The Financial Modernization Act of 1999 - Gramm-Leach-Bliley Act
GLB Act

Every last dime

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB, includes provisions to protect consumers' personal financial information held by financial institutions. There are two principal parts to the privacy requirements as they relate to data management: the Financial Privacy Rule and the Safeguards Rule.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of non-traditional financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, residential real estate settlement services, collecting consumer debts, providing health insurance, and an array of other activities. Such non-traditional financial institutions are also regulated by the FTC.

The Right to Privacy

The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information. The Financial Privacy Rule requires covered institutions to spell out, in the form of a privacy notice, their information-sharing practices. Most of us have seen these notices included with correspondence related to loan applications, account servicing, or credit card statements. Using a process detailed in the institution's privacy notice, consumers have the right to limit some - but not all - sharing of their information.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The rule applies not only to financial institutions that collect information from their own customers, but also to businesses - such as credit reporting agencies - that receive customer information from those institutions. It is within the Safeguards section of GLB that the parameters for data safety at these institutions are spelled out, and it is here also that the deficiencies of 'legacy' data protection methods are exposed. The section addresses three distinct areas of safeguards which must be implemented: administrative, technical, and physical.

As in HIPAA regulations, many of the Administrative safeguards are designed to verify that reasonable steps are being taken to secure the sensitive data stores maintained by covered institutions. While most of these steps should be (and in many cases are already) taking place at the institutions, the Safeguards Rule mandates that the administrative steps be encapsulated in a written information security plan. The plan is required to include an assessment of risks and an evaluation of existing safeguards, the establishment of a comprehensive safeguards plan, contracting with vendors to facilitate the plan when appropriate, and regular testing and evaluation of the plan and practices as the covered entity's business scope or volume changes.

The Federal Trade Commission (FTC), which is a major oversight body for GLB, also indicates the need for employee education and training, information systems management, and managing system failures. These measures help to ensure that data safeguards are robust and that all parties who come into contact with sensitive information are aware of company policies and the law.

On Lockdown

The Information Systems component of GLB addresses the company's technological interfaces with client data, and can include analyses of network and software design, information processing, storage, transmission, retrieval, and disposal. Here again, the FTC strongly suggests several procedural and technological steps, ranging from basic physical security like locked file drawers and server rooms to backing up client data to a secure, encrypted and password-protected server.

Many of GLB's provisions are designed to ensure that basic steps are taken so that client data is available only to those employees who need it in the course of their work, and that it is securely off-limits to everyone else. The Financial Privacy provisions were put in place to ensure that the data is properly maintained and protected. The provisions related to information systems and managing system failures help to ensure that the institution retains access to the data in order to resume operations after a data loss, and is able to produce documentation that would otherwise have been lost when the need or requirement arises.

As federal agencies are empowered to enforce GLB under existing codes such as the Federal Deposit Insurance Act, penalties for non-compliance are substantial. Fines levied against institutions found in violation can be up to $100,000 per violation at the national level, and in many cases the covered institutions, especially those in the insurance sector, are also exposed to state-level sanctions. In addition, the officers and directors of these companies can be held personally liable for civil penalties of up to $10,000. For companies or individuals that employ 'pretexting' (the use of fraudulent or deceptive tactics to obtain private financial information), the monetary penalties can go even higher, and violators can face prison terms of 5 to 10 years in addition to the fines.

Federal Trade Commission, "Financial Privacy: The Gramm-Leach-Bliley Act," online at ftc.gov

Copyright © 2008 StrategicDataServices.com - All Rights Reserved. Web Design by AvidCast, Inc.