How to Avoid Common GLBA Compliance Mistakes
The breadth of financial industry regulations has left some institutions struggling to keep up — and keep in compliance. The Gramm-Leach-Bliley Act, more commonly known as GLBA, includes a long list of requirements that banks and other organizations must follow. Since missteps here lead to hefty fines levied by regulators, take a few minutes to review common mistakes in complying with GLBA.
What Does GLBA Say?
GLBA mandates that financial institutions safeguard consumer data using a written security plan. These institutions must also notify consumers in writing of their information security practices, such as what personal information is kept and how it is stored. The Safeguards Rule of GLBA requires financial institutions to prevent the distribution and unauthorized use of this sensitive consumer data, including illegal access from, for instance, a data breach.
Staying in compliance with GLBA is complicated because it puts financial institutions in an ongoing battle with attackers who want to gain access to consumer data. In 2017, the IRS estimated that as many as five accounting firms per day suffered data breaches, placing sensitive consumer data at significant risk.
One all-too-common misstep is that financial firms do not adhere to GLBA at all, because they mistakenly believe that it does not apply to them. Accounting firms, in particular, may believe that GLBA only affects large banks or investment firms. In truth, GLBA does apply to accounting firms, including small firms and sole practices. Accountants who do not comply with GLBA not only risk the exposure of sensitive client data; they could also be held liable by the Federal Trade Commission.
Safeguards Rule Violations
The Safeguards Rule requires institutions to develop a written plan for safeguarding consumer information that is appropriate to the firm’s activities, size, complexity, and to the nature and sensitivity of the consumer data. The written plan should denote an individual to manage safeguards, change safeguards as needed to keep up with shifts in data management and retrieval, and show risk assessments for every department that handles sensitive data.
If your organization’s written plan is out of date and does not reflect the reality of your firm’s data usage, it could cost you. Needs change, and a financial institution may need to modernize its plan to remain in full compliance with GLBA.
Flawed Risk Assessment
Some institutions do not do a thorough risk assessment, which means the resulting plan cannot be complete. Common risk assessment flaws include failing to account for how data is processed, stored, or transmitted.
Best practice is for a risk assessment to focus on where the sensitive data is located and what controls are in place around it. Not every piece of consumer information is sensitive, so it’s important to drill down to what information must be safeguarded and what does not need protection. Narrowly defining where these risks lie lets regulators focus on the protection of that data, rather than assuming that sensitive data is everywhere.
Since many institutions rely on third-party vendors, vendor management is a top issue in GLBA compliance. While an organization cannot force a vendor to come into compliance with GLBA where gaps exist, it can add stipulations to the contract that protect its interests.
For instance, an organization can add a contract clause that lets it review the vendor’s compliance with GLBA. This gives the organization a way out of a bad contract, so it can choose a vendor that does comply with the regulations.
Not Protecting Copiers and Printers
Copiers and printers may store copies of sensitive data on their hard drives. This means anyone who gains access to your printer’s hard drive—whether the machine is in the office or out for repair—can read stored customer data. To stay in full compliance with GLBA, you must protect copier and printer hard drives.
Use overwriting or encryption to protect sensitive data that may be printed, faxed, or copied. Password-protect copiers and printers, if you haven’t already.
GLBA Plan Isolated From Corporate Culture
Some companies have plans in place that seem great on paper, but are just that—paper plans that were designed to please auditors, rather than protect consumers. If an examiner digs into such a plan, they may find that it does not adequately protect consumer data.
Rather than keep a plan that’s isolated from corporate culture and consumer data as managed at your financial institution, invest in a plan that protects your needs, your reputation, and your customers. Developing a proper GLBA plan will also protect your financial interests, since data breaches lead to loss of trust and reputation.
Insufficient Staff Training
Employees can be the weak link in the chain if organizations do not invest in education and training regarding regulations. All it takes is one employee giving out sensitive information because they do not realize the risk to make the organization vulnerable to a data breach.
Train staff on what the requirements mean, what data needs protection, and how to recognize common threats, such as phishing emails that attempt to gain access credentials.
Lack of Top-Down Leadership
Organizations that are in compliance with GLBA all start with the Board of Directors. If your financial institution does not have Board of Directors buy-in, then you may not be fully compliant.
Why? If leadership on this issue does not come from the Board, then compliance is not prioritized, to the detriment of the organization. GLBA mandates that either the Board of Directors or a committee of the Board oversee the development and implementation of the information security program and review reports on its success. The Board takes accountability that consumer information is protected at the highest levels.
Incomplete Incident Response Plan
Your incident response plan should outline how to deal with problems, how to help customers, and what actions employees should take after an incident. A strong plan includes detailed and specific information on what to do, covers all types of data loss situations — not just data breaches — and is tested at least once per quarter, then actively improved after each test.
If your organization’s incident response plan falls short, staff can struggle when something goes wrong. Too many plans are written as if they are policies, instead of action steps. These plans provide little to no direction on what to do after an incident. Delays in reporting incidents can cause problems for employees and for customers, who may grow disillusioned when the incident—and the insufficient response—later comes to light.
Lack of Follow-Through
Part of GLBA compliance is testing that the plan works as intended. If your organization has never done a test, how can you know your safeguards work?
Make it a priority to test your safeguards and revise your plan as needed before you fall victim to a data breach—and continue to test your GLBA safeguards from time to time.
Get a GLBA Audit
One overlooked issue is often a sign that more problems are lurking under the surface. Every GLBA violation comes with a fine of up to $100,000 for the organization and up to $10,000 for every officer and director.
If you’re not sure whether your institution is complying with all GLBA regulations—or if you know you need to make improvements to your plan—you may be interested in a GLBA audit.
A GLBA audit reviews your policies and procedures for compliance, then tests internal controls to see whether they are effective. A GLBA assessment tells you whether you are meeting all GLBA mandates and, if not, what needs to change. In the audit process, your organization finds out where you have gaps to fill and how to close them, giving you a road map to full compliance that reduces uncertainty and risk. Updating your written policies to reflect full compliance can also increase customer satisfaction and trust.
Given the devastating effects of a data breach, it is smart business sense to stay in compliance with GLBA by protecting customer data to the fullest extent.
I.S. Partners offers GLBA audits that can deliver peace of mind and best-in-class protection of customer data. Learn more about an audit by calling us at (215) 631-3452, requesting a quote, or launching a live chat to start a conversation!