Gramm-Leach-Bliley Act

From Citizendium
Revision as of 18:46, 10 November 2009 by imported>Howard C. Berkowitz

Before the passage of the U.S. Gramm-Leach-Bliley Act of 1999 (GLBA), banks, insurers, securities brokers, and other financial institutions had to act separately. With GLBA, banks can have stockbrokers, insurers can offer savings accounts, and all the other fertile permutations that an aggressive MBA can conceive become possible. Most GLBA compliance will involve making sure that the corporate security policy refers to the threats described by the law, and being able to document that the organization has exercised due diligence in complying with its requirements.

While some consider GLBA a hunting license for financial sharks, it also has strong provisions about maintaining the privacy and security of financial data. You must have compliant policies for financial privacy, safeguards, and pretexting protection ("social engineering"), and be able to document that these policies are actively enforced.

Not only must staff be trained, you must make an annual disclosure to your customers on what information is collected about them, how it is shared and used, and how you protect it. This is the Financial Privacy Rule. There are, however, interacting laws, such as the Bank Secrecy Act and the Right to Financial Privacy Act, which require that certain information collected and provided to law enforcement must not be disclosed to customers.

Written notices are good, but enforcement is better, and GLBA requires that financial institutions have a written information security plan, which covers the personal financial data not only of current customers but also of former customers. At least one employee must have formal responsibility for managing the safeguards on these data. Managing the safeguards involves a formal risk assessment, an active monitoring and testing program, and procedures for updating the protection to reflect changes in risk and in the ways you use the data.

The "Fraudulent Access to Financial Information" section makes it illegal to use either "social engineering" or "pretexting" to gain access to financial information. This law requires the financial institution to take positive steps to prevent such collection, which would include both staff training and active pursuit of miscreants who set up "phishing" sites.

Be sure the security policy has a clear section cautioning against being "socially engineered", and be able to document that precautions have been taken. Many policies cover actions by employees, but not necessarily their interaction with the public, a public which contains miscreants out to do no good.