Understanding Gramm-Leach-Bliley in Order to Secure Consumer Personally Identifiable Information

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to safeguard their consumers’ sensitive data. "Financial institution" is defined broadly: it covers not only banks but also organizations that offer financial or investment advice, provide consumer loans, or process consumer financial information.

Regardless of the type of institution, GLBA’s Safeguards Rule sets out requirements that every financial institution must follow to protect consumers’ personally identifiable information (PII). Each sector of the financial industry has its own regulator, such as the Office of the Comptroller of the Currency (OCC) for national banks and the Federal Trade Commission (FTC) for non-bank financial institutions, and each regulator publishes and enforces its own version of the rule. For example, a pawn shop would comply with the version of the Safeguards Rule published by the FTC, while a national bank would follow the version published by the OCC.

What is Included in the Safeguards Rule?

Although the exact wording of the Safeguards Rule varies by regulator, it has typically required that a financial institution’s security program cover these five points. (Note that the FTC substantially amended its version of the rule in 2021, with most new provisions taking effect in June 2023; the amended rule keeps the same basic structure but now names specific controls, including a designated "Qualified Individual", a written risk assessment, encryption of customer information in transit and at rest, multi-factor authentication for access to customer information, and a written incident response plan.)

  1. Designate a Coordinator: The coordinator should be an official within your organization who has the authority to implement and review controls and to ensure that the controls for securing data are actually in place.
  2. Conduct a Risk Assessment: The risk assessment should identify the reasonably foreseeable internal and external risks that a security breach could compromise the privacy of consumers’ PII, and evaluate how well existing controls address those risks.
  3. Implement Logical Controls Based on the Risk Assessment: "Logical" here means sensible and proportionate, not logical as opposed to physical. Each control should answer a risk identified in the assessment, so controls will vary by institution; the risks a pawn shop faces are generally very different from the risks a bank faces.
  4. Ensure Appropriate Vendor Controls are in Place: Vet the service providers that process data on your behalf. Do you have a contract with each vendor that obligates it to protect the data? Do you audit your vendors, or obtain certifications from them confirming their controls? Are you notified of security incidents or breaches that your vendors suffer?
  5. Maintain an Ongoing Process for Reviewing and Updating Security Controls: The security program should be under continual review. GLBA is not a one-time snapshot; it requires organizations to keep confirming that they, and the vendors that handle PII on their behalf, remain secure.

For more tips on GLBA and how it’s used to secure PII, follow @BenjaminWright on Twitter or contact us today!

Video Transcript

In the financial industry, an important law related to privacy and data security is Gramm-Leach-Bliley. Gramm-Leach-Bliley applies to all financial institutions in the United States, which is a broadly defined concept. Financial institutions include not only banks and credit institutions, but other organizations, such as a pawn shop that provides consumer loans. It also includes organizations that process consumer financial information.

Gramm-Leach-Bliley provides four techniques that all of these financial institutions need to follow in order to secure consumer personally identifiable information. These expectations for security are generally incorporated into something that is known as the Safeguards Rule. The Safeguards Rule has been adopted by the various regulators that would apply within your part of the financial industry. For example, if you are a bank, you would look to the Office of the Comptroller of the Currency for the particular version of the Safeguards Rule that applies to you. If you are a pawn shop, you would look to the version of the Safeguards Rule that is published by the Federal Trade Commission.

Broadly speaking, the Safeguards Rule has five major points that it expects a financial institution to cover in its security program. The first point is to designate a coordinator. A coordinator would be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data. The second point is that the financial institution needs to have a risk assessment. A risk assessment evaluates the risks that some breach of security could compromise the privacy of personally identifiable information. Based on that risk assessment, the organization needs to have what I call the third major point of the Safeguards Rule: logical controls that are based on the risk assessment. So, the risk assessment for a pawn shop is going to be different from the risk assessment that applies to a large bank. In each case, though, the bank and the pawn shop need to implement logical, proportional controls that respond to the risks that have been identified in the risk assessment. The fourth point in the Safeguards Rule is that the financial institution needs to ensure that it has appropriate controls with its vendors – those organizations who process data on behalf of the financial institution. The way to achieve those controls would be to have an appropriate contract with the vendor, have an audit of the vendor, have certifications from the vendor to confirm that the vendor is implementing the appropriate types of controls, and maybe reporting any security incidents or breaches that the vendor suffers. Finally, the fifth point in the Safeguards Rule is that the financial institution needs to maintain an ongoing process for reviewing and updating its security controls.

