Understanding Gramm-Leach-Bliley (GLBA) Compliance and Personally Identifiable Information

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) is a law that requires all financial institutions in the United States to safeguard their consumers’ sensitive data. GLBA applies to financial institutions such as organizations that offer financial or investment advice, provide consumer loans, or process consumer financial information.

Regardless of the type of institution, under the Safeguards Rule, GLBA lays out four techniques that all financial institutions must follow in order to ensure the security of consumers’ personally identifiable information (PII). In each sector of the financial industry, regulators such as the Office of the Comptroller of the Currency (OCC) and the Federal Trade Commission (FTC) enforce these requirements. For example, if you’re a pawn shop, you would want to comply with the version of the Safeguards Rule that is published by the FTC. On the other hand, if you’re a bank, you would use the version of the Safeguards Rule that is published by the OCC.

What is Included in the Safeguards Rule?

Though the versions of the Safeguards Rule can vary based on your regulator, the Safeguards Rule has typically required that these five points be included in a financial institution’s security program:

  1. Designate a Coordinator: The coordinator should be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data.
  2. Conduct a Risk Assessment: The risk assessment should identify and evaluate the risks that a breach could compromise the privacy of PII.
  3. Implement Logical Controls Based on the Risk Assessment: The controls implemented should be logical and proportional to the risks that have been identified. Controls will vary based on the type of institution, though. For example, the risks a pawn shop faces are generally much different than the risks that a bank would face.
  4. Ensure Appropriate Vendor Controls are in Place: The organizations that process data on your behalf should be carefully vetted. Do you have an appropriate contract with your vendors? Do you have an audit of your vendors? Are you aware of any security incidents or breaches that your vendors have suffered?
  5. Maintain an Ongoing Process for Reviewing and Updating Security Controls: The security program that’s in place should be constantly under review. GLBA requires that organizations are always reviewing and ensuring that they are secure and that their vendors have appropriate security for PII.

For more tips on GLBA and how it’s used to secure PII, follow @BenjaminWright on Twitter or contact us today!

Video Transcript

In the financial industry, an important law related to privacy and data security is Gramm-Leach-Bliley. Gramm-Leach-Bliley applies to all financial institutions in the United States, which is a broadly defined concept. Financial institutions include not only banks and credit institutions, but other organizations, such as a pawn shop that provides consumer loans. It also includes organizations that process consumer financial information.

Gramm-Leach-Bliley provides four techniques that all of these financial institutions need to follow in order to secure consumer personally identifiable information. These expectations for security are generally incorporated into something that is known as the Safeguards Rule. The Safeguards Rule has been adopted by the various regulators that would apply within your part of the financial industry. For example, if you are a bank, you would look to the Office of the Comptroller of the Currency for the particular version of the Safeguards Rule that applies to you. If you are a pawn shop, you would look to the version of the Safeguards Rule that is published by the Federal Trade Commission.

Broadly speaking, the Safeguards Rule has five major points that it expects a financial institution to cover in its security program. The first point is to designate a coordinator. A coordinator would be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data. The second point is that the financial institution needs to have a risk assessment. A risk assessment evaluates the risks that some breach of security could compromise the privacy of personally identifiable information. Based on that risk assessment, the organization needs to have, what I call, the third major point of the Safeguards Rule: logical controls that are based on the risk assessment. So, the risk assessment for a pawn shop is going to be different from the risk assessment that applies to a large bank. In each case, though, the bank and the pawn shop need to implement logical, proportional controls that respond to the risks that have been identified in the risk assessment. The fourth point in the Safeguards Rule is that the financial institution needs to ensure that it has appropriate controls with its vendors – those organizations who process data on behalf of the financial institution. The way to achieve those controls would be to have an appropriate contract with the vendor, have an audit of the vendor, have certifications from the vendor to confirm that the vendor is implementing the appropriate types of controls, and maybe reporting any security incidents or breaches that the vendor suffers. Finally, the fifth point in the Safeguards Rule is that the financial institution needs to maintain an ongoing process for reviewing and updating its security controls.

Thus, Gramm-Leach-Bliley is not a snapshot requirement. It’s not the requirement to go, “Snap! I’m looking at my security. I’ve confirmed my security is good. I’m done.” Instead, Gramm-Leach-Bliley emphasizes through the Safeguards Rule that organizations have a never-ending requirement to be reviewing their controls and ensuring that they are secure and that their vendors have appropriate security for personally identifiable information.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Advice for Making Legal Agreements via Electronic Communication

How Should I Make Legal Agreements via Electronic Communication?

