Lesson 3 of 7
The Gramm-Leach-Bliley Act, formally known as the Financial Modernization Act of 1999, is aimed at financial institutions and is enforced by eight separate federal agencies and the states. Gramm-Leach-Bliley provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies, and securities firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among
10 things you should know about Gramm-Leach-Bliley
Here's a quick rundown of 10 things you should know about the act:
- covers a wide range of businesses, but not all businesses are required to
- is not an IT-only project.
- need to get your security policies in order.
- risks need to be continually identified.
- non-public and public information must be protected.
- must keep tabs on third-party providers.
- should be encrypted in storage and in transit.
- you don't need should be destroyed.
- a lawyer or consultant.
For more details about these points, download 10 things you should know about the Gramm-Leach-Bliley Act.
How does this act affect your storage systems?
One major component of Gramm-Leach-Bliley, Title V, Section 501, requires that safeguards be in place to protect your customers' private financial information. According to this section of the act, safeguards must be in place in order to:
- ensure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of such records; and
- protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
For the full text, see the Gramm-Leach-Bliley Act.
What should you do to comply?
This overview of Gramm-Leach-Bliley looks at the specific aspects of the
act that deal with storage and data security. Author Scott Lowe explains the
requirements this way:
"Today's interpretation of Gramm-Leach-Bliley calls for controls on customer data, the strength of which is proportional to the sensitivity of the information being stored. What this means is that your data security goes well beyond your storage device alone and, in fact, encompasses a company's policies and procedures as well as the hardware that maintains the
“When it comes to policies and procedures, you need to
define who can access which data, and under what circumstances. Further, you
should log access to sensitive customer information to help provide
accountability and provide a deterrent to insiders that threaten customer
To learn more about how to comply with the act, read Are
you in compliance with Gramm-Leach-Bliley storage requirements?
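The two controls named above, deciding who may read which customer data under what circumstances and logging every access so that insiders can be held accountable, are small enough to show in working code. The following is an added example written for this lesson; it is not code from the article, from Scott Lowe, or from any product listed on page two. The roles, purposes, field names and customer records are constructed for illustration, and the log is hash-chained so that editing or deleting an earlier entry is detectable, which is what makes it usable as evidence rather than just a convenience.

```python
"""Added example (not from the article): role- and purpose-based access control
over customer non-public personal information, with a hash-chained audit log.
Roles, purposes, field names and records below are assumptions for illustration."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Constructed sample customer records (fictional data).
RECORDS = {
    "C-1001": {"name": "A. Example", "account": "1234567890", "ssn_last4": "6789"},
    "C-1002": {"name": "B. Example", "account": "2345678901", "ssn_last4": "5432"},
}

# Assumed policy: which fields each role may read, and under which purpose.
POLICY = {
    "teller":    {"fields": {"name", "account"},              "purposes": {"transaction"}},
    "fraud":     {"fields": {"name", "account", "ssn_last4"}, "purposes": {"investigation"}},
    "marketing": {"fields": {"name"},                         "purposes": {"campaign"}},
}


class AuditLog:
    """Append-only log. Each entry carries a SHA-256 over the previous entry's
    hash plus its own body, so editing or removing an earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, body):
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def append(self, body):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**body, "prev": prev, "hash": self._digest(prev, body)})

    def verify(self):
        """True only if every entry still chains to its predecessor unchanged."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self._digest(prev, body):
                return False
            prev = e["hash"]
        return True


def access_record(log, user, role, record_id, fields, purpose, when=None):
    """Decide whether `user` acting as `role` may read `fields` of `record_id`
    for `purpose`. Every attempt is logged, allowed or denied. Returns (allowed, data)."""
    fields = set(fields)
    rule = POLICY.get(role)
    if rule is None:
        reason = "unknown role"
    elif record_id not in RECORDS:
        reason = "no such record"
    elif purpose not in rule["purposes"]:
        reason = "purpose not permitted for role"
    elif not fields <= rule["fields"]:
        reason = "fields not permitted for role: " + ",".join(sorted(fields - rule["fields"]))
    else:
        reason = ""
    allowed = reason == ""
    log.append({
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user, "role": role, "record": record_id,
        "fields": sorted(fields), "purpose": purpose,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    if not allowed:
        return False, {}
    rec = RECORDS[record_id]
    return True, {f: rec[f] for f in sorted(fields)}   # only the fields asked for


def accesses_to(log, record_id):
    """Accountability query: every attempt, allowed or denied, against one record."""
    return [e for e in log.entries if e["record"] == record_id]


if __name__ == "__main__":
    log = AuditLog()
    print(access_record(log, "alice", "teller", "C-1001", {"name", "account"}, "transaction"))
    print(access_record(log, "bob", "marketing", "C-1001", {"account"}, "campaign"))
    for e in accesses_to(log, "C-1001"):
        print(e["ts"], e["user"], e["role"], e["decision"], e["reason"])
    print("chain intact:", log.verify())
```

Denied attempts are logged with the same care as allowed ones; a marketing user repeatedly asking for account numbers is exactly the insider pattern the quoted text says logging should deter, and it is only visible if the denial is recorded. In production the log would be written to a store the application cannot rewrite (a separate host, write-once media, or a log service with its own integrity controls), and `verify()` would run there, not beside the code it is checking.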
For a comprehensive list of Gramm-Leach-Bliley resources,
including free downloads, see page two.
- Frequently Asked Questions
The staff of the Federal Trade Commission developed this FAQ to assist financial institutions in complying with the privacy provisions of the Gramm-Leach-Bliley Act and the Commission's financial
- In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
The Federal Trade Commission offers a brief look at the basic financial privacy requirements of the law.
- Download: 10 things you should know about the Gramm-Leach-Bliley Act
This handy, two-page list describes 10 things that IT professionals should know about the Gramm-Leach-Bliley Act.
The Direct Marketing Association (DMA) walks you through the process of
of Gramm-Leach-Bliley through this interactive generator.
of the Gramm-Leach-Bliley Act
This is a detailed overview of Gramm-Leach-Bliley from the Federal Reserve Bank of
- Careless Web site content can place your company at risk
With all the new accountability laws being enforced today (e.g., the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act), lax security on your Web site might leave you open to downstream liability.
- IT should work with Legal Dept.
In an excerpt from this discussion post, TechRepublic
member kdrungilas says: “Section
501 of the Gramm-Leach-Bliley (GLB) Act mandates that financial services
firms implement and enforce a written ‘information security program’ to
protect non-public customer data. Thus, it is imperative that your company
be able to monitor and track any electronic information entering or
exiting your messaging system as an integral part of IT security.” Read
this peer’s entire post.
- Records Management Implications for Financial Institutions
Iron Mountain examines records management implications of the
- Service and Support After Gramm-Leach-Bliley
This white paper from Enexity discusses key Gramm-Leach-Bliley requirements as they relate to electronic access to a financial institution's customer information, and how the SecureLink Virtual Support Network product suite can help a financial institution comply with Gramm-Leach-Bliley guidelines while also realizing the benefits of a robust remote support solution.
- Conducting an electronic
information risk assessment for Gramm-Leach-Bliley Act compliance
In this white paper from the SANS Institute, Kevin Bong describes a
process he developed for conducting an electronic risk assessment in
accordance with the Gramm-Leach-Bliley Act, which he used to conduct a
risk assessment for Johnson Financial Group.
- Content Filtering Strategies for GLBA Compliance
E-mail management systems must provide tools and techniques that enable
companies to comply with the Gramm-Leach-Bliley Act. This white paper from
Tumbleweed Communications outlines a strategy that will enable companies
to meet their compliance obligations as they relate to the transmission
and disclosure of Nonpublic Personal Information through an e-mail system.
- The Gramm-Leach-Bliley
Act versus Best Practices in Network Security
In this white paper from the SANS Institute, the
author focuses on Title V, section 501 of Gramm-Leach-Bliley, which
mandates that financial institutions implement “administrative, technical,
and physical safeguards” for customer records and information.
(SG Series and Gramm-Leach-Bliley solutions)
- SmartSoftKey (AMPLock)
- BindView (Policy Operations Center)
- Vericept (Vericept Intelligent Early Warning, or VIEW)