Thus, Gramm-Leach-Bliley is not a snapshot requirement. It’s not the requirement to go, “Snap! I’m looking at my security. I’ve confirmed my security is good. I’m done.” Instead, Gramm-Leach-Bliley emphasizes through the Safeguards Rule that organizations have a never-ending requirement to be reviewing their controls and ensuring that they are secure and that their vendors have appropriate security for personally identifiable information.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Advice for Making Legal Agreements via Electronic Communication

How Should I Make Legal Agreements via Electronic Communication?

Electronic communications have become an integral part of doing business. Agreements and contracts are formed over email, text messages, and collaborative platforms such as Office 365 or Google Drive. Hard-copy paper contracts still exist, but digital contracts offer more accessibility, the ability to track changes, and a way to collaborate electronically.

A digital contract can also be changed by the electronic communications that follow it. When an organization and its vendors or customers discuss performance under the contract by email, text message, or some other electronic channel, the final terms of the agreement can be affected. For example, a message might identify a need to modify some aspect of the agreement, a party might directly amend a clause, or the exchange might change how the agreement is interpreted.

For organizations that enter into legal agreements via electronic communication, we suggest three key steps:

  1. Read all of the electronic communications that relate to the business contract. Electronic communications can be more legally binding than you might think.
  2. Document and keep copies of all electronic communications (emails, text messages, etc.) with your vendors/customers so that, if a legal dispute arises, you can refer back to them.
  3. Understand that informal electronic communications, such as text messages, can help tilt a contractual relationship more in favor of what you want. Messages that document your up-to-date interpretation of an agreement over the life of the relationship can be persuasive in court or in negotiations if a dispute arises.

To learn more about the intricacies of using electronic communication to make legal agreements, follow @BenjaminWright on Twitter. For additional information, contact us today!

Video Transcript

In the business world today, we operate in a fascinating world of electronic contracting. When I say it’s fascinating, I mean that I’m a lawyer who’s been practicing law for a long time, and I remember the old days when all contracts for business were almost all written on pieces of paper. Today, we now live in this world of electronic mail, text messages, and Office 365 where our agreements with customers and vendors are negotiated, communicated, and recorded in many different media. So, yes, we still use paper documents for contracts, but a lot of times, we may just exchange a Word document through electronic mail.

After we’ve actually signed an agreement with a vendor or customer, time goes by and the relationship evolves. As it evolves, the two parties to the agreement communicate with each other in a very rich way – a way that we didn’t communicate in the 1980s, for example. Today, we’re able to and do use text messages, for example, to communicate about performance under the agreement. We might have some kind of an online environment, such as Office 365, where the vendor and the corporate customer exchange messages and comments. Comments can even be embedded in Word documents. All of these electronic communications can affect the final agreement, so you may have an original paper contract with your vendor, but then the years go by, and a rich collection of electronic records comes to modify the agreement. They may amend the agreement in a direct sense, or they may amend the interpretation of the agreement.

It’s very important for organizations to fully recognize all the different ways that electronic records can impact the contract that they have with their trading partners. Therefore, organizations are wise to 1) read all of the electronic communications that relate to that business contract, because those electronic communications may be more legally binding than you might think; 2) try to make records of all of the relevant electronic communications, including emails and text messages, so that you know what the deal is, and if you end up in a dispute, you can refer back to that email; and 3) recognize that the informal types of communications that are available today, like text messages, can be a powerful way to help tilt a contractual relationship a little bit more in favor of what you want. As time goes by in a relationship, you can send text messages and emails that help to document your up-to-date interpretation of what that old paper contract actually means. This can help, ultimately, to be persuasive in court or negotiations in the future to make clear that the contract gave me the kinds of support and expectations that I really need.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Non-Disclosure Agreement Risks – When and How to Sign a Non-Disclosure Agreement

What Risks are Associated with Signing a Non-Disclosure Agreement?

Non-disclosure agreements (NDAs) are often used in the technology world as a form of legal control, and organizations routinely exchange them; however, an NDA is never risk-free. An organization that is asked to sign an NDA favoring another party is being asked to agree to the following:

  • Agree that another organization is giving them some sort of sensitive information
  • Agree that they won’t disclose that sensitive information to unauthorized people
  • Agree that they are not going to use that sensitive information in their organization without authority

Although these stipulations may appear cut-and-dried, they are not. They can be hard to comply with regardless of the size of your organization, so an organization that has been asked to sign an NDA should generally seek the advice of legal counsel. In most cases, counsel can help you negotiate the terms of the NDA to reduce the risk of a breach of contract and limit your exposure if one occurs.

