
Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act

Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act. Gary A Bannister FCMA, AICPA. Learning Objectives. An understanding of Title 5 –Privacy requirements. Understand the differences between a consumer & customer.


Presentation Transcript


  1. Legal Issues in Information Security, Weeks 4 & 5: The Gramm-Leach-Bliley Act. Gary A Bannister FCMA, AICPA

  2. Learning Objectives
  • An understanding of the Title V privacy requirements.
  • Understand the difference between a consumer and a customer.
  • Understand the pretexting concept and how it ties into e-discovery and forensics.
  • Understand privacy notices, how to implement them, and the exceptions to them.

  3. The Gramm-Leach-Bliley Act (GLBA) Congress enacted GLBA in November 1999. It allows banks, insurance companies and investment firms to merge into single financial entities for the first time since the Great Depression.

  4. Summary of GLBA Requirements
  • Bars any financial institution from disclosing a consumer's nonpublic personal information (NPPI) to an unaffiliated third party unless the institution:
    • Furnishes the consumer with a notice describing the institution's privacy policies
    • Notifies the consumer that personal information may be disclosed to unaffiliated third parties
    • Provides the consumer with the opportunity to opt out.

  5. The Gramm-Leach-Bliley Act Subtitles
  • Title I – Facilitating affiliation among banks, securities firms and insurance companies
  • Title II – Functional Regulation
  • Title III – Insurance
  • Title IV – Unitary Savings and Loan Holding Companies
  • Title V – Privacy
  • Title VI – Federal Home Loan Bank System Modernization
  • Title VII – Other Provisions

  6. Who is Required to Comply with the Act’s Security Rules & Guidelines? Financial institutions or companies that offer financial products and services to individuals have to comply with GLBA. GLBA regulations define a financial institution to include "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1965."
  • Banks and other depository institutions
  • Mortgage companies and other lenders
  • Credit card issuers
  • Insurance companies
  • Some investment firms
  • Tax planners
  • Securities brokers and loan brokers
  • Debt collectors
  • Providers of real estate settlement services.

  7. Consumer and Customer Distinction According to the Act, a “consumer” is any individual "who obtains a financial product or service from a financial institution that will be used primarily for personal, family, or household purposes, excluding businesses." A "customer" is a consumer who has an ongoing relationship with a financial institution, in which the institution continues to provide financial products or services to the consumer.

  8. Consumer and Customer Distinction For example, an individual who uses an ATM at a bank but does not have an account with that bank is considered a consumer rather than a customer. An individual who opens a bank account or takes out a loan at a bank is considered a customer under GLB. When applying for a mortgage, a consumer becomes a customer when the consumer "provides any personally identifiable financial information in an effort to obtain a mortgage loan.”

  9. GLBA Title V – Privacy Rule
  • Subtitle A: Rules regarding privacy policies must be issued by regulators within 6 months of the date of enactment. The rules will become effective 6 months later.
  • Subtitle B: Criminal penalties for pretext calling are effective immediately.
  • Any financial institution that provides financial products or services to consumers must comply with the Privacy Rule.
  • All U.S. offices of financial institutions that are subject to FTC authority must comply with the privacy regulation, regardless of where the consumer lives.

  10. Subtitle B Criminalizes Pretexting
  • Pretexting is a practice used by some data collection services of obtaining personal financial information from financial institutions by misrepresenting their right to such information.
  • Pretexting can lead to identity theft.
  • GLBA makes it a crime to use false, fraudulent, lost or stolen documents (or statements) to get customer information.

  11. Personal Information Covered by GLB
  • GLB only applies to NPPI, defined broadly to include most consumer information obtained by a financial institution in the course of providing a financial product or service.
  • NPPI does not include any "publicly available information," which means "any information one would have a reasonable basis to believe is made available to the general public."

  12. Personally Identifiable Information
  • Information provided by the consumer to obtain a financial product or service
  • Information about the consumer resulting from any financial transaction with the institution
  • Information collected by the financial institution via the Internet using cookies
  • Examples: medical information, account balances, overdraft history, credit/debit card purchases.

  13. Public Information Defined by the Privacy Rule as “information that the institution has a reasonable basis to believe is lawfully made available to the general public from:
  - Government records
  - Widely distributed media
  - Disclosures to the general public required by law”

  14. GLBA Provisions – Timing of Notices
  • A financial institution must provide a customer with an initial privacy notice no later than the time the customer begins a relationship with the institution, such as opening an account.
  • After the initial notice, the financial institution must provide a privacy notice annually.
  • A consumer who is not a customer of a financial company must be provided with the privacy notice and an opportunity to opt out before the company may disclose any NPPI about the consumer to an unaffiliated third party.

