Compliance Regulatory Overview: Gramm-Leach-Bliley

In this lesson, we will explore the Gramm-Leach-Bliley Act: who it affects, what failing to comply could mean for your organization, and best practices for complying.

Lesson 3 of 7

The Gramm-Leach-Bliley Act, formally known as the Financial Services Modernization Act of 1999, is aimed at financial institutions and is enforced by eight separate federal agencies and the states. Gramm-Leach-Bliley provides for a fairly broad interpretation of the phrase "financial institution": it affects not only banks, insurance companies, and securities firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.

10 things you should know about Gramm-Leach-Bliley

Here's a quick rundown of 10 things you should know about this act:

  • Gramm-Leach-Bliley covers a wide range of businesses, but not all businesses are required to comply.
  • Compliance is not an IT-only project.
  • You need to get your security policies in order.
  • Potential risks need to be continually identified.
  • Both non-public and public information must be protected.
  • Annual privacy policy information should include more than a Web page.
  • Businesses must keep tabs on third-party providers.
  • Data should be encrypted in storage and in transit.
  • Data you don't need should be destroyed.
  • Contact a lawyer or consultant.

For more details about these points, download 10 things you should know about the Gramm-Leach-Bliley Act.


How does this act affect your storage systems?

One major component of Gramm-Leach-Bliley, the safeguards provision in Title V, section 501, requires that administrative, technical, and physical safeguards be in place to protect your customers' private financial information. According to this section of the act, safeguards must be in place in order to:

  • insure the security and confidentiality of customer records and information;
  • protect against any anticipated threats or hazards to the security or integrity of such records; and
  • protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

For the full text, see the Gramm-Leach-Bliley Act.

What should you do to comply?

This overview of Gramm-Leach-Bliley looks at the specific aspects of the act that deal with storage and data security. Author Scott Lowe explains the requirements this way:

"Today's interpretation of Gramm-Leach-Bliley calls for controls on customer data, the strength of which are proportional to the sensitivity of the information being stored. What this means is that your data security goes well beyond your storage device alone and, in fact, encompasses a company's policies and procedures as well as the hardware that maintains the storage infrastructure.

"When it comes to policies and procedures, you need to define who can access which data, and under what circumstances. Further, you should log access to sensitive customer information to help provide accountability and provide a deterrent to insiders that threaten customer privacy."

To learn more about how to comply with the act, read Are you in compliance with Gramm-Leach-Bliley storage requirements?

For a comprehensive list of Gramm-Leach-Bliley resources, including free downloads, see the resources list below.

Gramm-Leach-Bliley resources

White papers

  • Remote Service and Support After Gramm-Leach-Bliley
    This white paper from Enexity discusses key Gramm-Leach-Bliley requirements as they relate to electronic access to a financial institution's customer information, and how the SecureLink Virtual Support Network product suite can help a financial institution comply with Gramm-Leach-Bliley guidelines while also realizing the benefits of a robust remote support solution.
  • Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance
    In this white paper from the SANS Institute, Kevin Bong describes a process he developed for conducting an electronic risk assessment in accordance with the Gramm-Leach-Bliley Act, which he used to conduct a risk assessment for Johnson Financial Group.
  • E-mail Content Filtering Strategies for GLBA Compliance
    E-mail management systems must provide tools and techniques that enable companies to comply with the Gramm-Leach-Bliley Act. This white paper from Tumbleweed Communications outlines a strategy that will enable companies to meet their compliance obligations as they relate to the transmission and disclosure of Nonpublic Personal Information through an e-mail system.
  • The Gramm-Leach-Bliley Act versus Best Practices in Network Security
    In this white paper from the SANS Institute, the author focuses on Title V, section 501 of Gramm-Leach-Bliley, which mandates that financial institutions implement "administrative, technical, and physical safeguards" for customer records and information.


Course list

  • Lesson 1: Sarbanes-Oxley
  • Lesson 2: HIPAA
  • Lesson 3: Gramm-Leach-Bliley
  • Lesson 4: FERPA
  • Lesson 5: U.S. Patriot Act
  • Lesson 6: European legislation
  • Lesson 7: What's next?
