Gramm Leach Bliley Act (GLBA)In recognition of the importance of protecting personal financial information, the GLBA was signed into law on November 12, 1999. The act dictates that financial institutions must, under 15 USC 6801 Section 501, 505(b) and 507, establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, physical and technical safeguards. GLBA further states that "it is the policy of the Congress (and now the United States) that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information." These safeguards must be sufficient to:
- insure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of such records; and
- protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Compliance DatesThe effective date for implementing these guidelines is dependent upon which government agency is responsible for regulating your financial institution. See the chart below for a further explanation:
|Financial Institutions Regulates||Implemetation
|FDIC||Primary federal regulator of state-chartered "nonmember" banks--commercial and savings banks that are not members of the Federal Reserve System.||July 1, 2001||July 1, 2003|
|OTS||Primary regulator of all federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations.||July 1, 2001||July 1, 2003|
|OCC||Charters, regulates, and supervises all national banks. Also supervises the federal branches and agencies of foreign banks.||July 1, 2001||July 1, 2003|
||May 23, 2003||May 23, 2006
(To conform third-party
service contracts entered into before July 24, 2002)
|FRB||Primary federal regulator for state-chartered banks that are members of the Federal Reserve System, as well as for all bank and financial holding companies and certain operations of foreign banking organizations.||July 1, 2001||July 1, 2003|
|NCUA||Charters and supervises federal credit unions and insures the deposits in all federal and many state-chartered credit unions.||July 1, 2001||July 1, 2003|
|Supervise state-chartered banks, savings institutions, and credit unions.||July 1, 2001||July 1, 2003|
|State Insurance Authorities||Insurance companies are regulated at the state level.||varies by state||varies by state|
How can Information Risk Group assist your company in complying with these guidelines?Regardless of size all financial institution must take specific actions to comply with GLBA. The steps that must be taken vary slightly by regulating agency; however, each agency has based its guidelines around a common set of information security principles.
Each financial institution must develop a written information security plan that includes:
- designate one or more employees to coordinate the safeguards
- identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks
- design and implement a safeguards program, and regularly monitor and test it
- select appropriate service providers and contract with them to implement safeguards
- evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.
- Information Security Plan Development
- Execution of a security assessment designed to comply with Section 501 and 505(b) of the GLBA
- Inicident Response to security penetrations inline with GLBA guidance
- Annual host and perimeter vulnerability assessments
- Implementation and design review of Intrusion Detection Systems, Incident Response and Business Continuity Plans
Contact IRG today for further information on how we can help you comply with GLBA.
Info Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609
Offering information security and risk management services to companies throughout the Americas.