SUMMARY OF THE GRAMM-LEACH-BLILEY ACT & FEDERAL TRADE COMMISSION’S SAFEGUARDING RULE


On May 23, 2003, the Federal Trade Commission (FTC) adopted the “Standards for Safeguarding Customer Information” Rule promulgated under the authority of the Gramm-Leach-Bliley Act (GLBA). 


OBJECTIVE OF THE SAFEGUARDING RULE (INFORMATION SECURITY PROGRAM)


The GLBA safeguarding rule requires all financial institutions, including institutions of higher education, to develop and draft a comprehensive, written Information Security Program that includes administrative, technical and physical safeguards designed to protect the confidentiality of customers’ nonpublic financial information that is held in the institution’s possession. Therefore, under this new federal law, all Tennessee Board of Regents institutions must draft a Program that is specific to their operations to ensure that their customers’ nonpublic financial information (e.g., personal information that is maintained by the institution to provide a financial product or service) is safeguarded and kept confidential. The Program must delineate an information security program to ensure the confidentiality of customers’ nonpublic financial information that is in keeping with the rule’s objective and specifically designed to:

(i) insure the security and confidentiality of customer information;

(ii) protect against any anticipated threats or hazards to the security or integrity of such information; and

(iii) protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.

MANDATORY COMPONENTS OF THE INFORMATION SECURITY PROGRAM

The following are mandatory components of an institution’s Program:


(i) the designation of responsibility to one or more employees to coordinate the information security program;

(ii) a method by which to periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and to assess the sufficiency of any safeguards in place to control those risks. At a minimum, the risk assessment plan must include consideration of the risks in the following areas: (a) employee training and management; (b) information systems (including network and software design), processing, storage, transmission and disposal; and (c) detecting, preventing, and responding to attacks, intrusions, or other system failures;

(iii) the design and implementation of information safeguards to control the risks identified through the risk assessment described in the previous element, (ii), and regular testing or other monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

(iv) the development of a methodology to oversee and supervise the institution’s service providers (nonaffiliated and affiliated third parties) with access to customer information by:

a. taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and

b. requiring service providers by contract to implement and maintain such safeguards (contracts with nonaffiliated third parties in existence prior to June 24, 2002 need not be amended to include provisions requiring the service provider to implement and maintain appropriate confidentiality safeguards until May 24, 2004); and

(v) the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by element (iii); any material changes to the institution’s operations; or any other circumstances that the institution knows or has reason to know may have a material impact on its information security program.


The Program may consist of several written documents, including those detailing existing security procedures, provided that all of the documents are compiled in one location.


FEDERAL TRADE COMMISSION ENFORCEMENT


Institutions are not required to file their Programs with the FTC; however, if the Commission suspects that an institution is not complying with the GLBA, it may audit the institution to determine whether it has developed adequate safeguarding measures. The standard that the FTC will use to determine whether an institution has violated the safeguarding rule is a standard of reasonableness.

Therefore, the FTC will consider what it deems to be reasonable safeguarding measures to protect customers’ nonpublic financial information under the circumstances at each institution. Institutions that fail to develop a written Program may be subject to sanctions imposed by the FTC. Development of a comprehensive Program could protect an institution from FTC sanctions and/or negligence lawsuits due to an inadvertent breach of security that results in the release of customers’ nonpublic financial information.