The Gramm-Leach-Bliley Act was enacted in 1999. Also known as the Financial Services Modernization Act, GLB requires financial institutions to provide a privacy notice to their customers and restricts the non-public personal information (NPI) they may share about customers with third parties.
Financial institutions are also required to protect the security and integrity of customers' non-public information through both physical and electronic means. The act gives eight federal agencies and the states authority to administer and enforce its provisions.
There are three important components to the privacy requirements: the Financial Privacy Rule, the Pretexting Provisions, and the Safeguards Rule. The Financial Privacy Rule and the Pretexting Provisions fall mainly outside the responsibilities of information security professionals. The Safeguards Rule, however, mandates that financial institutions protect customer information from unauthorized use and is the portion of the Gramm-Leach-Bliley Act that most directly affects the information management industry.
The Safeguards Rule, which became effective in May 2003, requires all financial institutions to design, implement and maintain safeguards to protect customer information. Financial institutions are required to create a written information security plan that describes how they protect customer information. The scope of the organization's security plan may depend on its overall size. Each financial institution's plan must:
Designate at least one employee to coordinate the safeguards and bear responsibility for compliance
Identify internal and external risks to the security, confidentiality, and integrity of customer information across all relevant areas of operations, including: employee training and management; information systems, including processing, storage and disposal; and the prevention, detection and response to threats and attacks
Design, implement, and regularly test or monitor safeguards that control and limit risks to information
Select and contract with service providers that are capable of performing to the same standards
What Industries Are Affected?
The Gramm-Leach-Bliley Act regulates financial institutions, which are defined as "businesses significantly engaged in providing financial products and/or services." Examples are banks, insurance companies, lenders, credit card firms, accountants, financial planners, etc. In practice, any organization that maintains personal information about its customers is affected. Key executives within an organization can also be held accountable for noncompliance.
Penalties for Violation Are Strict
The Gramm-Leach-Bliley Act provides for civil and criminal penalties for noncompliance. These include fines and even imprisonment:
Civil penalties for businesses can include fines up to $100,000 for each violation
Officers and directors can be held personally liable for a civil penalty for up to $10,000 per violation
Criminal penalties may include up to five years in prison
Compliance With the Act
When developing an information security plan, an organization should assess how the plan affects employee training, internal information systems, and the management of system failures. To help comply, organizations should consider implementing the following:
Thorough background checks of employees who will be handling information
Signed agreements from all employees stating that they will follow the confidentiality and security procedures addressed in the information security plan
Outsourcing document management, destruction and data protection to a secure provider, and locking rooms and file cabinets for any records that are stored in-house
Password protection on computers, with passwords changed periodically
Limiting access to customer information to authorized users only
To maintain security throughout the life cycle of an organization's information, all documents should be stored in a location that is locked when unattended. This location should be protected against destruction and natural physical damage. Any electronic customer information should be password-protected and covered by strict security controls.
In addition, backup media and archived data must be kept secure. When information reaches the end of its life cycle, all documents and media containing NPI must be destroyed in a secure manner, including computers, diskettes, magnetic tapes and hard drives.
This information is to provide clarity and should not be construed as legal advice.