Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act
Transcript of Legal Issues in Information Security Weeks 4 & 5 The Gramm-Leach-Bliley Act
Gary A Bannister FCMA, AICPA
Learning Objectives
An understanding of Title V – Privacy requirements.
Understand the differences between a consumer and a customer.
Understand the pretexting concept and how it ties into e-discovery and forensics.
Understand notices of privacy, how to implement them, and the exceptions.
The Gramm-Leach-Bliley Act (GLBA)
Congress enacted GLBA in November 1999. It allows banks, insurance companies and investment firms to merge into single financial entities for the first time since the Great Depression.
Summary of GLBA Requirements
Bars any financial institution from disclosing a consumer's nonpublic personal information (NPPI) to an unaffiliated third party unless the institution:
Furnishes the consumer with a notice describing the institution's privacy policies
Notifies the consumer that personal information may be disclosed to unaffiliated third parties
Provides the consumer with the opportunity to opt-out.
The Gramm-Leach-Bliley Act Subtitles
Title I – Facilitating Affiliation Among Banks, Securities Firms and Insurance Companies
Title II – Functional Regulation
Title III – Insurance
Title IV – Unitary Savings and Loan Holding Companies
Title V – Privacy
Title VI – Federal Home Loan Bank System Modernization
Title VII – Other Provisions
Who is Required to Comply with the Act’s Security Rules & Guidelines?
Financial institutions or companies that offer financial products and services to individuals have to comply with GLBA. GLBA regulations define a financial institution to include "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1965."
Banks and other depository institutions
Mortgage companies and other lenders
Credit card issuers
Insurance companies
Some investment firms
Tax planners
Securities brokers and loan brokers
Debt collectors
Providers of real estate settlement services
Consumer and Customer Distinction
According to the Act, a "consumer" is any individual "who obtains a financial product or service from a financial institution that will be used primarily for personal, family, or household purposes," excluding businesses.
A "customer" is a consumer who has an ongoing relationship with a financial institution, in which the institution continues to provide financial products or services to the consumer.
For example, an individual who uses an ATM at a bank but does not have an account with that bank is considered a consumer rather than a customer. An individual who opens a bank account or takes out a loan at a bank is considered a customer under GLB.
When applying for a mortgage, a consumer becomes a customer when the consumer "provides any personally identifiable financial information in an effort to obtain a mortgage loan."
GLBA Title V – Privacy Rule
Subtitle A: Rules regarding privacy policies must be issued by regulators within 6 months of the date of enactment. The rules will become effective 6 months later.
Subtitle B: Criminal penalties for pretext calling are effective immediately.
Any financial institution that provides financial products or services to consumers must comply with the Privacy Rule.
All U.S. offices of financial institutions that are subject to the FTC authority must comply with the privacy regulation, regardless of where the consumer lives.
Subtitle B Criminalizes Pretexting
Pretexting is the practice, used by some data collection services, of obtaining personal financial information from financial institutions by misrepresenting their right to such information.
Pretexting can lead to identity theft.
GLBA makes it a crime to use false, fraudulent, lost or stolen documents (or statements) to get customer information.
Personal Information Covered by GLB
GLB only applies to NPPI, defined broadly to include most consumer information obtained by a financial institution in the course of providing a financial product or service.
NPPI does not include any "publicly available information," which means "any information one would have a reasonable basis to believe is made available to the general public."
Personally Identifiable Information
Information provided by the consumer to obtain a financial product or service
Information related to the consumer resulting from any financial transaction with the institution
Information collected by the financial institution via the Internet using cookies
Examples: medical information, account balances, overdraft history, credit/debit card purchases.
Public Information
Defined by the Privacy Rule as "information that the institution has a reasonable basis to believe is lawfully made available to the general public from:
- Government records
- Widely distributed media
- Disclosures to the general public required by law"
GLBA Provisions - Timing of Notices
A financial institution must provide a customer with an initial privacy notice no later than the time the customer begins a relationship with the institution, such as opening an account.
After the initial notice, the financial institution must provide a privacy notice annually.
A consumer who is not a customer of a financial company must be provided with the privacy notice and an opportunity to opt-out before the company may disclose any NPPI about the consumer to an unaffiliated third party.
