Gramm-Leach-Bliley Act

So what is Gramm-Leach-Bliley Act (GLBA) requirement for Protection of Customer Information. Here is simple guidelines based on section V and the ammendment of appendix B. This act require the institution not only to protect but also assess and then control the IT risk.

Section V of the Gramm-Leach-Bliley Act of 1999
Governs privacy in the context of Financial Institution Safeguards.

Section 501(a): It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic information.

Section 501(b): Establish appropriate standards for the financial institutions subject to their jurisdictions relating to administrative, technical, and physical safeguards
1. To insure the security and confidentiality of customer records and information;
2. To protect against anticipated threats or hazards to the security or integrity of such records; and
3. To protect against unauthorized access to use of such records or information which could result in substantial harm or inconvenience to any customer.

2. Appendix B to Part 570
Outlines the Agency’s expectations for the creation, implementation, and maintenance of an information security program. This program must include administrative, technical complexity of the institution and the nature and scope of its activities. The guidelines describe the oversight role of the board of directors in this process and management’s continuing duty to evaluate and report to the board on the overall status of this program.

The Gramm Leach Bliley Act (GLBA) is a comprehensive law affecting institutions and departments that deal with financial information which includes nonpublic personal information such as addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.

Requirements
The GLBA includes requirements to protect the security, integrity, and confidentiality of this consumer information. To be GLBA compliant, organizations must develop, implement, and enforce a comprehensive information security program including administrative, technical, and physical safeguards as determined appropriate for the institution and data. In addition to developing their own safeguards, organizations are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

The Gramm-Leach-Bliley Act of 1999 is also known as the Financial Services Modernization Act. It is intended to protect consumers and customers who obtain "financial products or services to be used primarily for personal or other household purposes". The Risk assessment is an important element of GLBA and the Federal Trade Commission has identified four areas that must be addressed:

(1) Information Systems,
(2) Employee Management and Training,
(3) Managing System Failures and
(4) Service Providers.

Download Free How To Comply with the Privacy of Consumer Financial Information Rule of The Gramm-Leach-Bliley Act
A Guide for Small Business from the Federal Trade Commission July 2002 The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain "financial activities."

Download Free Gramm-Leach-Bliley Act Information Security Program Templates. This templates covers:

1. Risk Identification and Assessment.
The Institution intends, as part of the Program, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In implementing the Program, the Program Officer will establish procedures for identifying and assessing such risks in each relevant area of the Institution's operations, including: