
Gramm-Leach-Bliley Act Compliance

Docuzon is the industry leader in helping organizations become legally compliant with regulations governing the transmission of electronic documents and signatures.

Gramm-Leach-Bliley

The Gramm-Leach-Bliley Act (GLBA), also known as the Gramm-Leach-Bliley Financial Services Modernization Act, was enacted on November 12, 1999. It makes compliance mandatory whether or not a financial institution discloses nonpublic information, and it requires that a policy be in place to protect that information from foreseeable threats to its security and data integrity. GLBA regulates the sharing of personal information about individuals who obtain financial products or services from financial institutions. Docuzon provides a safe, secure delivery transport medium that supports customer compliance with GLBA regulations.

Who Must Comply
All financial institutions must achieve Gramm-Leach-Bliley compliance.

What You Must Do
Section 501: “to ensure the security and confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such records or information that result in substantial harm or inconvenience to any consumer.”

How You Must Do It
To achieve Gramm-Leach-Bliley compliance and as outlined in the Federal Register August 2001, “to develop, implement and maintain a comprehensive written information security program... select and retain appropriate service providers.”

Gramm-Leach-Bliley
Financial Services Modernization Act

Penalties for Non Compliance to the Gramm-Leach-Bliley Act


General Civil Penalty for Failure to Comply
▪ Officers and Directors personally liable for not more than $10,000 for each violation

▪ The financial institution liable for penalties not to exceed $100,000 for each violation

Criminal Penalties
▪ Fines in accordance with Title 18 of the United States Code, imprisonment for not more than 5 years, or both

▪ Where a violation occurs while violating another federal law, or as part of a pattern of any illegal activity involving more than $100,000 within a 12 month period, fines of up to twice the amount provided in Title 18 of the USC and imprisonment for more than 10 years, or both

FDIC Sanctions (specified in Section 8 of the FDIC)
▪ Termination of FDIC insurance

▪ Cease and Desist Orders barring policies or practices deemed in violation of the Act’s Privacy Provisions
▪ Removal of management, directors, officers etc. and potentially barring them, permanently, from working in the banking industry

▪ Fines of up to $1,000,000 for an individual or the lesser of $1,000,000 or 1% of the total assets of the financial institution

Links to Resources for the Gramm-Leach-Bliley Act


http://www.ftc.gov/privacy/glbact/glb-faq.htm
  1. Financial institutions, products, and services that are covered under the Privacy Rule (q. 1-5)
  2. Individuals who are entitled to receive notices (q. 1-5)
  3. Delivering your privacy notices (q. 1-9)
  4. Providing notices to joint account holders (q. 1-5)
  5. Complying with the opt out provisions for joint account holders (q. 1-4)
  6. Delivering opt out notices and providing consumers with a reasonable opportunity to opt out (q. 1-7)
  7. Complying with the limitations on redisclosure and reuse of nonpublic personal information (q. 1-7)
  8. Complying with the limitation on disclosing account numbers (q. 1-2)
  9. Disclosing nonpublic personal information under the exceptions to the notice and opt out provisions (q. 1-12)
  10. Complying with the exception to the opt out provisions for joint marketing arrangements (q. 1-5)

Gramm-Leach-Bliley Act - Wikipedia, the free encyclopedia



Safeguards Rule, as Required by Section 501(b)

Part VII
Federal Trade Commission
16 CFR Part 314
Standards for Safeguarding Customer Information; Final Rule

PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Sec.
§ 314.1 Purpose and Scope.
§ 314.2 Definitions.
§ 314.3 Standards for Safeguarding Customer Information.
§ 314.4 Elements.
§ 314.5 Effective Date.
Authority: 15 U.S.C. 6801(b), 6805(b)(2).

§ 314.1 Purpose and Scope.
(a) Purpose. This part, which implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

(b) Scope. This part applies to the handling of customer information by all financial institutions over which the Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’) has jurisdiction. This part refers to such entities as ‘‘you.’’ This part applies to all customer information in your possession, regardless of whether such information pertains to individuals with whom you have a customer relationship, or pertains to the customers of other financial institutions that have provided such information to you.

§ 314.2 Definitions.

(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission’s rule governing the Privacy of Consumer Financial Information, 16 CFR part 313.

(b) Customer information means any record containing nonpublic personal information as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

(c) Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

(d) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.

§ 314.3 Standards for Safeguarding Customer Information.
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.

(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:

(1) Insure the security and confidentiality of customer information;

(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and

(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

§ 314.4 Elements.
In order to develop, implement, and maintain your information security program, you shall:


(a) Designate an employee or employees to coordinate your information security program.

(b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:

(1) Employee training and management;

(2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and

(3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

(c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

(d) Oversee service providers, by:

(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and

(2) Requiring your service providers by contract to implement and maintain such safeguards.

(e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program.

§ 314.5 Effective Date.
(a) Each financial institution subject to the Commission’s jurisdiction must implement an information security program pursuant to this part no later than May 23, 2003.

(b) Two-year grandfathering of service contracts. Until May 24, 2004, a contract you have entered into with a nonaffiliated third party to perform services for you or functions on your behalf satisfies the provisions of § 314.4(d), even if the contract does not include a requirement that the service provider maintain appropriate safeguards, as long as you entered into the contract not later than June 24, 2002.

By Direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 02–12952 Filed 5–22–02; 8:45 am]
BILLING CODE 6750–01–P
Source: Federal Trade Commission
May 22, 2002


How to Comply
The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the financial institution's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each financial institution must:

  • Designate one or more employees to coordinate the safeguards;
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select appropriate service providers and contract with them to implement safeguards; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business arrangements or operations, or the results of testing and monitoring of safeguards.

Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on how to maintain security throughout the life cycle of customer information - that is, from data entry to data disposal:

Dispose of customer information in a secure manner. For example:
  • Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information;
  • Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up;
  • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information;
  • Effectively destroy the hardware; and
  • Promptly dispose of outdated customer information.