If you're an information security professional in the financial services industry, you've no doubt already heard about the Gramm-Leach-Bliley Act (otherwise known as the Financial Modernization Act of 1999). If you don't work for a bank, brokerage or other financial institution, chances are you heard briefly about GLB and decided that it didn't apply to you.

Think again! The Federal Trade Commission uses an extremely broad definition of the term "financial institution" for the purposes of GLB compliance. In fact, almost any organization that works with people's money is considered a financial institution. Some inclusions are obvious – nobody would question whether a bank, credit union or brokerage would need to comply with GLB. However, there are many less obvious inclusions as well. Some examples from the FTC include:

  • Preparers of income tax returns
  • Consumer credit reporting agencies and credit counseling services
  • Real estate transaction settlement services
  • Debt collection agencies

In addition to the direct providers of those services, any organization that receives data from those providers must also comply with GLB requirements. For more detailed listings of the types of activities covered under the Act, consult the FTC Web site.

So, you've determined that GLB's provisions do apply to your business. What does that mean to you as an information security professional? There are three provisions of GLB that restrict the collection and use of consumer data. The first two, the Financial Privacy Rule and the Pretexting Provisions, detail responsible business practices and are mainly outside the scope of information security duties. The Safeguards Rule, which went into effect during 2003, requires that included institutions take proactive steps to ensure the security of customer information. At a minimum, institutions must:

  • Appoint an individual or group to bear specific responsibility for GLB compliance.
  • Identify risks to customer information and assess existing safeguards.
  • Implement safeguards that are needed to fill any gaps.
  • Monitor the effectiveness of all safeguards.
  • Ensure service providers are capable of meeting GLB requirements.
  • Adjust the organization's security program as necessary when circumstances change.

Compliance with the Gramm-Leach-Bliley Act is a serious matter. Failure to comply has serious consequences for individuals and organizations found guilty. If GLB applies to your organization, you should definitely consult legal counsel to determine any steps that may be necessary to bring your activities into compliance with the law.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.


This was first published in January 2008