For example, many NDAs contain a clause defining how long you must keep the information confidential. If an organization asks you never to disclose its information, that open-ended obligation places you at greater risk of violating the NDA. You might instead offer to sign a limited NDA and request that the non-disclosure obligation last only six months. You might also include a clause that caps your liability so that you are not exposed to unlimited liability if you breach the NDA.

Ultimately, before you agree to sign an NDA, we recommend that you pause and think carefully about it, seek legal counsel, and think about how you can negotiate a narrower scope for various obligations.

To learn more about the risks of signing an NDA, follow @BenjaminWright on Twitter. For more information, contact us today using the form below.

Video Transcript

In the technology world, a common form of legal control is a non-disclosure agreement. It’s very common that organizations will exchange non-disclosure agreements among themselves. It’s common, for example, that a vendor might come to a corporate customer and say, “I want you to take a look at my technology because you might want to license it, but first I want you to sign a non-disclosure agreement.”

From the point of view of an enterprise that is asked to sign a non-disclosure agreement that favors another party, the enterprise is wise to stop and think about this carefully. A non-disclosure agreement does not come along risk-free. When any kind of organization signs a non-disclosure agreement, they’re typically saying that they agree that another organization is going to give them some sensitive information, they’re going to make sure that it’s not disclosed to unauthorized people, and they’re not going to use it in their organization without authority. The non-disclosure agreement could go on to say that the organization will secure the information.

All of these obligations can be actually very hard for any kind of organization – large or small – to fully comply with. Therefore, I commonly recommend to enterprises that when somebody else comes to you, and they ask you to sign a non-disclosure agreement, read that agreement carefully. Very possibly, you’re wise to get counsel to evaluate that agreement. Also, recognize that there can be significant risks associated with signing that non-disclosure agreement if you are the party that is going to be receiving that sensitive or confidential information.

Very commonly, if you read the agreement carefully, and maybe if you work with counsel, you can tailor the agreement to scale back the risks. For example, say that an organization is asking you to sign a non-disclosure agreement stating that you won’t disclose their information forever. Well, forever is a very long time. You, as an organization, may agree that you’re okay with signing a limited non-disclosure agreement, but you want to cut down the obligation to just six months. You may also include a limitation on the overall liability so that you’re not exposed to unlimited liability if you make a mistake. You might say that your maximum liability is $5,000 or something like that. The bottom line is that when someone asks your organization to sign some kind of a confidentiality agreement or clause, you’re wise to pause, think carefully about it, and think about how you can negotiate a narrower scope for that obligation.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Monitoring Employee Records and Communications Best Practices

Should Companies Monitor Employee Records and Communications?

When organizations supply their employees with electronic devices such as laptops, cell phones, or tablets, they often have a policy or contract stating that the employer reserves the right to monitor employee records and communications on company-owned equipment. Such policies exist to ensure that company-owned devices are not abused for unauthorized activities, but because these devices are frequently used for personal communication as well as work, they raise the possibility of an invasion of privacy and are therefore controversial.

When Should a Company Investigate an Employee’s Electronic Devices?

Just because an employer has the legal might to read employees’ emails or text messages does not mean it is wise to exercise that right often. Remember: might does not make right. If an employer frequently goes through employees’ text messages, emails, or other electronic communications, employees may become unhappy with the company and feel that their personal privacy has been invaded.

Take, for example, the administration at Harvard University. Believing that someone was leaking information about a student cheating scandal, the administration opened an investigation and decided that its policy gave it the right to read the emails of 16 deans. Without first obtaining authorization through the appropriate faculty channels, the administration searched those accounts, limiting the search to subject lines within a specific time period. The administration was legally within its rights, but the decision was politically wrong. The deans were very unhappy and complained vocally, and because of the public attention the investigation received, the administration ultimately issued a public apology to them.

Ultimately, even when an organization has a policy stating that it reserves the right to monitor employee records and communications, exercising that right is not cut-and-dried. We suggest evaluating very carefully why you want to investigate or monitor employees’ communications, so that you do not poison the work environment.

To learn more about monitoring employee records and communications, follow @BenjaminWright on Twitter or contact us today!

Video Transcript

It is common for an employer to have a policy or a contract with its employees stating that the employer reserves the right to monitor the communications and activities of employees while they’re using company-owned equipment. The reason for the employer to do this, of course, is to ensure that the employer is able to maintain a disciplined workplace where unauthorized activities are not happening. Unauthorized activities could be, for example, the exchange of pornography or the running of a side business while the employee is actually in the workplace and is supposed to be doing work.

However, these policies and contracts with employees can be controversial. Employees can be really unhappy when the employer, in fact, exercises its right and starts reading employees’ emails or looking at pictures that are on a company-owned device. Employees, naturally, may feel that even though they’ve signed an agreement saying that the employer has the right to look, they may still feel personally that they have some kind of a zone of privacy.