GLBA Provisions - Content of Notices
The categories of NPPI collected
The categories of the financial institution's affiliates and unaffiliated third parties to which NPPI may be disclosed
The categories of former customers' NPPI disclosed and categories of affiliates and unaffiliated third parties that such information may be disclosed to
An explanation of the consumer's opt-out rights
The financial institution's confidentiality and security policies
GLBA Provisions - Delivery of Privacy Notices
Financial institutions can provide privacy notices to consumers in the following ways:
Hand delivery
U.S. mail
Posting the privacy notice on the financial institution's Web site in a manner that attracts a consumer's attention
If the consumer agrees, the notice may be sent electronically.
GLBA's Application to Affiliates
GLBA defines an affiliate of a financial institution as any company that is controlled by the financial institution, any company that controls the financial institution, or any company related to the financial institution through common ownership.
How to Provide Reasonable Opt-Out
A hard copy reply form which includes the return address
An e-form or a reply form on the institution's Web site
A toll-free number
A financial institution cannot require consumers to write their own opt-out letter as the sole method for exercising their opt-out rights under GLB.
A consumer may elect to opt-out at any time.
Exceptions to the Privacy Notice and Opt-Out Requirements
To process transactions, financial products and services at the request of the consumer
With the consent of the consumer
To protect the confidentiality and security of a consumer's information
To prevent fraud
For institutional risk control or resolution of customer disputes
For people who hold a legal, beneficiary or fiduciary interest relating to the consumer
To insurance rate advisory organizations, guaranty funds or agencies, or bank rating agencies in order to assess compliance with industry standards
In accordance with the Right to Financial Privacy Act (RFPA) and the Bank Secrecy Act
To consumer reporting agencies in accordance with FCRA
In connection with the financial institution's sale or merger
In compliance with a subpoena
Compliance Best Practices for Safeguarding Customer Information
The federal banking agencies have adopted interagency guidelines, which document specific security measures for financial institutions to consider.
Measures to ensure that any modifications are consistent with the financial institution's security program
“Dual control procedures," segregation of duties, and employee background checks
Monitoring systems to detect and prevent attacks
Established response procedures for any actual or suspected unauthorized disclosures
Protections against destruction, loss or damage of customer information
Access controls that limit access to information systems
Methods to prevent employees from mistakenly giving customer information to unauthorized persons
Physical access controls for the facilities in which customer information may be found
Encrypting customer information in electronic form, in transit or in storage
Staff training on the bank’s security program
GLBA Safeguarding Rule
Issued by the FTC, May 2003
The GLBA Safeguarding Rule requires all financial institutions, including institutions of higher education, to develop and draft a comprehensive, written Information Security Program that includes administrative, technical and physical safeguards designed to protect the confidentiality of customers’ nonpublic financial information that is held in the institution’s possession.
Mandatory Components of the Information Security Program
The designation of one or more employees to coordinate the program
A method to periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information
Assess the sufficiency of any safeguards in place to control those risks.
Assess the design and implementation of information safeguards to control the risks identified through the risk assessment
Regular testing to monitor the effectiveness of the safeguards' key controls, systems, and procedures
A methodology to oversee and supervise the institution’s service providers (nonaffiliated and affiliated third-parties) with access to customer information
Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
Assure that contractors or service providers maintain appropriate safeguards for the customer information
Adjust the information security program in light of developments that may materially affect the entity’s safeguards
The ongoing evaluation of the information security program
Implement, test and adjust the security plan on a continuing basis
Compliance - Regulatory Agencies
All federal and state bodies that regulate the financial services industry are responsible for enforcing compliance with the privacy provisions of GLB (FDIC, FTC, SEC, and state insurance departments).
The Federal Trade Commission, as well as the other regulatory entities, require financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a comprehensive information security program.
What is Appropriate Protection?
Appropriateness is assessed on a risk basis, i.e., consideration of the degree of harm suffered if there is a security breach; the threats likely to cause an impact; and the organization's vulnerability to the threats manifested in a breach.
Each financial institution must adopt those measures it believes to be relevant, given the institution's scope and complexity, identified risks, and the sensitivity of the information that needs protection.
Why Do Organizations Need to Comply?
GLBA Section III.F. - the guidelines require the board to review the institution's information security measures annually.
It’s not just a question of financial loss due to fraud or other unauthorized activity; it’s concern over the degradation of brand that has cost millions to build, not to mention loss of customer and shareholder confidence.
The agencies may enforce GLBA with the same sanctions that they currently use to regulate financial institutions.