GLBA and the Finance Industry
ArticSoft PGP compatible products help you comply with the Gramm-Leach-Bliley Act (GLBA):
- Complete client confidentiality
- Removes potential liability for disclosure
- Certainty information came from your firm
- Compliance with current privacy legislation
- Prevents viruses and hacking attacks
- Proof of source of documents
GLBA (Gramm-Leach-Bliley Act 2001) is one of the critical pieces of legislation from the USA, which, in its introductory words, addresses "enhanced protection of non-public personal information, including health information, and for other purposes". Its other name is the "Financial Institution Privacy Protection Act of 2001". As this name implies, it is focused on the finance industry.
It is critical in that it has created duties to provide adequate security, and rights for the consumer, whilst their non-public personal data is being shared by financial institutions.
The duty to provide adequate security is interesting because it does not mandate specific actions. Rather, it looks to principles of behavior. It may not specifically state that non-financial institutions must obey the same rules, but it does indicate that businesses receiving such data must be subject to similar standards of behavior.
Protecting customer personal information is now a critical activity that the finance community has to achieve with some urgency if it is to avoid being accused of governance failures, as so many other organizations have so recently.
European legislation has often focused upon principles to be obeyed rather than specific actions to take. US legislation, by comparison, has often been more specific in terms of the method for compliance. GLBA, however, follows the principles-based approach: it does not say that passwords must be a specific length or that you must encrypt with a specific key length.
This kind of approach, saying what has to be achieved without saying how, seems to cause problems for compliance because judgment has to be used, and, of course, judgment may not always be right. (Actually it is difficult to sympathize with the naysayers; after all, management is all about judgment.) But management is not about piecemeal security activities. It is about a consistent and coherent approach that can be shown to be effective and to achieve results.
Of course there are always two sides to the coin. Whilst the GLB Act allows different financial institutions to share personal (non-public) information between themselves, it implies the need to protect that personal information when it is collected. It also covers that data whenever it is being transferred, not merely when it is going between back-end computer systems.
What security approaches can you use?
Here the Europeans have taken the lead in how to comply with regulation that does not impose specific standards. They use something called 'best practice', which has some synergy with the US concept of 'best of breed', although it is not identical.
Many global organizations are familiar with the international management standards ISO/IEC 9000 / 14000. These are best practice (quality) standards with which all global businesses are familiar. Other best practice standards include ISO/IEC 17799, which addresses how to achieve best practice for information security.
Having such standards available and implemented is very good in that they give management justification for specific decisions and actions. That is essential where litigation in the event of a failure is a significant possibility. But such standards do not spell out which products to buy or how to operate them in order to deliver the results the standard (or the legislation) requires.
Dealing with the customer - not just the business partner
Financial institutions are usually able to find secure ways of talking to each other and exchanging information. Banks and share dealing institutions have made substantial implementations to make sure that money cannot go missing. However, they may not have put quite the same effort into identifying, and therefore protecting, personal information, because it was previously an internal matter rather than an external one.
Few of these institutions have done anything beyond providing SSL sessions when collecting customer personal data. This is despite the fact that financial institutions have been widely reported as having lost large sums as a result of spoofing and other attacks. Financial institutions have also been in the press for implementing systems that allowed customers to see each other's personal information. Much has been made by those institutions of Identrus and PKI security technology, but those are focused on businesses, which is not the same thing as personal information.
Customers could be provided with a product for dealing with each institution, but that would lead to a confusion of products, standards and methods of operation. In theory it could all be done using the security in Outlook Express. However, with each day exposing new failures in browsers, e-mail packages and even the mighty PGP, the customer is unlikely to be persuaded that all is well. Also, the security in those products is simply too difficult to use.
Helping with compliance
ArticSoft PGP compatible products can ensure that you meet the requirements of the GLB Act easily and cost effectively when exchanging or storing files. Our low cost, simple to use PGP security software ensures that you can store and send personal information securely without the need for passwords (either for web information or files). Ease of use, something critical to success when dealing with customers, is built into the products. The adoption of an independent product ensures that customers can continue to use their own e-mail and browser systems without creating any compatibility problems.
More than that, ArticSoft PGP compatible products are not exposed to the possibility of being weakened by integration into specific products such as word processors or e-mail packages. As a result, their security cannot be compromised by weaknesses in those products.