The Right to Privacy: Protecting Your Customers’ Information
By Raj Patel
Regulatory Compliance Universal Advisor, 2004 Issue No. 1
When consumers open an account, complete an on-line credit application, register to receive information, or purchase a product from your business, they are entrusting your business with their personal information. If that information is compromised, the consequences can be far-reaching: consumers may become victims of identity theft, and they may become less willing — or even unwilling — to continue to do business with you. Therefore, businesses collecting personal information from consumers must have a security plan in place to protect the confidentiality and integrity of that information. It’s crucial. It’s common sense. And it’s the law.
The Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), includes provisions to protect consumers’ personal financial information held by financial institutions (the term is defined below). There are three principal parts to the privacy requirements:
- The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions (such as auto dealers and higher educational institutions), who receive such information. The Financial Privacy Rule requires institutions to give their customers privacy notices that explain the institution’s information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Also, financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.
- The Safeguards Rule requires institutions to design, implement, and maintain safeguards to protect customer information. The organization is required to have a security plan to protect the confidentiality and integrity of personal consumer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to credit reporting agencies that receive customer information from other financial institutions.
- The Pretexting provisions of the GLBA protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”
The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to financial institutions, which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering, or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities. Such non-traditional “financial institutions” are regulated by the FTC.
How To Comply
The GLBA requires institutions to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each institution must:
- Designate one or more employees to coordinate the safeguards.
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program, and regularly monitor and test it.
- Select appropriate service providers, and contract with them to implement safeguards.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business arrangements or operations or the results of testing and monitoring safeguards.
These requirements are designed to be flexible. Each institution should implement safeguards appropriate to its own circumstances. For example, some institutions may choose to describe their safeguards programs in a single document, while others may dictate their plans in several different documents, such as one to cover information technology and another to describe the training program for employees. Similarly, a company may decide to designate a single employee to coordinate safeguards or may spread this responsibility among several employees who will work together. In addition, an organization with a small staff may design and implement a more limited employee training program than an organization with a large number of employees, and an institution that doesn’t receive or store any information online may take fewer steps to assess risks to its computers than a firm that routinely conducts business online.
Best Practices
When an organization implements safeguards, the Safeguards Rule requires it to consider all areas of its operation, including three areas that are particularly important to information security: employee management and training, information systems, and managing system failures. Firms should consider implementing the following practices in these areas:
In Conclusion
Regardless of the GLBA, becoming more diligent in protecting customer information is good practice. By safeguarding customer information, you’re likewise safeguarding something just as valuable and equally vulnerable — your organization’s reputation.