
COMPLIANCE AND GOVERNANCE DIGEST
Gramm-Leach-Bliley and you
Mike Chapple, CISSP 11.18.2003




If you're an information security professional in the financial services industry, you've no doubt already heard about the Gramm-Leach-Bliley Act (otherwise known as the Financial Modernization Act of 1999). If you don't work for a bank, brokerage or other financial institution, chances are you heard briefly about GLB and decided that it didn't apply to you.
Think again! The Federal Trade Commission uses an extremely broad definition of the term "financial institution" for the purposes of GLB compliance. In fact, almost any organization that works with people's money is considered a financial institution. Some inclusions are obvious – nobody would question whether a bank, credit union or brokerage would need to comply with GLB. However, there are many less obvious inclusions as well. Some examples from the FTC include:
In addition to the direct providers of those services, any organization that receives data from those providers must also comply with GLB requirements. For more detailed listings of the types of activities covered under the Act, consult the FTC Web site.
So, you've determined that GLB's provisions do apply to your business. What does that mean to you as an information security professional? There are three provisions of GLB that restrict the collection and use of consumer data. The first two, the Financial Privacy Rule and the Pretexting Provisions, detail responsible business practices and are mainly outside the scope of information security duties. The Safeguards Rule, which went into effect during 2003, requires that included institutions take proactive steps to ensure the security of customer information. At a minimum, institutions must:
Compliance with the Gramm-Leach-Bliley Act is a serious matter. Failure to comply has serious consequences for individuals and organizations found guilty. If GLB applies to your organization, you should definitely consult legal counsel to determine any steps that may be necessary to bring your activities into compliance with the law.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.