FINANCIAL SERVICES COMPLIANCE

GRAMM-LEACH-BLILEY ACT (GLBA)

GLBA requires financial institutions doing business in the U.S. to establish appropriate standards for protecting the security and confidentiality of customers’ non-public personal information.

GLBA REQUIRES ORGANIZATIONS TO:

  • Ensure the security and confidentiality of customer records and information
  • Protect against anticipated threats or hazards to the security or integrity of such records
  • Protect against unauthorized access to information which could result in substantial harm or inconvenience to any customer

The Federal Financial Institutions Examination Council (FFIEC) states the following: “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.” Financial institutions that do not deploy encryption may be called upon by the FFIEC to prove that they considered deploying encryption and to justify why they decided against it.


DATA FIELDS THAT REQUIRE PROTECTION

GLBA requires, or recommends, protecting the following data fields:

  • Customer names
  • Addresses
  • Social Security numbers
  • Email addresses
  • Account numbers
  • Login IDs, passwords, and answers to personal questions
  • Customer locator numbers and IDs
  • Attachments

If the information above is encrypted, the following fields do not require protection, because on their own they are considered anonymized:

  • Dollar amounts
  • Transaction dates
  • Call center data such as duration of calls, date or time of call
  • Bank or associated branch
  • Officer codes
  • Categorizations such as industry, SEC code, issue type, etc.

BREACH NOTIFICATION REQUIREMENTS & EXEMPTIONS

GLBA requires public notification of breaches. However, the loss of adequately encrypted data is not generally considered a breach and is exempt from the notification requirements.