Coping with the Gramm-Leach-Bliley Act

We speak with one of the GLBA's five authors to discuss the challenges organizations face as they struggle to stay GLBA-compliant.

Financial services firms know well the dangers of misusing (or allowing misuse of) any personally identifying customer information they have. Or at least they should, since under the Gramm-Leach-Bliley Act (GLBA), they must protect that information or face fines.

Although the law is already a reality—as of July 2001—it was also written without specifying the precise kinds of technology organizations should use to protect themselves. Companies today also face a range of threats that the law’s creators probably never envisioned, such as file-sharing software as a medium for bringing viruses and worms into the enterprise.

To gauge the challenges organizations face as they struggle to stay GLBA-compliant, Security Strategies spoke with Paul Reymann, CEO and founder of The Reymann Group, a financial services risk management and consulting company. Reymann is in a unique position—he was one of the five authors of GLBA.

How long did it take to write the GLBA rules?

It took us about a year and a half to author the rule, and get through the comment period. It actually got published just after I left the agency.

Just for background, what was the law’s impetus?

Today, when we're transferring bits and bytes of information about us as individuals, our background, and funds, all this value is being found in information besides just our financial information. Senators Gramm, Leach, and Bliley understood that; they said you can't have privacy without some form of security. In short, no privacy equals no security. And they said, we're … going to make sure there are proper security controls in place behind the scenes—because consumers can't see [back] there. That's one of the reasons they wrote the law.

How’s the industry coping?

[From a security standpoint], the banking industry is ahead of the curve. They've been doing good information security practices for years, not because there's a rule about it, but because they recognize the value of information security up front. Now what they've had to do is bring their security up a notch. And a lot of other organizations that are [now] defined as “financial services organizations” did not have as good security.

What do organizations need to do to stay GLBA compliant?

You need to cover the three objectives: having administrative, technical, and physical safeguards in place to protect customers’ personally identifying information. And we laid out a process-oriented approach on how to get there.

What’s changed since GLBA was written?

At the time, in 1999 and 2000, we didn't really see technology out there that could monitor employees on the network, as well as what they're doing outside the network. That's what I call the black hole [of security monitoring]. [Now, however,] companies like Vericept—its VIEW for Privacy Protection—can say there's non-public information being moved from point A to point B, and it's not authorized. Now you can monitor it.

Where are we today?

A lot of financial institutions are well underway with trying to comply with the intent of the rules. They're finding that this is one area where they really need to appoint the right people—able to “talk techie” and communicate that to the senior management and board of directors. A lot of institutions are creating chief information security officer positions. And these are the people who can really bridge that gap. The other change I really see going forward is the cultural change not only of the customer, but the employees; as they learn what their role and responsibilities are.

How has employee culture changed as a result of GLBA?

Clean desk policies are required now at almost every bank I go to, and when you talk to an employee about how that affects their job, the employee says, "I never had a clean desk before … things have to be locked up, you can't have a password on a sticky, you have to be careful what's on the screen that someone else can see." And if they violate these policies, it's part of their performance evaluations.

Does GLBA mandate any specific technology?

There are many areas under managing and controlling risk, where we outlined a number of areas you should at least have considered—access controls, monitoring, through to things like disaster recovery. What do you do when something breaks? You need to think about what's likely for the organization when that happens. What's the risk to the customer? [And] we didn't mandate that you have to do A to Z; you need to consider what works. And if you determine that it's not appropriate, you need to articulate it to the regulator.

Is GLBA enforcement underway?

A lot of banks will play a wait-and-see game when it comes to new rules that have been passed, because they know that bank regulators need to train their examiners. [But] the Office of the Comptroller of the Currency in April of this year sent a warning shot across the bow, and took action against two loan officers who emailed their entire customer list to themselves at their next job. That was a clear violation.

How frequently should companies audit themselves for compliance?

Regulators have come out and said it can't be point in time … it has to be an ongoing risk assessment. This is something new—banks have done risk assessments for years, but to do it in an ongoing fashion will require a big change. In the past, it might have been just a project team. Now it's ongoing, you have to get everyone involved. And a new product can change your risk profile, your information security profile can be affected; then too you need to reassess your risk. So they say “continuous risk assessment,” but they mean, as events occur that are significant and could affect your information security program, you need to reassess.

How does GLBA change?

Regulators [issue] guidance, then say [whether] this guidance is supplemental to an existing rule, which attaches it to the rule. They’ll update it as the industry changes over time.

What are they looking at now?

Some of those areas they've [said] to keep an eye on include: managing third-party relationships, business continuity, terrorist activities, incident response capabilities, and, very importantly in 2003, identity theft, which they're calling the number-one financial crime of the year and which links directly to information security.

How so?

The average consumer doesn't have enough money in their account to justify identity activities. What [thieves] want to do is go into a bank disguised as the consumer, so they can open new credit cards, get loans. The consumer is protected, [however] financial institutions aren’t.

Do banks see GLBA as a way to protect against identity theft?

Most banks are starting to make the connection; they hadn't originally.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.