GLBA Compliance: It Can Make or Break a Career in Banking/Security

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to hold customers' personal information confidentially and securely, to protect it against any reasonably anticipated internal or external threats or hazards, and to guard against unauthorized access, so that the integrity of customer information is not compromised.
Too frequently, though, we hear of data breaches within banks and other financial institutions caused by inadequate training on GLBA, or by a lack of employee awareness of the risks that some of their actions can create. For example, employees will often mistakenly send confidential customer data, such as Social Security Numbers or other sensitive information, in an email without realizing that the data needs to be encrypted. In many instances, confidential data is buried in an email thread that is forwarded to others without being read thoroughly. There are also a variety of avenues through which confidential or sensitive information can be breached internally by employees, including:
GLBA Compliance: The Basics
So, what should a financial institution be doing, from both a regulatory and a reputational standpoint, to protect sensitive customer information, and how should it be educating and training its employees on GLBA compliance?
"Focusing on GLBA can be both a practice and a competitive advantage to an institution if they market and advertise correctly," says Nathan Johns, Executive with Crowe Chizek and Company LLC, and former Chief of Information Technology at the FDIC.
For an institution-wide and employee-level focus on GLBA compliance, a bank needs to ensure that responsibility for its information security guidelines and policies, and for the effectiveness of its security program, rests with the Board of Directors. The Board needs to drive and oversee appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to management and employees.
The steps a bank needs to take to ensure a sound GLBA compliance program include:
What is most critical in focusing on GLBA compliance is providing effective training to employees: focusing resources on empowering employees with the knowledge they need to stay in compliance, and giving them the bigger picture of building appropriate security controls and best practices, which will help them carry out their roles effectively within the institution. Training needs to address the importance of protecting customers' and employees' personally identifiable information, as well as the problems an institution could face if its data protection commitments are violated.
A proper training program should also cover social engineering, so that employees understand how human factors and relationships can be exploited through "social trust" to cause security breaches. Training every employee on privacy and security best practices is one of the most important and fruitful investments an institution can make. Taking a more proactive approach to compliance, by trying to anticipate likely changes in regulatory policy, will also go a long way toward ensuring GLBA compliance.