The Gramm-Leach-Bliley Act (GLBA) is a law that applies to financial institutions in the United States. It is designed to protect sensitive data such as names, addresses, credit histories, and so on. When we think of financial institutions, we tend to imagine large commercial banks; however, a “financial institution” can be any company that deals with loans, deposits, investments and currency exchange.
As such, a financial institution could include payday lenders, mortgage brokers, insurance companies, solicitors, etc. All US companies that meet this definition are bound by the GLBA, regardless of their size. Confusion over what constitutes a “financial institution” has resulted in some companies failing to comply and, given that they may be subject to penalties of up to $100,000 for each violation, it would be wise for them to take note.
The Safeguards Rule in GLBA
The most important requirement of the GLBA is the Safeguards Rule. The Safeguards Rule, which was issued by the Federal Trade Commission (FTC), is designed to ensure that financial institutions have a non-public personal information (NPI) protection plan in place, otherwise known as a Written Information Security Plan (WISP).
The plan must outline the administrative, technical, and physical safeguards used to protect sensitive customer information. I won’t go into too much detail about the WISP, as there is already plenty of detailed information online. Instead, I’ll provide a very brief overview of the requirements, and highlight certain key areas that need to be addressed, along with the technical safeguards that can be used to address them.
To comply with GLBA, financial institutions are required to:
- Appoint an officer (a new or existing employee) to manage their data security program;
- Carry out a risk assessment to identify where sensitive data might be at risk;
- Implement, test and monitor a program to safeguard sensitive data;
- Ensure that affiliates/vendors/contractors are able to maintain the necessary safeguards.
Securing Sensitive Data
Keeping sensitive data secure requires a multi-pronged approach. It is unlikely that any financial institution has not already implemented the necessary physical safeguards, such as locks, alarms, CCTV cameras, and so on. Likewise, technical solutions such as anti-virus software and firewalls are commonplace. However, companies often fail to implement technical safeguards such as real-time auditing of sensitive data, which is crucial to comply with most (if not all) data protection regulations.
In order to keep track of who is accessing what data, and when, you obviously need to know where your sensitive data resides. To help with this, there are a number of solutions which can automatically discover and classify a wide range of data types, such as PII, PHI, PCI and more.
Knowing exactly what data you have, and where it resides, makes it a lot easier to assign the appropriate access controls. You will need a way to monitor access to sensitive data in real-time. Data Security Platforms, such as LepideAuditor, enable you to detect, alert and respond to a wide range of events, such as changes made to privileged accounts, suspicious file and folder activity, mailbox access and suspicious login attempts.
It also provides automated password expiration reminders and can automate the process of managing inactive user accounts. While it is technically possible to monitor access to sensitive data by analyzing the native server logs, doing so will be cumbersome and time-consuming, and will require a specialized set of skills.
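As an added illustration of the discover-then-audit approach described above (example code written for this page, not Lepide's product or any product's API), the Python below classifies constructed sample files for PII/PCI content and then checks constructed file-access audit events against that inventory. It assumes a hypothetical per-file allow list and 08:00 to 18:00 business hours.

```python
import re
from datetime import datetime

# Constructed sample file contents standing in for a discovery scan of a share.
FILES = {
    "/share/hr/loans_2023.csv": "John Doe, SSN 123-45-6789, card 4111 1111 1111 1111",
    "/share/marketing/newsletter.txt": "Spring rates are here! Call us today.",
    "/share/finance/statement.txt": "Account 987654 balance 12,000.00 card 4111111111111112",
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the sensitive-data labels (PII, PCI) found in a piece of text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("PII")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PCI")
    return labels

def discover(files: dict) -> dict:
    """Build the inventory: path -> labels. Only labelled files get audited."""
    return {path: classify(body) for path, body in files.items()}

# Constructed audit events: (timestamp, user, path, action).
EVENTS = [
    ("2024-03-04T09:15:00", "loan.officer", "/share/hr/loans_2023.csv", "read"),
    ("2024-03-04T23:40:00", "loan.officer", "/share/hr/loans_2023.csv", "read"),
    ("2024-03-04T10:02:00", "intern", "/share/hr/loans_2023.csv", "copy"),
    ("2024-03-04T02:00:00", "intern", "/share/marketing/newsletter.txt", "read"),
]
ALLOWED = {"/share/hr/loans_2023.csv": {"loan.officer"}}  # hypothetical allow list

def alerts(events, inventory, allowed):
    """Flag access to labelled files by non-allowed users or outside 08:00-18:00."""
    out = []
    for ts, user, path, action in events:
        labels = inventory.get(path, set())
        if not labels:
            continue  # file holds no classified data; nothing to raise
        tag = "/".join(sorted(labels))
        if user not in allowed.get(path, set()):
            out.append((ts, user, path, f"unauthorized {action} of {tag} data"))
        elif not 8 <= datetime.fromisoformat(ts).hour < 18:
            out.append((ts, user, path, f"out-of-hours {action} of {tag} data"))
    return out
```

Running `alerts(EVENTS, discover(FILES), ALLOWED)` yields two alerts: the late-night read by the loan officer and the intern's copy of the loans file; the newsletter read is ignored because discovery found nothing sensitive in it.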