Is Security Team 2 Glba

Post on 22-Oct-2014


The Gramm-Leach-Bliley Act

Presented by: Team II

Catherine King, Alex Kelley, Saahil Goel, Steven Irvine

• The Financial Services Modernization Act, or the Gramm-Leach-Bliley Act (GLBA), was introduced in November 1999

• Main goal: remove regulations (especially the Glass-Steagall Act of 1933) that did not allow banks, insurance firms and stock brokerage firms to merge

• Contains 7 titles

• Title V refers to Privacy

• Introduced because:

– Merged financial institutions would have access to a large quantity of citizens’ personal information

– Could sell information to third parties

• Three requirements in GLBA:

– Comprehensive information security for storing personal data

– Disclosure of privacy policy to clients

– Customers given the right to opt out of information sharing schemes

• Compliance deadline: May 23, 2003

• Information security program coordinator

• Identify risks

• Safeguards to control the risks

• Oversee service providers

• Evaluate and adjust the program

• GLBA requires administrative, technical and physical safeguards

• Financial Institutions:

– Companies that offer financial products or services to individuals, including:

• Loans

• Financial or Investment Advice

• Insurance

• Other Companies:

– Non-financial institutions that receive customers’ personal financial information

• Non-Financial Institution Examples

– Retailers

• American Eagle Outfitters

• Macy’s

• Dell

– All companies that information is shared with

• Businesses’ Protection

– A business is not an individual with personal nonpublic information

– Not protected under GLBA

• Individuals’ Protection

– Customer: those with a continuing relationship

– Consumer: those with a non-continuing relationship

• Companies that fall under the GLBA must create and distribute a Privacy Policy

• Governs the collection and disclosure of customers’ personal financial information

• A Privacy Policy must achieve the following:

– Clear, Conspicuous, and Accurate

– Explanation of personal nonpublic information collected

– Explanation of how the information is shared

– Explanation of how the information is used

– Explanation of how the information is protected

• Privacy Policy must be provided to a customer:

– By in-person delivery or by mail

– When the relationship is established

– Annually thereafter

– Upon policy changes

• Opt-Out Rights

– Customers and Consumers have the right to say No to having their information shared.

– Does not include information sharing with company affiliates

• No Opt-Out Rights

– Information sharing is essential

– Disclosure is legally required

– Outside service providers that market the company’s products/services.

• The Safeguards Rule requires a financial institution to develop, implement, and maintain a “comprehensive information security program” that is written “in one or more readily accessible parts”, which contains “administrative, technical and physical safeguards” designed “to protect the security, confidentiality, and integrity of customer information”.

• Ensure security and confidentiality of customer info

• Protect against anticipated threats or hazards

• Protect against unauthorized access or use of customer info (that can harm/inconvenience customer)

• Designate one or more employees to coordinate its information security program

• Identify and assess risks to customer info in each relevant part of the company’s operations

• Evaluate current safeguards

• Regularly monitor and test it

• Designed to be flexible

• Different company divisions and the unique risks raised by their business operations

• Employee Management and Training

– Background checks on new employees

– Confidentiality agreement

– Training

– Disciplinary Action

– Knowing where sensitive info is and keeping it secure

• Information Systems

- Encrypting sensitive info

- Proper disposal of customer info

- Maintaining up-to-date firewalls

- Monitor websites of your software vendors

• Detecting and Managing System Failures

– Oversight and audit procedures

– Notifying those affected and law if a breach occurs

GLBA Agency: Financial Institutions it supervises

Board of Governors of the Federal Reserve System: Bank holding companies; member banks of the Federal Reserve System

Commodity Futures Trading Commission: Commodities brokers

Department of the Treasury, Office of the Comptroller of the Currency (OCC): National banks; federal branches of foreign banks

Department of the Treasury, Office of Thrift Supervision (OTS): Savings associations insured by the FDIC

Federal Deposit Insurance Corporation (FDIC): Banks they insure, not including Federal Reserve System members

Securities and Exchange Commission (SEC): Securities brokers and dealers; investment companies

National Credit Union Administration: Federally insured credit unions

Federal Trade Commission (FTC): Institutions not covered by the other agencies

• Varieties of fines; up to 5 years of imprisonment

• GLBA

– Company liable for $100,000 for each violation

– Company directors liable for $10,000 for each violation

• Section 8 of the Federal Deposit Insurance Act

• Termination of FDIC insurance

• Cease and Desist Orders

• Removal of management

• Fines of $1,000,000 or > 1% of total assets

• Reputation: customer trust, lost future business

• Impacted Systems

– Vulnerability assessment tests

– Intrusion detection monitors

– Password management programs

– System and physical access control systems

– Encryption of customer data

• Business Continuity Plans

– Floods, fire, earthquakes, etc.

• Security Policies

– Constantly re-evaluate, measure and update

– Set benchmarks and enforce them

• People

– 75% of breaches are due to insiders

– Top management awareness and absolute buy-in

– Strict security policies

– Internal process to enforce policies

• Segregation of duties for better access control

– Training

• Awareness

• Process, impact, scope, actions

– Surveys, assessments and internal certifications

• 1997: Charter Pacific Bank: sold credit cards to adult website

• 1998: NationsBank shared customer information with its subsidiary affiliate, NationsSecurities

• June 1999: US Bank shared customer data with a telemarketer, in violation of its own policy

• Sunbelt (2004): did not provide privacy information to its online customers

– FTC imposed biannual audits of Sunbelt’s information security program by independent professionals for 10 years

• Goal Financial (2008): as a result of security failures, employees transferred files containing consumer information to third parties

• Questions?