Electronic communications have become an integral component of conducting business in today’s society. Agreements and contracts are formed over email, text messages, and various other collaborative platforms such as Office 365 or Google Drive. Though hard copy paper contracts still exist, digital contracts offer more accessibility, the ability to track changes, and a way to collaborate via electronic communication.

Digital contracts can be impacted by the electronic communications between organizations and their vendors/customers as time goes by. When organizations or their vendors/customers communicate through email, text messages, or in some other mode of electronic communication about performance under the contract, the final details of the agreement can potentially be affected. For example, some of the electronic communication might identify a need to modify a certain aspect of the agreement, a party might directly amend a clause of the agreement, or the interpretation of the agreement might change.

For organizations who enter into legal agreements via electronic communication, we suggest following these three key steps:

  1. Read all of the electronic communications that relate to the business contract. Electronic communications might be more legally binding than you think.
  2. Document and keep copies of all electronic communications (emails, text messages, etc.) with your vendors/customers. In the event that a legal dispute arises, you can refer back to those communications.
  3. Understand that informal electronic communications, such as texting, can be a useful tool to help tilt a contractual relationship more in favor of what you want. Over time, when you communicate with vendors/customers to document your up-to-date interpretation of an agreement, it can be persuasive in court or negotiations if a dispute arises.

To learn more about the intricacies of using electronic communication to make legal agreements, follow @BenjaminWright on Twitter. For additional information, contact us today!

Video Transcript

In the business world today, we operate in a fascinating world of electronic contracting. When I say it’s fascinating, I mean that I’m a lawyer who’s been practicing law for a long time, and I remember the old days when almost all contracts for business were written on pieces of paper. Today, we now live in this world of electronic mail, text messages, and Office 365 where our agreements with customers and vendors are negotiated, communicated, and recorded in many different media. So, yes, we still use paper documents for contracts, but a lot of times, we may just exchange a Word document through electronic mail.

After we’ve actually signed an agreement with a vendor or customer, time goes by and the relationship evolves. As it evolves, the two parties to the agreement communicate with each other in a very rich way – a way that we didn’t communicate in the 1980s, for example. Today, we’re able to and do use text messages, for example, to communicate about performance under the agreement. We might have some kind of an online environment, such as Office 365, where the vendor and the corporate customer exchange messages and comments. Comments can even be embedded in Word documents. All of these electronic communications can affect the final agreement, so you may have an original paper contract with your vendor, but then the years go by, and a rich collection of electronic records comes to modify the agreement. They may amend the agreement in a direct sense, or they may amend the interpretation of the agreement.

It’s very important for organizations to fully recognize all the different ways that electronic records can impact the contract that they have with their trading partners. Therefore, organizations are wise to 1) read all of the electronic communications that relate to that business contract, because those electronic communications may be more legally binding than you might think; 2) try to make records of all of the relevant electronic communications, including emails and text messages, so that you know what the deal is and, if you end up in a dispute, you can refer back to that email; and 3) recognize that the informal types of communications that are available today, like text messages, can be a powerful way to help tilt a contractual relationship a little bit more in favor of what you want. As time goes by in a relationship, you can send text messages and emails that help to document your up-to-date interpretation of what that old paper contract actually means. This can help, ultimately, to be persuasive in court or negotiations in the future to make clear that the contract gives me the kinds of support and expectations that I really need.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Monitoring Employee Records and Communications Best Practices

Should Companies Monitor Employee Records and Communications?

When organizations supply their employees with personal electronic devices, such as laptops, cell phones, or tablets, they will often have a policy or contract that explains that the employer reserves the right to monitor employee records and communications while they’re using company-owned equipment. Although these devices are used for personal communication as well as work reasons, such policies exist to ensure that company-owned devices are not abused by employees through participating in unauthorized activities. Even with policies or contracts in place, there is still a potential for an invasion of privacy, which makes such policies controversial.

When Should a Company Investigate an Employee’s Electronic Devices?

Just because an employer has the legal might to look at its employees’ emails or text messages does not mean that it is wise to exercise that right often. Remember: might does not make right. If an employer frequently goes through its employees’ text messages, emails, or other modes of electronic communication, employees may become unhappy with the company and feel that their personal privacy has been invaded.

Take, for example, the administration at Harvard University. Believing that someone was leaking information about a cheating scandal, the administration opened an investigation and determined they had the right to read the emails of 16 deans at Harvard. Without getting authorization to search the emails, the administration searched emails by looking only at subject lines within a specific time period. While the administration was legally within its rights to investigate the deans’ emails, it was the wrong political decision. The deans were very unhappy about the investigation into their emails and complained vocally about it. Because of the public attention that the investigation received, the administration ultimately issued a public apology to the deans.

