What is GLBA compliance?
Feb 1st, 2016 by aperio

(Part 7 in our series on IT Compliance Concerns.)
In the earlier posts in our compliance series, we covered SOX, HIPAA, and PCI DSS compliance. Here, we will examine what GLBA compliance is and how it might affect you and your company.

GLBA stands for Gramm-Leach-Bliley Act. This act is also referred to as the Financial Services Modernization Act. The GLBA primarily repealed parts of the Glass-Steagall Act by removing prohibitions against banking, insurance, and securities companies that prevented them from acting as combinations of investment banks, commercial banks, and insurance companies. The GLBA also regulates how financial institutions handle the private information of individuals.

The three sections of the GLBA that cover privacy issues are the financial privacy rule, the safeguards rule, and the pretexting provisions. The financial privacy rule deals with the collection and disclosure of private financial information. The safeguards rule requires financial institutions to implement security provisions to protect private financial information. The pretexting provisions prohibit accessing such information under false pretenses. The GLBA additionally requires financial institutions to provide their customers with privacy notices explaining the information sharing practices of the institution (although this requirement may be modified with recent legislation at the end of 2015).

Which companies are affected by GLBA compliance?
Financial institutions are the companies primarily affected. For example, a retail company would not need to be concerned about complying with GLBA rules, even though they might still have other obligations to protect their customers’ information. According to the University of Cincinnati’s Office of Information Security:

“GLBA covers businesses such as banks, appraisal companies, mortgage brokers, securities firms, insurance companies, credit card issuers, income tax preparers, debt collectors, real estate settlement firms, and other companies that may have self-financing plans… GLBA indicates that any business ‘significantly engaged’ in financial activities is subject to GLBA.”

In addition, companies affected by GLBA rules may require their service providers to follow them as well.

What are the penalties for failing to comply with GLBA?
There are severe civil and criminal penalties for noncompliance. These can include both fines and imprisonment. And it is not just the companies that can be penalized. Officers and directors can also face these penalties.

A financial institution violating GLBA rules may face:

●    Civil penalties of not more than $100,000 per violation.
●    Officers and directors of such a financial institution will be subject to, and personally liable for, a civil penalty of not more than $100,000 per violation.
●    Such an institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both.

What does a business need to do to comply with GLBA?
Remember that compliance cannot be handled by your IT department alone. GLBA requires executive management to participate in responsibility for compliance.

Your company will need to keep your information security policies up-to-date, devote resources to continually identify potential risks, follow GLBA provisions for the release of both public and private information, be aware of whether it is necessary to provide annual privacy notifications, monitor the actions of third-party service providers, encrypt data, keep careful track of when it is time to destroy data, and possibly hire a lawyer or consultant to help with complexities.

Coming soon: Part 8 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About GLBA Compliance?”

To learn more about GLBA and related issues:

●    Gramm-Leach-Bliley Act definition.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: What Does Your IT Team Need to Know About SOX Compliance?
●    Part 3: What Does HIPAA Mean?
●    Part 4: What Does Your IT Team Need to Know About HIPAA Compliance?
●    Part 5: Is Your Company PCI Compliant?
●    Part 6: What Does Your IT Team Need to Know About PCI DSS Compliance?

If you want to know more about what GLBA stands for and what it requires, feel free to contact us. We will assist you.

Next Gen Information Protection Comes to Office 365
Jun 17th, 2015 by aperio

As many of us are now used to working from anywhere on our preferred device, information protection controls need to evolve to protect data at the individual, file, and service levels. The shift to mobility and personally owned devices also means that the threat landscape is shifting, with more individually targeted attacks that work across platforms. On this show, we take an early look at new controls for compliance, security, and organizational search with next-generation information protection tools.

This week, Rudra Mitra, engineering lead for the Office 365 information protection team, looks at the core themes driving information protection investments and gives us an early look at what’s coming. Rudra describes the approach his teams are taking as they build new controls to be pervasive, transparent, and people-centric.

Rudra highlights the new tools for Data Loss Prevention (DLP) coming to OneDrive for Business and SharePoint Online, as well as Advanced Threat Protection (ATP) in Exchange Online, to show how they’ve evolved to provide pervasive, platform-agnostic protection. These tools also provide new audit capabilities, such as URL traces when people follow embedded hyperlinks in email and records of actions taken against centrally stored files, plus new APIs for querying activity, all in the name of transparency. Transparency extends to organizational search with new eDiscovery analysis capabilities coming in Equivio Zoom.

The controls cannot exist in isolation from users, and core to Office 365 is the inclusion of people in the compliance solution. DLP policy tips are presented to users within email and file sharing experiences, and are even coming to Office desktop apps. User education on policy, along with options to help people work securely on the devices and apps of their choice, is all part of being people-centric.

On the show, Rudra demonstrates all of this and more to give an early look at what’s coming in information protection, including how we think about integration with other cloud services. He also provides insights into things to come. Watch the show to learn more, and see you next week!
