FINANCIAL SERVICES COMPLIANCE
GRAMM-LEACH-BLILEY ACT (GLBA)
GLBA requires financial institutions doing business in the U.S. to establish appropriate standards for protecting the security and confidentiality of customers’ non-public personal information.
GLBA REQUIRES ORGANIZATIONS TO:
- Ensure the security and confidentiality of customer records and information
- Protect against anticipated threats or hazards to the security or integrity of such records
- Protect against unauthorized access to information which could result in substantial harm or inconvenience to any customer
The Federal Financial Institutions Examination Council (FFIEC) states the following: “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.” Financial institutions that do not deploy encryption may be called upon by the FFIEC to prove that they considered deploying encryption and to justify why they decided against it.
DATA FIELDS THAT REQUIRE PROTECTION
GLBA requires or recommends protecting the following fields:
- Customer names
- Social Security numbers
- Email addresses
- Account numbers
- Login IDs, passwords, and answers to personal questions
- Customer locator numbers and IDs
If the fields above are encrypted, the following fields do not require protection, because the remaining data is considered anonymized:
- Dollar amounts
- Transaction dates
- Call center data such as duration of calls, date or time of call
- Bank or associated branch
- Officer codes
- Categorizations such as industry, SEC code, issue type, etc.