  15. GLBA Provisions – Content of Notices
  • The categories of NPPI collected
  • The categories of the financial institution's affiliates and unaffiliated third parties to which NPPI may be disclosed
  • The categories of former customers' NPPI disclosed, and the categories of affiliates and unaffiliated third parties to which such information may be disclosed
  • An explanation of the consumer's opt-out rights
  • The financial institution's confidentiality and security policies

  16. GLBA Provisions – Delivery of Privacy Notices Financial institutions can provide privacy notices to consumers in the following ways:
  • Hand delivery
  • U.S. Mail
  • Posting the privacy notice on the financial institution's Web site in a manner that attracts a consumer's attention
  • If the consumer agrees, the notice may be sent electronically.

  17. GLBA's Application to Affiliates GLBA defines an affiliate of a financial institution as any company that is controlled by the financial institution, any company that controls the financial institution, or any company related to the financial institution through common ownership.

  18. How to Provide Reasonable Opt-Out
  • A hard copy reply form which includes the return address
  • An e-form or a reply form on the institution's Web site
  • A toll-free number
  • A financial institution cannot require consumers to write their own opt-out letter as the sole method for exercising their opt-out rights under GLB.
  • A consumer may elect to opt out at any time.

  19. Exceptions to the Privacy Notice and Opt-Out Requirements
  • To process transactions, financial products and services at the request of the consumer
  • With the consent of the consumer
  • To protect the confidentiality and security of a consumer's information
  • To prevent fraud
  • For institutional risk control or resolution of customer disputes
  • For people who hold a legal, beneficiary or fiduciary interest relating to the consumer

  20. Exceptions to the Privacy Notice and Opt-Out Requirements
  • To insurance rate advisory organizations, guaranty funds or agencies, or bank rating agencies, in order to assess compliance with industry standards
  • In accordance with the Right to Financial Privacy Act (RFPA) and the Bank Secrecy Act
  • To consumer reporting agencies in accordance with FCRA
  • In connection with the financial institution's sale or merger
  • In compliance with a subpoena

  21. Compliance Best Practices for Safeguarding Customer Information The federal banking agencies have adopted interagency guidelines, which document specific security measures for financial institutions to consider.
  • Measures to ensure that any modifications are consistent with the financial institution's security program
  • “Dual control procedures," segregation of duties, and employee background checks
  • Monitoring systems to prevent attacks
  • Established response procedures for any actual or suspected unauthorized disclosures
  • Protections against destruction, loss or damage of customer information

  22. Compliance Best Practices for Safeguarding Customer Information The federal banking agencies have adopted interagency guidelines, which document specific security measures for financial institutions to consider.
  • Access controls that limit access to information systems
  • Methods to prevent employees from mistakenly giving customer information to unauthorized persons
  • Physical access controls for the facilities in which customer information may be found
  • Encrypting customer information in electronic form, in transit or in storage
  • Staff training on the bank’s security program

  23. GLBA Safeguarding Rule
  • Issued by the FTC, May 2003
  • The GLBA Safeguarding Rule requires all financial institutions, including institutions of higher education, to develop and draft a comprehensive, written Information Security Program that includes administrative, technical and physical safeguards designed to protect the confidentiality of customers’ nonpublic financial information that is held in the institution’s possession.

  24. Mandatory Components of the Information Security Program
  • The designation of one or more employees to coordinate the program
  • A method to periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information
  • An assessment of the sufficiency of any safeguards in place to control those risks
  • An assessment of the design and implementation of information safeguards to control the risks identified through the risk assessment
  • Regular testing to monitor the effectiveness of the safeguards’ key controls, systems, and procedures
  • A methodology to oversee and supervise the institution’s service providers (nonaffiliated and affiliated third parties) with access to customer information

  25. Mandatory Components of the Information Security Program
  • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
  • Assure that contractors or service providers maintain appropriate safeguards for the customer information.
  • Adjust the information security program in light of developments that may materially affect the entity’s safeguards.
  • The ongoing evaluation of the information security program
  • Implement, test and adjust the security plan on a continuing basis.

  26. Compliance – Regulatory Agencies All federal and state bodies that regulate the financial services industry (FDIC, FTC, SEC, and state insurance departments) are responsible for enforcing compliance with the privacy provisions of GLB. The Federal Trade Commission, as well as the other regulatory entities, requires financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a comprehensive information security program.

  27. What is Appropriate Protection? Appropriateness is assessed on a risk basis, that is, by considering the degree of harm that would be suffered if there is a security breach; the threats likely to cause an impact; and the organization’s vulnerability to those threats as manifested in a breach. Each financial institution must adopt those measures it believes to be relevant, given the institution's scope and complexity, the identified risks, and the sensitivity of the information that needs protection.

  28. Why Do Organizations Need to Comply? GLBA Section III.F – the guidelines require the board to review its information security measures annually. It’s not just a question of financial loss due to fraud or other unauthorized activity; it’s concern over the degradation of a brand that has cost millions to build, not to mention the loss of customer and shareholder confidence. The agencies may enforce GLBA with the same sanctions that they currently use to regulate financial institutions.

  29. Questions?