A common lesson for employers to bear in mind is what I call “Might Does Not Make Right.” What that means is just because the employer has the legal might to look at emails or text messages doesn’t necessarily mean that it is wise for the employer to actually exercise that right very often. A really good example comes from Harvard University. A few years ago, Harvard University was conducting an investigation where it believed that someone amongst the deans of the university was leaking important information out about a scandal related to students who had allegedly been cheating. The administration at Harvard decided that they needed to find out who was leaking the information and that they had the right under policy to actually read the emails of 22 deans at Harvard. The administration decided that it would conduct a limited search of emails of those deans by searching not the content of emails, but the subject lines of emails within a specific time period.

Well, the deans at Harvard are very politically powerful people, and they were not happy about this. The deans complained very publicly and vocally about the administration exercising its right. Legally speaking, the administration was within its rights; however, politically speaking, the administration made a mistake and was embarrassed. Ultimately, the administration apologized to the deans publicly for looking at their subject lines without going through the appropriate channels, such as getting authority from the new faculty senate.

The larger message here for all kinds of employers is that you’re wise to have an appropriate statement with employees saying that you reserve the right to look at their communications, but actually exercising that right is a very delicate process that you need to evaluate very carefully to ensure that you’re not spooking your employees or poisoning the work environment with your workforce.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Who has the Legal Right to Employee Mobile Phones, Tablets, and Computers?

What are the Challenges of a Bring-Your-Own-Device Policy?

Given how prevalent personal electronics are, implementing and enforcing workplace policies on the use of devices such as cell phones, tablets, and computers can be challenging. A frequent question is who controls the records created and stored on such devices: the employee or the employer? Employees argue that they have the legal rights to the digital records because they physically own and pay for the devices. Employers maintain that because they pay employees to create those records, and the work product is created specifically for the organization’s use, the legal rights to the records belong to them.

Organizations that allow bring-your-own-device (BYOD) need to establish a legal relationship with their employees that explicitly makes clear who owns the digital records created on employees’ devices. The policy should also explain whether the employer has the right to take control of a device, to confiscate it, and to conduct a full investigation of it. Because employees are likely to be more sensitive about having their personal property confiscated or investigated, employers should make these policies as clear as possible to avoid later disputes.

To avoid the challenges of a BYOD policy, organizations might instead implement a program that supplies employees with devices. Under these programs, commonly referred to as corporate-owned, personally enabled (COPE), the organization owns the device and pays for the service but allows the employee limited personal use of it. Even with a COPE program in place, however, organizations should still establish policies clarifying the authorized uses of the device, the possibility of confiscation and/or investigation, and the legal rights to the digital records kept on the device.

For additional tips on BYOD policies in the workplace, follow @BenjaminWright on Twitter. To learn more, contact us today!

Video Transcript

A controversial topic in the modern workplace is bringing your own device to work. Many employees today use their own smartphone or tablet in order to do work on behalf of their employer. Questions arise about who has control over the records that are created and stored through these devices. In a physical sense, the employee has control; however, the employer may maintain that they paid their employee a salary to write a spreadsheet or create a video, so they own that work product and need access to it. An employer may argue that if an employee doesn’t work for them in the future, they should have the legal right to take control of that work product.

A challenge today is having an appropriate legal relationship between the employee and the employer, expressing ownership rights with respect to the records that are created through bring-your-own-device (BYOD). Some organizations will have very stringent agreements with employees that make clear that the employer has the right to take control of a device, to confiscate a device, and to conduct a full investigation of the device. However, this is controversial in the sense that a lot of employees think, “That’s my personal phone. I pay for the service. I own that phone. I use that phone for family and personal matters. I don’t want my employer seizing my phone. I don’t want them digging around looking at pictures.” Therefore, for an employer to work out the appropriate type of agreement can be a very sensitive topic. What I see in the workplace is that many different employers have many different outcomes in what is actually stated in a BYOD policy or contract with employees.

As a result of this controversy, I see another option. I see some organizations decide that they are going to own the device. They buy and pay for the service, but they give it to the employee to use for limited personal purposes. That formula is called COPE: company-owned personal-enabled. If an organization decides to have a COPE relationship with employees, the organization is often wise to have an appropriate contract and/or policy. For example, the organization would want to make clear in a COPE agreement that the employee will not use the company-owned product in a way that would be offensive to the employer or other employees. You wouldn’t want the employer to find that the employee is using the company-owned equipment to create a hostile work environment where discriminatory messages and pictures and so on are exchanged in the workplace.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.