According to regulators and observers who have closely monitored the Gramm-Leach-Bliley Act (GLBA), aggressive enforcement and education have made the law an effective instrument of improved data security in the financial services industry.
"There are no hard statistics, but we think that it has made a huge difference," said Jessica Rich, assistant director of the Federal Trade Commission's Division of Privacy and Identity Protection, and one of the authors of the security-specific Safeguards rule in GLBA. "Before 2000, data security was an area characterized by enormous ignorance and negligence -- there wasn't much accountability. This law, along with others, has changed that. But enforcement is part of bigger effort that includes ambitious education initiatives."
Passed in 1999, GLBA -- also known as the Financial Services Modernization Act -- legalized consolidations and mergers among financial services companies and allowed individual firms to offer a much wider range of services, which greatly increased competition in the sector. The market freedoms allowed by GLBA were accompanied by strict rules requiring financial institutions to establish privacy policies for their customers' data and to implement an information security plan to safeguard their clients' personal information.
Stronger data security was critical because the law opened the door to the creation of complex financial holding companies with information interfaces between their diverse subsidiaries, said Edward Kane, professor of finance at the Boston College Carroll School of Management.
"The more interfaces you have, the more ways there are for you to be broken into," said Kane. "You have duties to stakeholders, both your customers and your investors. A hack into your information systems is tremendously damaging to both those groups."
Before GLBA and related regulations -- such as breach notification laws at the state level -- went into effect, Rich said it was difficult for corporate security officers to get the funding they needed to build and harden their information security infrastructures.
"Upper management at some companies didn't see data security as affecting the bottom line," she said. "Now they know that information security problems bring liabilities to their companies and to them personally -- and that the public will find out about them."
GLBA has had more significant effect on data security than similar legislation, such as the Health Insurance Information Portability and Accountability Act (HIPAA), said analyst Michael Rasmussen, president of Corporate Integrity LLC.
"Gramm-Leach-Bliley is a very positive, well-written piece of legislation, and there has been lots of guidance for companies about how to comply with it," he said. "It's also a well-policed regulation -- in contrast to HIPAA, which nobody has ever done much with in terms of enforcement or guidance."
Christopher Mansfield, general counsel for Liberty Mutual Insurance Company in Boston, said that GLBA has not substantially changed his company's information security practices.
"Clearly, the law brought renewed emphasis on what was already a focus of our company," he said. "I'd say information security is better now than it was eight years ago for a lot of reasons, including better technology, but it wasn't bad eight years ago. Well before the law, we were focused on ensuring the privacy of our customers. Compliance has not been a difficult task."
Large financial institutions generally have the legal and IT resources to comply with GLBA's data security provisions, but Rich said many smaller companies lag behind in compliance. She said regulators may seek increased power to extract civil penalties from companies whose data security systems allow a breach and the loss of customer data.
Rich added that the FTC is also backing new legislation that extends mandates like the GLBA privacy and data security safeguards rules beyond financial services to all industries that deal with sensitive customer data.
"We need clear authority for outreach and education, and also enforcement," said Rich. "Enforcement is a form of education -- but louder."
About the author:
Tommy Peterson is a freelance writer and editor in Newton, Mass., who specializes in technology, business and science topics.