The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was enacted by the United States Congress in 1999.
GLBA applies primarily to organizations in the financial sector.
Note
The information in GLBA sections to follow is compiled from "Compliance and Risk Management: GLBA" at http://www.cisco.com/en/US/netsol/ns625/net_value_proposition0900aecd80380856.html.
Organizations that engage in financial activities, or in activities that cause them to be classified as financial institutions, are subject to GLBA.
GLBA defines "financial institutions" as companies that offer financial products or financial services, such as loans, investment advice, or insurance. Examples include the following:
Banks
Securities firms
Insurance companies
Mortgage lenders
Brokers
Check cashers and payday lending services
Credit counseling service
Financial advisors
Medical-services providers
Financial or investment advisory services, including tax planning, tax preparation, and individual financial management
Companies issuing their own credit cards
Auto dealers that lease or finance purchases
Educational and academic institutions providing financial aid or student loans
Collection agencies
Government entities that provide financial products such as student loans or mortgages
GLBA compliance is mandatory and requires United States–based financial institutions to
Establish administrative, technical, and physical safeguards to protect customer information
Ensure the confidentiality and integrity of customer records and information
Establish and enforce policies and controls that protect the security and confidentiality of nonpublic information against reasonably foreseeable threats to its security and integrity
Establish procedures governing the collection, disclosure, and protection of consumers' nonpublic personal information and personally identifiable information
Protect against anticipated threats or hazards to the security of that information
Protect against unauthorized access to or use of that information
Establish a continuous, risk-based information security program that provides ongoing monitoring, auditing, and reporting
Section 501(b) of GLBA states the high-level privacy and security objectives that financial institutions must meet.
To comply with the act, organizations are required to
Identify and assess security risks
Plan and implement security solutions to protect sensitive information
Establish measures to monitor and manage security systems
The internationally recognized ISO/IEC 27002 standard (formerly ISO/IEC 17799) provides a best-practice control framework for achieving these objectives; the Cisco Self-Defending Network solution is designed to align with the controls recommended by ISO/IEC 27002.
Violation of GLBA may result in severe penalties and in litigation through a civil action brought by the United States Attorney General. The penalties, as amended under the Financial Institution Privacy Protection Act of 2003, include the following:
The financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation.
The officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation.
The Federal Trade Commission (FTC) is one of the agencies authorized to implement and enforce GLBA, and in May 2002 it issued its Final Rule, the Safeguards Rule (16 CFR Part 314), for the financial institutions under its jurisdiction.
The compliance date for the rule was May 23, 2003, for all covered financial institutions; service-provider contracts already in place were given until May 24, 2004.
Table 25-1 lists the Cisco products and solutions that help address the GLBA requirements.
In summary, financial institutions need a collaborative, adaptive, system-based approach that provides an effective governance framework for protecting sensitive information and gives them practical guidance for meeting GLBA compliance requirements.
For more details about GLBA, refer to the following documentation URLs:
http://banking.senate.gov/conf/
http://www.epic.org/privacy/glba/