The Gramm-Leach-Bliley Act of 1999 (GLBA)

How to comply when disposing of computer equipment

What Is the Gramm-Leach-Bliley Act of 1999 (GLBA)?

The Gramm-Leach-Bliley Act of 1999 (GLBA) was a bi-partisan regulation under President Bill Clinton, passed by Congress on November 12, 1999. The GLBA was an attempt to update and modernize the financial industry. The GLBA is most well-known as the repeal of the Glass-Steagall Act of 1933, which stated that commercial banks were not allowed to offer financial services—like investments and insurance-related services—as part of normal operations.

Many businesses collect personal information from customers. This might include names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of personal information. As part of its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. Safeguarding customer information is the law and disregarding that law can have major consequences for you, your customers, and your business.

Enforcement

The FTC, the federal banking agencies, other federal regulatory authorities, and state insurance authorities enforce the GLB Act. Each agency has issued substantially similar rules implementing GLB’s privacy provisions. The states are responsible for issuing regulations and enforcing the law with respect to insurance providers. The FTC has jurisdiction over any financial institution or other person not regulated by other government agencies.
The FTC may bring enforcement actions for violations of the Privacy Rule. The FTC can bring actions to enforce the Privacy Rule in federal district court, where it may seek the full scope of injunctive and ancillary equitable relief. The FTC also has authority under Section 5 of the FTC Act to examine privacy policies and practices for deception and unfairness.

Who must comply with the Gramm-Leach-Bliley Act?

All “financial institutions”, of any size must comply with the GLBA. A “financial institution” may include businesses that are “significantly engaged” in providing financial products or services. While this refers to banks and investment houses, it also includes check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions. Financial institutions must maintain their own safeguards, but they are also responsible for taking steps to ensure that their vendors, affiliates, downstream partners, and service providers safeguard customer information in their care as well.

How to comply:

The Safeguards Rule requires companies to develop a written information security plan that outlines their customer information protection program. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. The customer information protection program has multiple section, but each company must:

• Designate one or more employees to coordinate its information security program;
• Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
• Design and implement a safeguards program, and regularly monitor and test it;
• Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
• Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

“…select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information…”

Securing customer information is critical to compliance with GLBA. This effort must be made in all areas of operation, including the appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices. Those devices must be secure while in use, but also after disposal.

As it pertains to the disposal of computer equipment Financial Institutions must:

• Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
• Dispose of customer information in a secure way
• Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.

GLBA data privacy compliance requires that any 3rd party service provider that comes in contact with your clients sensitive information must sign a “GLB Security Agreement” This agreement requires the vendor to provide the same level of data care and protection that your organization provides.

Over 25 Years of experience with more than 1000 clients

Back Thru The Future® specializes in providing secure onsite data destruction services to the financial industry in the Northeast business corridor. Our clients include some of the largest international banking enterprises as well as the Federal Reserve. In the State of NJ we service nearly 70% of the entire community banking industry. This specific experience, along with our unique credentials as a Federal EPA permitted universal waste destination facility electronic recycler and NAID AAA certified secure data destruction provider, meet with the OCC requirements for a qualified third party service provider.