Ultimately, even though organizations might have statements in place that explain that they have the right to monitor employee records and communications, exercising that right is not always cut-and-dried. We suggest very carefully evaluating the reasons why you want to investigate or monitor your employees’ communications so that you can avoid potentially ruining the work environment.

To learn more about monitoring employee records and communications, follow @BenjaminWright on Twitter or contact us today!

Video Transcript

It is common for an employer to have a policy or a contract with its employees stating that the employer reserves the right to monitor the communications and activities of employees while they’re using company-owned equipment. The reason for the employer to do this, of course, is to ensure that the employer is able to maintain a disciplined workplace where unauthorized activities are not happening. Unauthorized activities could be, for example, the exchange of pornography or the running of a side business while the employee is actually in the workplace and is supposed to be doing work.

However, these policies and contracts with employees can be controversial. Employees can be really unhappy when the employer, in fact, exercises its right and starts reading employees’ emails or looking at pictures that are on a company-owned device. Employees may naturally feel that even though they’ve signed an agreement saying that the employer has the right to look, they still personally have some kind of a zone of privacy.

A common lesson for employers to bear in mind is what I call “Might Does Not Make Right.” What that means is that just because the employer has the legal might to look at emails or text messages doesn’t necessarily mean that it is wise for the employer to actually exercise that right very often. A really good example comes from Harvard University. A few years ago, Harvard University was conducting an investigation where it believed that someone amongst the deans of the university was leaking important information about a scandal related to students who had allegedly been cheating. The administration at Harvard decided that they needed to find out who was leaking the information and that they had the right under policy to actually read the emails of 22 deans at Harvard. The administration decided that it would conduct a limited search of the emails of those deans by searching not the content of the emails, but the subject lines of emails within a specific time period.

Well, the deans at Harvard are very politically powerful people, and they were not happy about this. The deans complained very publicly and vocally about the administration exercising its right. Legally speaking, the administration was within its rights; however, politically speaking, the administration made a mistake and was embarrassed. Ultimately, the administration apologized to the deans publicly for looking at their subject lines without going through the appropriate channels, such as getting authority from the new faculty senate.

The larger message here for all kinds of employers is that you’re wise to have an appropriate statement with employees saying that you reserve the right to look at their communications, but actually exercising that right is a very delicate process that you need to evaluate very carefully to ensure that you’re not spooking your employees or poisoning the work environment with your workforce.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Who has the Legal Right to Employee Mobile Phones, Tablets, and Computers?

What are the Challenges of a Bring-Your-Own-Device Policy?

Given that personal electronics are so prevalent in today’s society, navigating how to implement and enforce policies in the workplace regarding the use of devices (such as cell phones, tablets, and computers) can be challenging. It is often questioned who has the control over the records that are created and stored on such devices – is it the employee or the employer? Employees argue that they have the legal rights to the digital records since they are the ones who physically own and pay for the devices. Employers, on the other hand, maintain that because they pay their employees to create those records and the work product is created specifically for the organization’s use, they have the legal rights to the digital records.

Organizations that offer a bring-your-own-device (BYOD) policy are faced with establishing appropriate legal relationships with their employees that explicitly make clear the ownership of the digital records created on employees’ devices. This policy should also explain that the employer has the right to take control of a device, the right to confiscate a device, and the right to conduct a full investigation of a device. Because employees are likely to be more sensitive about having their personal property confiscated or investigated, it is paramount that employers make policies as clear as possible to avoid any possible issues with employees.

To avoid the challenges of a BYOD policy, organizations might instead opt to implement a program that supplies employees with devices. These programs, commonly referred to as company-owned personal-enabled (COPE), limit the personal purposes for which an employee can use the device. However, even with a COPE program in place, organizations should still establish policies clarifying the authorized uses of the device, the possibility of confiscation and/or investigation, and the legal rights to the digital records kept on the device.

For additional tips on BYOD policies in the workplace, follow @BenjaminWright on Twitter. To learn more, contact us today!

Video Transcript

A controversial topic in the modern workplace is bringing your own device to work. Many employees today use their own smartphone or tablet in order to do work on behalf of their employer. Questions arise about who has control over the records that are created and stored through these devices. In a physical sense, the employee has control; however, the employer may maintain that they paid their employee a salary to write a spreadsheet or create a video, so they own that work product and need access to it. An employer may argue that if an employee doesn’t work for them in the future, they should have the legal right to take control of that work product.

