
Privacy II: Gramm-Leach-Bliley Strikes Again

The latest of the requirements set forth in the GLB Act on Privacy has been issued. Called the Safeguards Rule, it has an effective date of May 23, 2003. By then, according to the final rule, each financial institution in the United States must have, in writing, a security plan that describes its program to protect customer information.

We'll have plenty of company in complying with this mandate. Under the Safeguards Rule, a financial institution is described as "individuals or organizations that are significantly engaged in providing financial products or service to consumers, including check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and retailers that issue credit cards to consumers."

In addition to the written plan, there must be a designated employee to coordinate the information security program. Just as the security officer and the compliance officer jobs have grown in the past months, the privacy officer also just got additional duties. Among them is to perform an internal and external risk evaluation, identifying areas where customer information could be disclosed, misused, altered, destroyed, or compromised.

Under the external investigation and evaluation, the officer must be satisfied that contractors or service providers are also capable of protecting customer information. A contract requiring such protection will be needed.

It will also be necessary in the written plan to describe how continuous oversight and adjustments will be maintained in light of changes to business arrangements or the results of security tests.

Copyright © 2002 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 5, 6/02

First published on 06/01/2002
