Standards for safeguarding customer information, issued by several government regulatory agencies in response to Section 501 of the Gramm-Leach-Bliley Act (GLBA), require that financial institutions implement an information security program that considers specific technical safeguards for securing their customers’ nonpublic personal information (NPI). With the increasingly strict enforcement of the interagency guidelines for protecting customer information, financial institutions lacking the appropriate level of controls will find themselves having to deal with audit comments from agencies exerting substantial pressure to comply.
Complying with the interagency guidelines for NPI protection can be greatly facilitated by implementing a security solution that focuses on the protection of the data itself. An enterprise-class system with centralized management and local enforcement of policies controlling access to NPI can provide consistent enforcement of those policies throughout the IT environment, facilitating both compliance and auditor verification of policy enforcement for NPI protection.
Enforcing Policies for NPI Protection in Compliance with GLBA
Along with opening up the financial services industries by removing the restrictions that prevented the affiliation of banks, brokerages and insurance companies, the Gramm-Leach-Bliley Act (GLBA) mandates controls over customers’ nonpublic personal information with respect to usage, protection and distribution. Section 501 specifically requires the protection of nonpublic personal information, and Section 505(a) lists the specific agencies and authorities tasked with establishing and enforcing the standards outlined in Section 501(b), which requires administrative, technical and physical safeguards to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of such records; and
- Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. [1]
[1] Senate Banking Committee, “Conference Report and Text of Gramm-Leach-Bliley Bill,” http://banking.senate.gov/conf/confrpt.htm, 4/21/04.
Guidelines. These documents provide a clear description of the methods and technologies that regulators expect institutions to consider, and to evaluate for appropriateness, in meeting the outlined risk-control guidelines. In effect since July 1, 2004, these GLBA guidelines for technical safeguards under Section 501 are being enforced with increasing rigor. This enforcement is requiring institutions to implement security controls that address the dynamic and escalating risk environment surrounding their customers’ personal information.