A challenge today is having an appropriate legal relationship between the employee and the employer, expressing ownership rights with respect to the records that are created through bring-your-own-device (BYOD). Some organizations will have very stringent agreements with employees that make clear that the employer has the right to take control of a device, to confiscate a device, and to conduct a full investigation of the device. However, this is controversial in the sense that a lot of employees think, “That’s my personal phone. I pay for the service. I own that phone. I use that phone for family and personal matters. I don’t want my employer seizing my phone. I don’t want them digging around looking at pictures.” Therefore, for an employer to work out the appropriate type of agreement can be a very sensitive topic. What I see in the workplace is that many different employers have many different outcomes in what is actually stated in a BYOD policy or contract with employees.

As a result of this controversy, I see another option. I see some organizations decide that they are going to own the device. They buy and pay for the service, but they give it to the employee to use for limited personal purposes. That formula is called COPE: company-owned personal-enabled. If an organization decides to have a COPE relationship with employees, the organization is often wise to have an appropriate contract and/or policy. For example, the organization would want to make clear in a COPE agreement that the employee will not use the company-owned product in a way that would be offensive to the employer or other employees. You wouldn’t want the employer to find that the employee is using the company-owned equipment to create a hostile work environment where discriminatory messages and pictures and so on are exchanged in the workplace.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Understanding the Importance of Information Security and Personal Privacy for Your Employees

Why Do You Need a Security Awareness Program?

Continuous education is a key way that organizations can ensure that their employees stay up-to-date with current industry best practices, and teaching employees and contractors the importance of information security and personal privacy should be an integral part of it. For organizations who process personally identifiable information (PII) and protected health information (PHI), maintaining a security awareness program allows organizations to ensure that their employees and contractors are fully aware of the obligation to and importance of keeping such data secure. Because employees and contractors so frequently come into contact with PII and PHI, they are the frontline troops that secure protected information and thus must be trained on the sensitivity of the information they control, as well as the risks associated with the information. Ultimately, in this day and age, it’s irresponsible to not have a security awareness program in place.

What Should Your Security Awareness Program Include?

Instituting a culture of compliance is the first step towards establishing an effective security awareness program. Leadership should set the tone for compliance and inspire employees to uphold security best practices. If employees see management’s focus on creating a secure work environment, that attitude will spread.

Aside from establishing a culture of compliance, your security awareness program should act as a comprehensive overview of security best practices. For example, you might hold a monthly meeting to discuss recent breaches in the news and what your employees could learn from them. This would allow leadership to engage employees in conversation, ask questions about potential security threats, and discuss what employees should do in the event that a breach occurs.

A security awareness program is just as much about implementing as it is about educating. So, you might review with employees the updates to your password expiration policies, and then practice creating passwords that would meet the new requirements. You might teach employees how to identify phishing attempts made via email, and then test that training through mock phishing exercises. Using mock breaches during your security awareness program also allows organizations to review and practice policies and procedures for reporting breaches and to identify any issues with the organization’s incident response plan.

For additional tips on how you can plan and implement a security awareness program, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you establish a security awareness program, contact us today!

Video Transcript

These days, an important program for any kind of employer to maintain is a security awareness program to help employees and contractors in the workplace understand the importance of information security and personal privacy. As organizations control and process personally identifiable information such as credit card numbers or Social Security numbers, the organization often has an obligation and a need to secure that information. The frontline troops on securing information are the employees as well as contractors who might be in the workplace. These employees and contractors need to be aware of the sensitivity of the information they control and the risks associated with this information, such as the possibility that an unauthorized person will trick the employee into disclosing personally identifiable information. The employer today is wise to have an awareness program that covers all employees and contractors that are handling this kind of sensitive information.

One kind of awareness program is the program that’s called “Securing the Human,” which is offered by the SANS Institute. The SANS Institute is an educational organization in the information security world, and it publishes a whole range of videos that employees can watch and can click on to indicate that they’ve actually watched them and understood the content of the video. The video will warn employees about clicking on strange attachments from unexpected electronic mail where the attachment might have a virus or a Trojan built into it. Employees are trained through these videos that they should be suspicious when they get a strange telephone call from someone asking for their password, for example. These are just a few examples with many kinds of topics that need to be addressed in a security awareness program in the modern workplace.

The videos are not the only way to have a good awareness program; there are many creative things that a wise organization could implement. For example, you could have a brown bag seminar where you invite employees to come during lunch and hear your security awareness team explain the kinds of risks and threats that are most prevalent within your organization. Maybe another form of security awareness training could be to periodically send email updates to employees that notify them of different kinds of attacks and how to avoid them. In these updates, you could also remind employees that if they ever have a question, they need to contact your security team.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.