How to Comply with the Privacy of Consumer Financial Information Rule
The Gramm-Leach-Bliley Act is a federal act that requires financial institutions who offer financial products or services (like loans) as well as insurance or financial and investment advice to explain their information-gathering and sharing practices to customers. The goal is to protect sensitive information and consumer safety.
The Act has been expanded and clarified in some areas to note how it works with other federal regulations, such as the FTC’s privacy rules for auto dealers that extend credit or work with customers on financing and leasing, including financial advice.
Like the rest of the Gramm-Leach-Bliley Act, this effort is designed to tell customers what data is collected, who it is shared with, and how this data is protected.
This page will look at some overall points in the Gramm-Leach-Bliley Act as well as how Securis can help you ensure that you’re properly protecting consumer data during data migration and moving to new assets, as well as the disposal of old assets.
General Gramm-Leach-Bliley Act Information
Under the Gramm-Leach-Bliley Act’s Safeguards Rule, financial institutions must protect the consumer data they collect. Read on to see if your business is a “financial institution” under the Rule and, if so, the steps you need to take to comply with the Act.
Who needs to comply
Under the Act, a financial institution includes a wide range of businesses – many of which would not consider themselves a financial institution.
So, to know if you must comply, consider this: the rule applies to all businesses of any size which are “significantly engaged” in providing financial products or services. There are no restrictions on financial products or services so covered groups include traditional lenders and brokers as well as payday lenders, non-bank lenders, real estate and personal property appraisers, professional tax preparers, and even courier services.
The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.
If you fall into these categories, you must follow the Act.
If you work with these kinds of businesses, reach out to them because they must provide you with guidance to ensure that you are properly safeguarding customer information on your digital systems.
How do you comply
The Gramm-Leach-Bliley Act’s Safeguards Rule requires compliance with written information on security plans and customer data protection, with guidance on how to create such a complex plan based on your size, here: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
As part of your plan, you must:
- design and implement a safeguards program plus regularly monitor and test it;
- designate one or more employees to coordinate your information security program;
- evaluate and adjust the program considering relevant circumstances and current business practices, including changes in your business or operations, plus results of security testing and monitoring.
- identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
While the requirements are flexible, you will need to provide significant coverage that the FTC will use to review your capabilities, customer needs, and current circumstances.
What does the Act recommend?
The Act provides a variety of recommendations and requirements. We’ve collected just a few of the highlights here:
- Checking references or doing background checks before hiring employees who will have access to customer information.
- Asking every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
- Limiting access to customer information to employees who have a business reason to see it.
- Controlling access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis.
- Using password-activated screensaver to lock employee computers after a period of inactivity.
- Developing policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
- Training employees to take basic steps to maintain the security, confidentiality, and integrity of customer information.
- Regularly reminding all employees of your company’s policy — and the legal requirement — to keep customer information secure and confidential.
- Developing policies for employees who telecommute.
- Imposing disciplinary measures for security policy violations.
- Preventing terminated employees from accessing customer information by deactivating their passwords and username.
- Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access.
- Take steps to ensure the secure transmission of customer information.
- Monitoring the websites of your software vendors and reading relevant industry publications for news about emerging threats and available defenses.
- Maintaining up-to-date and appropriate programs and controls to prevent unauthorized access to customer information.
What if a breach happens?
Taking steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:
- Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet and deliver it to a forensic analysis scene.
- Preserve and review files or programs that may reveal how the breach occurred.
- If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
Also, you should consider notifying consumers, law enforcement, and business partners in the event of a security breach.
What about old data and equipment?
You must dispose of customer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule.
For your old equipment, this means certifying that it has been properly destroyed. Monitoring the data destruction and ensuring that no partner had the ability to review or record the customer data.
Securis provides thorough shredding and destruction of these devices because it is a simple and effective way to prevent information from getting into the wrong hands. For financial service providers, this means safe and secure disposal that also helps you comply with today’s regulations.
Special: FTC’s Privacy Rule and Auto Dealers
Here’s a quick look at some of the special carve-outs for auto dealers that the FTC has covered in a special update and FAQ. You can see the entire clarification here: https://www.ftc.gov/system/files/documents/plain-language/bus64-ftcs-privacy-rule-and-auto-dealers-faqs.pdf
Does the Privacy Rule cover you?
For car dealers, there are 3 aspects you need to consider in which you might be covered by the privacy rule:
- If you extend credit to someone in connection with any purchase of a car — for personal, family, or other household use.
- Arrange for someone to finance or lease a car for personal, family, or household use; or
- Provide financial advice or counseling to individuals.
Where do privacy statements need to be given or shown?
The main area where privacy notices and information need to be provided is anywhere where a person provides their personal information in connection with any potential transaction. Even if they aren’t completing an application, but are giving you something like a driver’s license, you have an obligation to tell them how the information is going to be used.
So, you don’t need information posted in your showroom but you do need a policy statement that is given to people whenever they hand over personal information that you use. Showing them this policy is best following any action where you take information from them — even if you don’t use it right away.
You’ll also need to let people know that when they purchase a vehicle, you’re required by law to report certain information of the sale for recall purposes. If they choose to opt-out, you need to provide them with the means and relevant notices.
What happens to the old equipment I used for this process?
Congrats on upgrading your business! But, what does it mean for the old places that stored data, from PCs and servers to laptops and even your company printer?
You need to provide a clear path to the destruction of that equipment, or at least its storage mechanisms. To protect your business, the Act notes that you need to be able to show customers where their data was stored and used.
If you change storage, it is best to have proof of data destruction. Securis can offer you such protection, by not only destroying your data but also providing a clear path of destruction and assurance that no one is being given customer data simply by purchasing old equipment.
It’s an added layer of protection that your business will need.