Greetings and welcome back! In this week’s blog we look at the Gramm-Leach-Bliley requirements for data rack security. The Gramm-Leach-Bliley Act (GLBA) sets privacy and security requirements for financial institutions and for the nonpublic personal information they hold about their customers. The Act is broad-based: it covers everything from student loans, auto loans and home mortgages to insurance and brokerage records. In short, just about everyone from college age and above has at least one set of data stored somewhere that is covered by GLBA.
Who are the companies that are specifically covered by GLBA? These include the following:
- Insurance companies, brokers and their agents
- Colleges and universities, student loan providers and brokers
- Mortgage providers, brokers and title insurance companies
- Stock brokers, financial advisors and banks
Because GLBA covers such a large group of organizations, many of them may not be fully aware of the specific security requirements it imposes on them. The Safeguards Rule calls for administrative, technical and physical safeguards; in the terms we will use in this series, the protections required by GLBA include:
- Physical Security of the room and data rack(s) in which data is stored
- Cybersecurity for all networked devices (regardless of type) that are on the data network
- Operational Security for all servers and supporting power and environmental systems
Under the GLBA Safeguards Rule, the specific security expectations for federally supervised financial institutions (banks, thrifts and credit unions) are set out in the Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook. This is literally “The Book” that a bank examiner uses to judge whether customer records are being protected in accordance with GLBA, and it is published in full online at https://ithandbook.ffiec.gov. Institutions outside the banking regulators’ jurisdiction, such as colleges, auto dealers and non-bank mortgage lenders, are instead subject to the FTC’s Safeguards Rule (16 CFR Part 314), which states the same obligations in more general terms; the Handbook remains the most detailed public statement of what those obligations look like in practice. Over the next few weeks we will be looking at the specifics of what we will simply refer to as the Handbook. As we will see, it provides very specific requirements and leaves little to the imagination in the three areas of security listed above.
Because the Handbook is so specific, courts and regulators do not look kindly on the excuse of “I didn’t know about that requirement”. It’s a classic case of the judge saying: “Ignorance of the law is no excuse.” Just as the HIPAA regulations are now very clear and their penalties very harsh, the penalties under GLBA are also severe. Here is the commonly cited summary of the penalties for a GLBA violation:
- The organization can be fined up to $100,000 for each violation.
- Officers and directors of the financial institution can be fined up to $10,000 for each violation.
- Criminal penalties include imprisonment for up to 5 years IN ADDITION to the fine.
- Fines and penalties can be DOUBLED if it is shown that another law was also violated in the process.
Note that the imprisonment and doubling provisions come from GLBA’s pretexting sections (15 U.S.C. § 6823), which criminalize obtaining customer information under false pretenses; the doubling (and a maximum of 10 years) applies when the offense is committed while violating another federal law or as part of a pattern of illegal activity. Safeguards Rule failures by the institution itself are pursued civilly: by the banking regulators for supervised institutions, and by the FTC, typically through consent orders, for everyone else.
In sum, the Gramm-Leach-Bliley Act was put in place to protect individuals’ private financial information. Significant fines have been levied because of data breaches, and further actions are likely. In addition, the requirements keep expanding: the FTC Safeguards Rule already requires a written information security program, and regulators have proposed amendments that would add further specifics such as a written plan for responding to a data breach.
We want our readers to know that GLBA means business, and we at AlphaGuardian mean business as well. We are the only company that provides full physical, cyber and operational security solutions for GLBA. The unique blend of financial and IT backgrounds among the principals of the company allows us to address your needs as no other company can. Think about this and, if you would like a confidential discussion on how you can better protect the data that has been entrusted to you, please feel free to give us a call.
Until Next Time,