Understanding Gramm Leach Bliley (GLBA) Compliance and Personally Identifiable Information
What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act (GLBA) is a law that requires all financial institutions in the United States to safeguard their consumers’ sensitive data. GLBA applies to financial institutions such as organizations that offer financial or investment advice, provide consumer loans, or process consumer financial information.
Regardless of the type of institution, under the Safeguards Rule, GLBA lays out four techniques that all financial institutions must follow in order to ensure the security of consumers’ personally identifiable information (PII). In each sector of the financial industry, regulators such as the Office of the Comptroller of the Currency (OCC) and the Federal Trade Commission (FTC) enforce these requirements. For example, if you’re a pawn shop, you would want to comply with the version of the Safeguards Rule that is published by the FTC. On the other hand, if you’re a bank, you would use the version of the Safeguards Rule that is published by the OCC.
What is Included in the Safeguards Rule?
Though the versions of the Safeguards Rule can vary based on your regulator, the Safeguards Rule has typically required that these five points be included in a financial institution’s security program:
- Designate a Coordinator: The coordinator should be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data.
- Conduct a Risk Assessment: The risk assessment should identify and evaluate the risk that a security breach could compromise the privacy of PII.
- Implement Logical Controls Based on the Risk Assessment: The controls implemented should be logical and proportional to the risks that have been identified. Controls will vary based on the type of institution, though. For example, the risks a pawn shop faces are generally much different than the risks that a bank would face.
- Ensure Appropriate Vendor Controls Are in Place: The organizations that process data on your behalf should be carefully vetted. Do you have an appropriate contract with your vendors? Do you have an audit of your vendors? Are you aware of any security incidents or breaches that your vendors have suffered?
- Maintain an Ongoing Process for Reviewing and Updating Security Controls: The security program that’s in place should be constantly under review. GLBA requires that organizations continually review and confirm that they are secure and that their vendors have appropriate security for PII.
In the financial industry, an important law related to privacy and data security is Gramm-Leach-Bliley. Gramm-Leach-Bliley applies to all financial institutions in the United States, which is a broadly defined concept. Financial institutions include not only banks and credit institutions, but other organizations, such as a pawn shop that provides consumer loans. It also includes organizations that process consumer financial information.
Gramm-Leach-Bliley provides four techniques that all of these financial institutions need to follow in order to secure consumer personally identifiable information. These expectations for security are generally incorporated into something that is known as the Safeguards Rule. The Safeguards Rule has been adopted by the various regulators that would apply within your part of the financial industry. For example, if you are a bank, you would look to the Office of the Comptroller of the Currency for the particular version of the Safeguards Rule that applies to you. If you are a pawn shop, you would look to the version of the Safeguards Rule that is published by the Federal Trade Commission.
Broadly speaking, the Safeguards Rule has five major points that it expects a financial institution to cover in its security program. The first point is to designate a coordinator. A coordinator would be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data. The second point is that the financial institution needs to have a risk assessment. A risk assessment evaluates the risks that some breach of security could compromise the privacy of personally identifiable information. Based on that risk assessment, the organization needs to have what I call the third major point of the Safeguards Rule: logical controls that are based on the risk assessment. So, the risk assessment for a pawn shop is going to be different from the risk assessment that applies to a large bank. In each case, though, the bank and the pawn shop need to implement logical, proportional controls that respond to the risks that have been identified in the risk assessment. The fourth point in the Safeguards Rule is that the financial institution needs to ensure that it has appropriate controls with its vendors – those organizations who process data on behalf of the financial institution. The way to achieve those controls would be to have an appropriate contract with the vendor, have an audit of the vendor, have certifications from the vendor to confirm that the vendor is implementing the appropriate types of controls, and maybe have the vendor report any security incidents or breaches that it suffers. Finally, the fifth point in the Safeguards Rule is that the financial institution needs to maintain an ongoing process for reviewing and updating its security controls.
Thus, Gramm-Leach-Bliley is not a snapshot requirement. It’s not the requirement to go, “Snap! I’m looking at my security. I’ve confirmed my security is good. I’m done.” Instead, Gramm-Leach-Bliley emphasizes through the Safeguards Rule that organizations have a never-ending requirement to be reviewing their controls and ensuring that they are secure and that their vendors have appropriate security for personally identifiable information.
In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.