“Safeguarding information is not a product, but a process.” – Thomas J. Smedinghoff
The GLBA’s Safeguards Rule requires financial institutions to conduct a thorough risk assessment of their security measures and to design a comprehensive information security program to protect nonpublic personal information. Specifically, the Safeguards Rule requires financial institutions to “develop, implement, and maintain a comprehensive information security program that is written… and contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The statutory objectives of the Safeguards Rule are to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
An Information Security Program Must be Appropriate.
The Safeguards Rule requires an institution to develop, implement, and maintain a comprehensive information security program that is written, contains administrative, technical, and physical safeguards, is “appropriate” to the institution’s size and complexity as well as the nature and scope of its activities, and is appropriate to the sensitivity of the customer information at issue. Therefore, an institution may exercise some latitude in developing its security program. While some critics may view this subjective standard as unenforceable, the FTC places a high level of responsibility upon financial institutions to keep up with the latest technology and the constant bombardment by potential identity thieves.
A Thorough Risk Assessment is Required.
The FTC requires companies to conduct a thorough risk assessment and address such risks to customer information in all areas of their operation, including administrative, technical, and physical safeguards. As part of the risk assessment, the Safeguards Rule requires an institution to:
- Designate someone to coordinate the information security program;
- Perform a thorough risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
Reactions to the Safeguards Rule were mixed. Many companies carefully considered the costs of compliance compared to the costs of non-compliance. In fact, John Eubank, president of Nationwide Mortgage Group, evaluated whether to close his company because it would cost him $70,000 to comply with the Safeguards Rule and approximately $250,000 to fight the FTC if he elected not to comply. The $250,000 did not include potential fines.
Another important factor for institutions to consider is the potential discoverability of risk assessments. If internal employees prepare the risk assessments, those assessments could be admitted as evidence if they are relevant in court proceedings. For example, if a technical professional prepared a risk assessment indicating that the company should replace its firewall, and a security breach or data breach resulted from that firewall before it could be replaced, the risk assessment may be a damaging piece of evidence. To avoid potential discovery issues, companies should determine whether they could have their risk assessments covered by the attorney-client or attorney work-product privileges. The rules regarding these privileges are state specific and should be examined carefully with experienced counsel.
Employee Training and Management.
The cost of compliance is related to employee training and management. A financial institution’s risk assessment should:
- Check employee references and perform background checks;
- Require employees to sign a confidentiality agreement;
- Limit employee access to sensitive customer information;
- Use password-activated screen savers to lock employee computers;
- Encrypt customer files on laptops and other computers in case of theft;
- Impose disciplinary measures for security policy violations;
- Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names.
The FTC noted in one of its publications that “the success of your information security plan depends largely upon the employees who implement it.”
Information Systems.
Second, the Safeguards Rule requires a financial institution to assess its information systems, including network and software design, as well as information processing, storage, transmission, and disposal. A financial institution’s written information security plan should include both technology concerns and the physical storage and destruction of nonpublic personal information. For example:
- Know where sensitive customer information is stored and store it securely;
- Ensure that the computer or server is accessible only by using a “strong” password and is kept in a physically secure area;
- Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area;
- Take affirmative steps to secure transmission of customer information;
- Encrypt customer data if it is necessary for you to transmit such information by email or Internet;
- If you collect information online directly from customers, secure the data transmission automatically;
- Dispose of customer information consistent with the FTC’s Disposal Rule;
- Monitor the websites of software vendors and relevant industry publications for news about emerging threats and available defenses;
- Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information;
- Take affirmative steps to preserve the security, confidentiality, and integrity of customer information and consider notifying consumers, law enforcement, and credit bureaus in the event of a security breach or data breach;
- Oversee service providers by ensuring that they are able to take appropriate security precautions and in fact do so;
- Update the security program as necessary in response to frequent monitoring and material changes in the business.
Plan for System Attacks.
Third, the Safeguards Rule requires a financial institution to detect, prevent, and respond to attacks, intrusions, or other system failures. A financial institution must remain constantly vigilant, and employ the latest security measures and technology in order to adequately protect its network. The FTC Guidance report suggests that financial institutions:
- Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information;
Implementing and Maintaining the Information Security Program.
Finally, the Safeguards Rule requires a financial institution to design and implement information safeguards to control the risks identified and to regularly test and monitor the effectiveness of the information security program’s key controls, systems, and procedures. This duty also includes overseeing third-party service providers by taking reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards and requiring the service providers to contractually agree to implement and maintain such controls. The Safeguards Rule requires a financial institution to evaluate and adjust its information security program in response to its system test results or in response to any changes in its operations or business circumstances.
As Congress attempts to keep pace with the information age and balance the needs of commerce with those of individual protection, the Gramm-Leach-Bliley Act continues to evolve. Financial institutions must be aware of new Federal agency opinions as well as changing state laws. The Privacy and Safeguards Rules allow financial institutions to adopt policies and procedures that are appropriate for their specific needs and size, but the costs of compliance are often great. The costs of non-compliance can be even greater. As technology advances, so does the level of appropriateness a financial institution is required to maintain. Protecting the privacy of consumer information is not only good for business, it’s a legal duty.