Think again! The Federal Trade Commission uses an extremely broad definition of the term "financial institution" for the purposes of GLB compliance. In fact, almost any organization that works with people's money is considered a financial institution. Some inclusions are obvious – nobody would question whether a bank, credit union or brokerage would need to comply with GLB. However, there are many less obvious inclusions as well. Some examples from the FTC include:
- Preparers of income tax returns
- Consumer credit reporting agencies and credit counseling services
- Real estate transaction settlement services
- Debt collection agencies
In addition to the direct providers of those services, any organization that receives data from those providers must also comply with GLB requirements. For more detailed listings of the types of activities covered under the Act, consult the FTC Web site.
So, you've determined that GLB's provisions do apply to your business. What does that mean to you as an information security professional? There are three provisions of GLB that restrict the collection and use of consumer data. The first two, the Financial Privacy Rule and the Pretexting Provisions, detail responsible business practices and are mainly outside the scope of information security duties. The Safeguards Rule, which went into effect during 2003, requires that included institutions take proactive steps to ensure the security of customer information. At a minimum, institutions must:
- Appoint an individual or group to bear specific responsibility for GLB compliance.
- Identify risks to customer information and assess existing safeguards.
- Implement safeguards that are needed to fill any gaps.
- Monitor the effectiveness of all safeguards.
- Ensure service providers are capable of meeting GLB requirements.
- Adjust the organization's security program as necessary when circumstances change.
Compliance with the Gramm-Leach-Bliley Act is a serious matter. Failure to comply has serious consequences for individuals and organizations found guilty. If GLB applies to your organization, you should definitely consult legal counsel to determine any steps that may be necessary to bring your activities into compliance with the law.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
This was first published in January 2008