Private Eye For Financial

Tamper-proof privacy filters in financial environments

Client data is stored on secure servers and files are password protected, but is confidential financial information protected on the computer monitor? Whenever a customer's personal information is displayed, it should be protected from prying eyes. The need for visual privacy has increased the need for physical safeguards that keep customers' financial data secure.

Privacy Laws Impacting Financial Institutions:


Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999) is a comprehensive, federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information. The GLBA is composed of several parts including the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314). The Safeguards Rule is aimed at ensuring the safeguarding and confidentiality of customer information held in the possession of covered “financial institutions,” and requires all covered financial institutions to have had in place by May 23, 2003, a written information security program designed to:

  • Ensure the security and confidentiality of customer records.
  • Protect against any anticipated threats or hazards to the security of such records.
  • Protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.

Financial institutions are defined by GLBA as companies that offer financial products or services to individuals, such as loans, financial or investment advice, or insurance. The Federal Trade Commission (FTC) has jurisdiction over financial institutions including the following, all of which must comply with GLBA:

  • Non-bank mortgage lenders
  • Real estate appraisers
  • Loan brokers
  • Some financial or investment advisors
  • Debt collectors
  • Tax return preparers
  • Banks
  • Real estate settlement service providers
  • Retailers that issue their own credit card
  • Auto dealers that lease and/or finance
  • Government entities that provide financial products such as student loans and mortgages

Breach Notification Laws: Currently 46 states require that a customer be notified if a company suspects that their Personally Identifiable Information (PII) has been compromised.

Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. At the core of the PCI DSS is a group of principles and accompanying requirements, organized around the following goals:

Goals and their PCI DSS requirements:

Build and Maintain a Secure Network and Systems
  • 1. Install and maintain a firewall configuration to protect cardholder data.
  • 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  • 3. Protect stored cardholder data.
  • 4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  • 5. Protect all systems against malware and regularly update anti-virus software or programs.
  • 6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  • 7. Restrict access to cardholder data by business need-to-know.
  • 8. Identify and authenticate access to system components.
  • 9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network resources and cardholder data.
  • 11. Regularly test security systems and processes.

Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information security for all personnel.


References

  • Gramm-Leach-Bliley Safeguards Rule - http://www.ftc.gov/os/2002/05/67fr36585.pdf
  • Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act of 2002) - http://www.soxlaw.com/
  • Payment Card Industry Data Security Standard (PCI DSS) - https://www.pcisecuritystandards.org/security_standards/index.php
  • ISO 27001 & 27002 (IT security best practice standards)
  • Breach notification laws in 46 states (must notify affected individuals when a breach occurs)