Gramm-Leach-Bliley Act

From The Secure Arc Wiki

Jump to: navigation, search

Information in italics below is referenced from wikipedia, reproduced in accordance with the GNU Free Documentation License.

The Gramm-Leach-Bliley Act, is an Act of the United States Congress which repealed the Glass-Steagall Act in November 1999, opening up competition among banks, securities companies and insurance companies. Each requirement of the law relating to Information Security is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.


Legal Outline

Sections relevant to Information Security are as follows; (The following information is referenced from [Cornell Law School], as content in the public domain.)

  • Act 15
    • Chapter 94 (Privacy)
      • Subchapter I — Disclosure of Nonpublic Personal Information
        • Financial Privacy Rule - The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.
        • Safeguards Rule - The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule also applies to information of those no longer consumers of the financial institution.) This plan must include: Denoting at least one employee to manage the safeguards, Constructing a thorough [risk management] on each department handling the nonpublic information, Develop, monitor, and test a program to secure the information, and Change the safeguards as needed with the changes in how information is collected, stored, and used. This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
      • Subchapter II — Fraudulent Access to Financial Information
        • Pretexting Protection - Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). The GLBA has provisions that require the financial institution to take all precautions necessary to protect and defend the consumer and associated nonpublic information. Pretexting is illegal and punishable by law beyond any recognition by the GLBA.
    • Chapter 100 (Cyber Security Research and Development)

Requirements Outline

Companies listed on a stock exchange in the US must comply with the Gramm-Leach-Bliley Act. The degree of compliance usually requires an analysis phase, initiated by a company in conjunction with its Risk Management competency group.

Information Assets

Information assets relevant to the Gramm-Leach-Bliley Act should be identified. This will map directly into the Regulatory Requirements portion of the Information Asset Classification.


This legal publication is freely available on the internet. link


Personal tools