Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999) is a comprehensive federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information. The GLBA is composed of several parts, including the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314). The Safeguards Rule is aimed at ensuring the safeguarding and confidentiality of customer information held by covered “financial institutions,” and requires all covered financial institutions to have had in place by May 23, 2003, a written information security program designed to:
Financial institutions are defined by GLBA as companies that offer financial products or services to individuals, such as loans, financial or investment advice, or insurance. The Federal Trade Commission (FTC) has jurisdiction over financial institutions such as those listed below, which must comply with GLBA:
Breach Notification Laws – Currently 46 states require that a customer be notified if a company suspects that their Personally Identifiable Information (PII) has been compromised.
Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. At the core of the PCI DSS is a group of principles and accompanying requirements, organized around the following goals:
| Goals | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network and Systems | |
| Protect Cardholder Data | |
| Maintain a Vulnerability Management Program | |
| Implement Strong Access Control Measures | |
| Regularly Monitor and Test Networks | |
| Maintain an Information Security Policy | |
References
Gramm-Leach-Bliley Safeguards Rule - http://www.ftc.gov/os/2002/05/67fr36585.pdf
Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act of 2002) - http://www.soxlaw.com/
Payment Card Industry Data Security Standard (PCI DSS) - https://www.pcisecuritystandards.org/security_standards/index.php
ISO 27001 & 27002 (IT security best practice standards)
Breach notification laws in 46 states (must notify affected individuals when a breach occurs)