Gramm Leach Bliley Act - GLBA

In recognition of the importance of protecting personal financial information, the GLBA was signed into law on November 12, 1999. The act dictates that financial institutions must, under 15 USC 6801 Section 501, 505(b) and 507, establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, physical, and technical safeguards. GLBA further states that "it is the policy of the Congress (and now the United States) that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information." These safeguards must be sufficient to:

ensure the security and confidentiality of customer records and information;
protect against any anticipated threats or hazards to the security or integrity of such records; and
protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

These general compliance objectives have been further refined by financial institution regulatory agencies in subsequent guidelines. Information Risk Group has developed specific work programs to assist financial institutions in achieving GLBA compliance per each agency's policies. Please contact IRG if you have questions about what steps are required for your institution.

Annual Privacy Notice Requirement - Exception

As of December 4, 2015, Section 75001 of the Fixing America’s Surface Transportation Act (FAST Act) amended Section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is
not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.

Please contact Info Risk Group to assist you with this analysis, we have partnered with privacy counsel who can assist you.

Compliance Dates have all past

The effective date for implementing these guidelines were dependent upon which government agency was responsible for regulating your financial institution. See the chart below for a further explanation:

Regulatory Agency	Financial Institutions Regulates	Implementation Compliance Date	Outsourced Technical Services Compliance Date
CFPB	The Consumer Financial Protection Bureau (CFPB) is mainly focuses on financial institutions that interact with consumers. Specifically, they are focused on the Privacy Rule and the Opt-Out requirements. Note: The CFPB enforces GLBA through the FTC.	Oct 28, 2014	Oct 28, 2014
FDIC	Primary federal regulator of state-chartered "nonmember" banks--commercial and savings banks that are not members of the Federal Reserve System.	July 1, 2001	July 1, 2003
OCC	Charters regulates, and supervises all national banks. Thr OCC also supervises the federal branches and agencies of foreign banks. Additionally, since 2011 all thrift institutions (formerly managed by the OTS) are also regulated by the Treasury Department. The OTS, a Bureau of the Department of the Treasury, was abolished by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act or Act) ^[1] on October 19, 2011.	July 1, 2001	July 1, 2003
FTC	FTC considers each of the following to be financial institutions (per Section 314.2(h)) retailers that extend credit by issuing their credit cards directly to consumers automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days personal property or real estate appraiser credit counselors and other financial advisors businesses that print and sell checks for consumers businesses that regularly wire money to and from consumers check cashers accountant or other tax preparation service business that operates a travel agency in connection with financial services entity that provides real estate settlement services mortgage brokers investment advisory company and a credit counseling service company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate	May 23, 2003	May 23, 2006 (To conform third-party service contracts entered into before July 24, 2002)
FRB	Primary federal regulator for state-chartered banks that are members of the Federal Reserve System, as well as for all bank and financial holding companies and certain operations of foreign banking organizations.	July 1, 2001	July 1, 2003
NCUA	Charters and supervises federal credit unions and insurers the deposits in all federal and many state-chartered credit unions.	July 1, 2001	July 1, 2003
State Banks	Supervise state-chartered banks, savings institutions, and credit unions.	July 1, 2001	July 1, 2003
State Insurance Authorities	Insurance companies are regulated at the state level.	varies by state	varies by state

How can Information Risk Group assist your company in complying with these guidelines?

Regardless of size or complexity, all financial institutions must take specific actions to comply with GLBA. The steps that must be taken vary slightly by regulating agencies; however, each agency has based its guidelines around a common set of information security principles.

Each financial institution must develop a written information security plan that includes:

designate one or more employees to coordinate the safeguards
identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks
design and implement a safeguards program, and regularly monitor and test it
select appropriate service providers and contract with them to implement safeguards
evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.

Information Risk Group has developed several specific offerings to aid financial institutions in complying with the requirements of GLBA. Our methodologies are based on years of experience as technical auditors with large financial firms and major accounting agencies. IRG reviews are performed in an efficient and timely manner to minimize any impact from our assessment on your company and its personnel. Our present offerings with respect to GLBA are as follows:

Information Security Plan Development
Execution of a security assessment designed to comply with Sections 501 and 505(b) of the GLBA
Incident Response to security penetrations in line with GLBA guidance
Annual host and perimeter vulnerability assessments
Implementation and design review of Intrusion Detection Systems, Incident Response, and Business Continuity Plans

Contact IRG today for further information on how we can help you comply with GLBA.

Info Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609

E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Offering information security and risk management services to companies throughout the Americas.