Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act Gary A Bannister FCMA, AICPA

Transcript of Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act

Page 1: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act

Gary A Bannister FCMA, AICPA

Page 2: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Learning Objectives

An understanding of Title V privacy requirements.

Understand the difference between a consumer and a customer.

Understand the pretexting concept and how it ties into e-discovery and forensics.

Understand privacy notices, how to implement them, and the exceptions.

Page 3: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA)

Congress enacted GLBA in November 1999. It allows banks, insurance companies and investment firms to merge into single financial entities for the first time since the Great Depression.

Page 4: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Summary of GLBA Requirements

Bars any financial institution from disclosing a consumer's nonpublic personal information (NPPI) to an unaffiliated third party unless the institution:

Furnishes the consumer with a notice describing the institution's privacy policies

Notifies the consumer that personal information may be disclosed to unaffiliated third parties

Provides the consumer with the opportunity to opt-out.

Page 5: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act Titles

Title I – Facilitating affiliation among banks, securities firms and insurance companies

Title II – Functional Regulation

Title III – Insurance

Title IV – Unitary Savings and Loan Holding Companies

Title V – Privacy

Title VI – Federal Home Loan Bank System Modernization

Title VII – Other Provisions

Page 6: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Who is Required to Comply with the Act’s Security Rules & Guidelines?

Financial institutions or companies that offer financial products and services to individuals have to comply with GLBA. GLBA regulations define a financial institution to include "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956."

Banks and other depository institutions

Mortgage companies and other lenders

Credit card issuers

Insurance companies

Some investment firms

Tax planners

Securities brokers and loan brokers

Debt collectors

Providers of real estate settlement services

Page 7: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Consumer and Customer Distinction

According to the Act, a "consumer" is any individual "who obtains a financial product or service from a financial institution that will be used primarily for personal, family, or household purposes," which excludes businesses.

A "customer" is a consumer who has an ongoing relationship with a financial institution, in which the institution continues to provide financial products or services to the consumer.

Page 8: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Consumer and Customer Distinction

For example, an individual who uses an ATM at a bank but does not have an account with that bank is considered a consumer rather than a customer. An individual who opens a bank account or takes out a loan at a bank is considered a customer under GLBA.

When applying for a mortgage, a consumer becomes a customer when the consumer "provides any personally identifiable financial information in an effort to obtain a mortgage loan.”

Page 9: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

GLBA Title V – Privacy Rule

Subtitle A: Rules regarding privacy policies must be issued by the regulators within 6 months of the date of enactment. The rules become effective 6 months after they are issued.

Subtitle B: Criminal penalties for pretext calling are effective immediately.

Any financial institution that provides financial products or services to consumers must comply with the Privacy Rule.

All U.S. offices of financial institutions that are subject to FTC authority must comply with the privacy regulation, regardless of where the consumer lives.

Page 10: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Subtitle B Criminalizes Pretexting

Pretexting is a practice, used by some data collection services, of obtaining personal financial information from financial institutions by misrepresenting their right to that information (for example, by impersonating the customer or someone authorized to act for the customer).

Pretexting can lead to identity theft.

GLBA makes it a crime to use false, fraudulent, lost or stolen documents (or false statements) to obtain customer information from a financial institution.

Page 11: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Personal Information Covered by GLB

GLBA only applies to NPPI, which is defined broadly to include most consumer information obtained by a financial institution in the course of providing a financial product or service.

NPPI does not include "publicly available information," which means any information the institution has a reasonable basis to believe is lawfully made available to the general public.

Page 12: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Personally Identifiable Financial Information

Information provided by the consumer to obtain a financial product or service

Information about the consumer resulting from any transaction with the institution

Information collected by the financial institution via the Internet, for example using cookies

Examples: medical information, account balances, overdraft history, credit/debit card purchases.

Page 13: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Public Information

Defined by the Privacy Rule as "information that the institution has a reasonable basis to believe is lawfully made available to the general public from":

- Government records
- Widely distributed media
- Disclosures to the general public required by law

Page 14: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

GLBA Provisions - Timing of Notices

A financial institution must provide a customer with an initial privacy notice no later than the time the customer begins a relationship with the institution, such as opening an account.

After the initial notice, the financial institution must provide a privacy notice annually.

A consumer who is not a customer of a financial company must be provided with the privacy notice and an opportunity to opt-out before the company may disclose any NPPI about the consumer to an unaffiliated third party.

Page 15: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

GLBA Provisions - Content of Notices

The categories of NPPI collected

The categories of the financial institution's affiliates and unaffiliated third parties to which NPPI may be disclosed

The categories of former customers' NPPI disclosed and categories of affiliates and unaffiliated third parties that such information may be disclosed to

An explanation of the consumer's opt-out rights

The financial institution's confidentiality and security policies

Page 16: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

GLBA Provisions - Delivery of Privacy Notices

Financial institutions can provide privacy notices to consumers in the following ways:

Hand delivery

U.S. mail

Posting the privacy notice on the financial institution's Web site in a manner that attracts the consumer's attention

If the consumer agrees, the notice may be sent electronically.

