. You must have compliant policies for financial privacy, safeguards, and pretexting protection ("social engineering") and be able to document that you actively enforce these policies.

Not only must you train your staff, you must make annual disclosure to your customers about what information you collect on them, how it is shared and used, and how you protect it. This is its Financial Privacy Rule.

Written notices are good, but enforcement is better, and GLBA requires that financial institutions have a written information security plan, which covers the personal financial data not only of customers but also of former customers. At least one employee must have formal responsibility for managing the safeguards on these data. Managing the safeguards involves a formal risk assessment, an active monitoring and testing program, and procedures for updating the protection to reflect changes in risk and the ways you use the data.

The "Fraudulent Access to Financial Information" section makes it illegal to use either "social engineering" or "pretexting" to gain access to financial information. This law requires the financial institution to take positive steps to avoid such collection, which would include both staff training and active pursuit of miscreants who set up "phishing" sites.

Be sure your security policy has a clear section on cautions against being "socially engineered", and be able to document that you have taken precautions. Many policies cover actions by your employees, but not necessarily their interaction with the public -- which contains miscreants out to do no good.