Gramm-Leach-Bliley Act (GLBA)
The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act) (GLBA) includes provisions to protect consumers' personal financial information held by financial institutions. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule under section 501(b), requiring financial institutions under FTC jurisdiction to secure customer records and information.
The three main objectives of GLBA 501(b) are to:
- Ensure the security and confidentiality of customer records and information
- Protect against any anticipated threats or hazards to the security or integrity of such records
- Protect against unauthorized access or use of such records or information which could result in substantial harm or inconvenience to any customer.
Under GLBA, almost any organization that handles consumers' money is considered a financial institution. Some inclusions are obvious (e.g. a bank, credit union or brokerage), but many less obvious organizations are included as well.
Some examples from the FTC include:
- Preparers of income tax returns
- Consumer credit reporting agencies and credit counseling services
- Real estate transaction settlement services
- Debt collection agencies
In addition to the direct providers of those services, any organization that receives customer data from those providers must also comply with GLBA requirements. The FTC uses an extremely broad definition of the term "financial institution" for the purposes of GLBA.
GLBA Compliance - Safeguards Rule
The Safeguards Rule, which went into effect in 2003, requires that included institutions take proactive steps to ensure the security of customer information.
At a minimum, institutions must:
- Appoint an individual or group to bear specific responsibility for GLBA compliance.
- Identify risks to customer information and assess existing safeguards.
- Implement safeguards that are needed to fill any gaps.
- Monitor the effectiveness of all safeguards.
- Ensure service providers are capable of meeting GLBA requirements.
- Adjust the organization's security program as necessary when circumstances change.
Compliance with GLBA is a serious matter. Failure to comply has serious consequences for the individuals and organizations found to be in violation.
Federal Financial Institutions Examination Council (FFIEC)
The Federal Financial Institutions Examination Council (FFIEC), composed of examiners from the various regulatory bodies tasked with GLBA enforcement, has created an Information Security Handbook and an exhaustive set of tests to assess compliance with the Safeguards Rule, including over 20 specifically related to intrusion prevention and detection.
The security process recommended by the FFIEC comprises five key areas:
- Information security risk assessment
- Information security strategy
- Security control implementation
- Security testing
- Monitoring and updating