The Gramm-Leach-Bliley Act is aimed at financial institutions and is enforced by eight separate federal agencies and the states. Gramm-Leach-Bliley provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies, and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.
How does this Act affect your storage systems? One major component of Gramm-Leach-Blileyrequires that safeguards be in place to protect your customers' private financial information. Here is an excerpt from the Act, the full text of which can be found at the link above.
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -
(1) to insure the security and confidentiality of customer
records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."
Another section of Gramm-Leach-Bliley indicates that institutions must "develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information."
What should you do to comply?
At present, the language in the Act is fairly broad and could be interpreted as providing a pretty loose standard by which institutions must protect customer information. I would anticipate that the recent problems with companies like ChoicePoint, LexisNexis, and at many colleges and universities will eventually lead to changes in this wording that make it stricter, even though the affected companies aren't necessarily covered by Gramm-Leach-Bliley.
Today's interpretation of Gramm-Leach-Bliley calls for controls on customer data, the strength of which are proportional to the sensitivity of the information being stored. What this means is that your data security goes well beyond your storage device alone and, in fact, encompasses a company's policies and procedures as well as the hardware that maintains the storage infrastructure.
When it comes to policies and procedures, you need to define who can access which data, and under what circumstances. Further, you should log access to sensitive customer information to help provide accountability and provide a deterrent to insiders that threaten customer privacy.
Your actual storage system should actually be secondary. As long as it's protected from unauthorized access, and you know who has permissions, when someone accessed information, and why, your company will be able to conduct business, even with Gramm-Leach-Bliley in place.
The short version: Your storage system should be protected from any and all outside and unauthorized access. Most intrusions are accomplished from inside the corporate firewall, so a single layer of defense is not enough. Further, don't forget about VPN access, which can be used for both legitimate as well as nefarious purposes. You must have technical solutions and policies in place that protect data. Anything less is both illegal, and—in these days of data and identity theft—irresponsible.
TechRepublic's free Storage NetNote newsletter is designed to help you manage the critical data in your enterprise. Automatically sign up today!