Page 17: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

GLBA's Application to Affiliates

GLBA defines an affiliate of a financial institution as any company that is controlled by the financial institution, any company that controls the financial institution, or any company related to the financial institution through common ownership.

Page 18: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

How to Provide Reasonable Opt-Out

A hard copy reply form that includes a return address

An electronic form or a reply form on the institution's Web site

A toll-free telephone number

A financial institution cannot require consumers to write their own opt-out letter as the sole method for exercising their opt-out rights under GLBA.

A consumer may elect to opt out at any time.

Page 19: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Exceptions to the Privacy Notice and Opt-Out Requirements

To process transactions, financial products and services at the request of the consumer

With the consent of the consumer

To protect the confidentiality and security of a consumer's information

To prevent fraud

For institutional risk control or resolution of customer disputes

For people who hold a legal, beneficiary or fiduciary interest relating to the consumer

Page 20: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Exceptions to the Privacy Notice and Opt-Out Requirements

To insurance rate advisory organizations, guaranty funds or agencies, or bank rating agencies in order to assess compliance with industry standards

Disclosures made in accordance with the Right to Financial Privacy Act (RFPA) and the Bank Secrecy Act

To consumer reporting agencies in accordance with the FCRA

In connection with the financial institution's sale or merger

In compliance with a subpoena or other legal process

Page 21: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Compliance Best Practices for Safeguarding Customer Information

The federal banking agencies have adopted interagency guidelines, which document specific security measures for financial institutions to consider.

Change-management measures to ensure that any system modifications are consistent with the financial institution's security program

"Dual control" procedures, segregation of duties, and employee background checks

Monitoring systems and procedures to detect and prevent attacks or intrusions

Established response procedures for any actual or suspected unauthorized access to or disclosure of customer information

Protections against the destruction, loss or damage of customer information

Page 22: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Compliance Best Practices for Safeguarding Customer Information (continued)

Access controls that limit access to customer information systems to authorized individuals

Methods to prevent employees from mistakenly giving customer information to unauthorized persons (for example, through pretexting)

Physical access controls for the facilities in which customer information may be found

Encrypting customer information in electronic form, in transit and in storage

Staff training on the institution's security program

Page 23: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

GLBA Safeguards Rule

Issued by the FTC in May 2002 (16 CFR Part 314), effective May 2003

The GLBA Safeguards Rule requires all financial institutions under FTC jurisdiction, including institutions of higher education that make student loans, to develop a comprehensive, written Information Security Program that includes administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of customers' nonpublic personal information held by the institution.

Page 24: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Mandatory Components of the Information Security Program

The designation of one or more employees to coordinate the program

A method to periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information

An assessment of the sufficiency of any safeguards in place to control those risks

An assessment of the design and implementation of the information safeguards that control the risks identified through the risk assessment

Regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures

A methodology to oversee and supervise the institution's service providers (nonaffiliated and affiliated third parties) with access to customer information

Page 25: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Mandatory Components of the Information Security Program

Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information

Ensure that contractors and service providers maintain appropriate safeguards for customer information (for example, through contract terms)

Adjust the information security program in light of developments that may materially affect the entity's safeguards, such as changes in business arrangements or the results of testing

Evaluate the information security program on an ongoing basis

Implement, test and adjust the security plan on a continuing basis

Page 26: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Compliance - Regulatory Agencies

All federal and state bodies that regulate the financial services industry are responsible for enforcing compliance with the privacy provisions of GLBA (for example, the FDIC, the FTC, the SEC, and the state insurance departments).

The Federal Trade Commission requires the financial institutions over which it has jurisdiction, as the other regulators do for theirs, to develop, implement, and maintain a comprehensive information security program.

Page 27: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

What is Appropriate Protection?

Appropriateness is assessed on a risk basis: the degree of harm that would be suffered if there were a security breach; the threats likely to cause an impact; and the organization's vulnerability to those threats.

Each financial institution must adopt the measures it believes to be relevant, given the institution's size and complexity, the risks it has identified, and the sensitivity of the information that needs protection.

Page 28: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Why Do Organizations Need to Comply?

Section III.F of the interagency guidelines requires the institution to report on its information security program to the board (or a board committee) at least annually, so the board reviews the security measures every year.

It is not just a question of financial loss due to fraud or other unauthorized activity; it is also the damage to a brand that has cost millions to build, and the loss of customer and shareholder confidence.

The agencies may enforce GLBA with the same sanctions they already use to regulate financial institutions.

Page 29: Legal Issues in Information Security Weeks 4 & 5  The Gramm-Leach-Bliley Act

Questions?