The Gramm-Leach-Bliley (GLB) Act, enacted in November 1999, requires financial institutions collecting personal information from their customers to secure this type of information from unauthorized access by May. Personal customer information includes name, address and phone number; bank and credit-card account numbers; income and credit histories; and Social Security numbers. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule.
"The purpose of the Safeguards Rule is to ensure that sensitive personal information does not get into the wrong hands," said Jessica Rich, assistant director of the FTC's Division of Financial Practices. "Security is fundamental to meaningful privacy protection and the Rule emphasizes reasonable procedures to assure security that is appropriate to the circumstances."
To comply with the Safeguards Rule, financial institutions must develop a written information security plan that describes their program for protecting customer information. According to the FTC, there are three areas that present special challenges and risks to the security of customer data: 1) employee training and management; 2) information systems, including network and security design and information processing, storage, transmission and retrieval and disposal; and 3) the prevention, detection and response to attacks, intrusions or other system failures.
According to Dr. Larry Ponemon, partner at Peppers and Rogers Group and founder of the Ponemon Institute, the Safeguards Rule is important for business because it provides specific guidance on what it means for companies to protect consumer data. Moreover, "It is a reasonable standard and a practical approach for businesses," he says.
The Safeguards Rule requires companies to:
- designate an employee or employees to coordinate the safeguards
- identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of current safeguards for controlling these risks
- design a safeguards program and detail the plans to monitor it
- select appropriate service providers and require them (by contract) to implement the safeguards
- evaluate the program and explain adjustments in light of changes to business arrangements or the results of security tests.
Since the rule was developed in May 2002, the FTC has been actively involved in creating awareness among businesses affected. "We believe the rule's approach to protecting customer data works because it takes into account differences that exist in the many companies that must adhere to the rule," said Rich. "Different standards may be appropriate for different types of companies and different types of information."
For example, a firm with a small staff may design and implement a more limited employee training program than a firm with a large number of employees. And a financial institution that doesn't receive or store any information online may take fewer steps to assess risks to its computers than a firm that routinely conducts business online. "Furthermore, compliance is not dependent on any particular technology. A company can use the technology that works best for its own organization," Rich noted.
As part of its outreach to the business community, the FTC has published guidelines for compliance on its Web site. The Commission is also meeting with trade groups to help them prepare their members for compliance. To determine if your organization is considered a financial institution by the rule's definition, the FTC suggests you review section 313.3(k) of the commission's privacy rule.
To read more articles like this one, visit Peppers and Rogers Group's Web site at www.1to1.com.
All materials copyright 2003 Peppers and Rogers Group - 1:1 Marketing.