The Gramm-Leach-Bliley Act of 1999 (also known as the Gramm-Leach-Bliley Financial Services Modernization Act, or “GLBA”) was designed to open up competition in the financial services industry. Its privacy and security provisions apply to all “financial institutions”, a term the Act defines broadly. That covers obvious groups such as insurance agencies, tax preparers and financial advisors, as well as less obvious ones such as universities and other educational establishments, which handle financial information relating to student loans.
The Safeguards Rule, issued by the Federal Trade Commission in 2002, establishes standards for the protection of customer information and requires every covered financial institution to develop a written information security program that includes:
- assigning at least one employee to manage the program,
- conducting risk assessments, and
- developing, implementing and monitoring a program to secure the information.
In the preamble to the Safeguards Rule, the Federal Trade Commission (FTC) identified employee management and training as one of the three areas that the Commission believes are particularly relevant to information security (the other two being information systems, and detecting, preventing and responding to attacks, intrusions or other system failures).
In April 2006, the FTC published guidance for organizations implementing measures to meet the Safeguards Rule (“Financial Institutions and Customer Information: Complying with the Safeguards Rule”). The employee-related security measures it suggests include:
- Ask every new employee to sign an agreement to follow your organization’s confidentiality and security standards for handling customer information.
- Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
  - locking rooms and file cabinets where paper records are kept;
  - using password-activated screensavers;
  - using strong passwords (at least eight characters long);
  - changing passwords periodically, and not posting passwords near employees’ computers;
  - encrypting sensitive customer information when it is transmitted electronically over networks or stored online;
  - referring calls or other requests for customer information to designated individuals who have had safeguards training; and
  - recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.
- Instruct and regularly remind all employees of your organization’s policy – and the legal requirement – to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored – in file rooms, for example.
Note that the password advice above reflects 2006 practice. The Safeguards Rule was substantially amended in 2021 (most of the new requirements took effect in June 2023) and now mandates, among other things, multi-factor authentication for anyone accessing information systems that hold customer information and encryption of customer information both in transit over external networks and at rest, so a current training program should go beyond this list.