September 2002

Protecting Privacy: The Gramm-Leach-Bliley Act Takes Effect

By Rick Carey

Improper, unsecured disposal of confidential information can lead to fraud, identity theft, or a compromising situation. It is legal for anyone—including government agents—to go through trash to obtain information and use it.

Proper disposal has long been mandated for certain types of documents: personnel files, records of employee assistance programs (including treatment for mental health and substance abuse problems), and medical and credit files. Breach of confidentiality through improper disclosure opens up the originator to legal suits.

On July 1, 2001, the Gramm-Leach-Bliley Act (GLB) went into effect, lifting several long-standing restrictions on the activities of banks and financial holding companies, many dating back to the 1930s. While this new legislation provides opportunity for financial companies to expand their offerings, it also imposes significant requirements on entities affected by the rules. A key provision of the law is that institutions must diligently protect their customers’ privacy.

Agencies responsible for enforcing the new rules, including the Federal Reserve Board, the Office of the Comptroller of the Currency, the FDIC, the Office of Thrift Supervision, the SEC, the National Credit Union Administration, and the FTC, have developed a privacy and security standard. Several of these agencies are adding the GLB requirements to the list of items that determine a financial institution’s essential and basic “soundness” to do business. Liability for violations of privacy rests squarely on the shoulders of these businesses.

GLB outlines the standards businesses must follow to safeguard customer information. The first step is to implement a comprehensive, written information security program. This program should be tailored to include safeguards appropriate to a business’ size and the type of information it handles. An institution is not required to have an information security officer, but some individual must be designated to oversee security and have staff appropriate to the risk to the business’ customers. Lines of authority and responsibility for developing and implementing the program must be well defined.

Each business is responsible for assessing, managing, and controlling the risk to its customers. Factors to consider are access control, physical security at locations where information is stored, and encryption of electronic information. A change management process for customer information system modifications is essential as well. Duties should be segregated, and all employees with access to customer information should receive background checks. Monitoring systems must be in place to detect intrusions on customer information systems, and an incident response program should be ready to deal with any situation. A business must also protect against the destruction of customer information due to physical hazards or technical failures. The final step is the secure and proper disposal of information.

The legislation requires all employees to attend security awareness training, with a special emphasis on training employees about what they need to do to protect customer information. Businesses are also required to regularly test their information security procedures and controls. An outside professional or qualified employee should do this testing. It is also essential for all businesses to stay ahead of changes in technology and new threats by consistently monitoring, evaluating, and adjusting the information security program.

The mandates are also particularly demanding when vendors have access to nonpublic information about a company’s customers. A company must determine that a vendor has adequate controls to ensure the security and privacy of customer records and information. Businesses should contract with service providers to implement and maintain appropriate measures designed to meet the GLB guidelines. Due diligence examinations are a critical part of ensuring that vendors perform as expected.

Companies are increasingly using the services of professional security-shredding firms, which have several advantages over in-house shredding, archive storage, or recycling: a high level of security; no investment in shredding machines; access to specialized equipment for shredding tapes, film, and other media; no space needed for a shredding operation; and generally a lower cost than in-house solutions.

Although on-site services may appear to offer a higher level of security than off-site services, neither is absolute. The records manager needs to oversee both types on a regular basis.


Rick Carey is president of Datasafe Information Services, a full-service information security firm that assists businesses in complying with the requirements of the Gramm-Leach-Bliley Act and other mandates, based in West Bridgewater, Mass. He can be reached at rick@destruction.com.


©2006 The CPA Journal.