Gramm-Leach-Bliley Act Compliance Workshop - PowerPoint PPT Presentation

Slides: 77
Provided by: EHAR9

Transcript and Presenter's Notes

1
Gramm-Leach-Bliley Act Compliance Workshop
Terry Wooding, Ellen Harris-Small
2
Gramm-Leach-Bliley Act Compliance Seminar
Objectives
  • Defining GLBA
  • Discuss the role of the FTC
  • Compliance
  • Designing a security plan
  • Discuss non-public customer information
  • Discuss policy and procedures
  • Staff's role in GLBA and a sample training workshop
  • Importance of safeguarding information

3
WHAT IS GLBA?
  • The Gramm-Leach-Bliley Act (GLBA) was signed into
    law on November 12, 1999.
  • Requires financial institutions to provide a
    privacy notice to their customers and restricts
    sharing of customers' non-public personal
    information with third parties.
  • Mandates that financial institutions provide for the
    security and integrity of customers' information.

4
WHY WAS GLBA ENACTED?
The GLBA is intended to protect the financial
privacy of non-public personal consumer
information held by financial institutions or
companies that offer financial products or
services to individuals, such as loans, financial
or investment advice, or insurance.
5
The Privacy Rule applies to businesses that are
"significantly engaged" in "financial
activities":
  • Lending, exchanging, transferring, investing for
    others, or safeguarding money or securities.
    These activities cover services offered by
    lenders, check cashers, wire transfer services,
    and sellers of money orders.
  • Providing financial, investment or economic
    advisory services. These activities cover
    services offered by credit counselors, financial
    planners, tax preparers, accountants, and
    investment advisors.
  • Servicing loans or brokering loans.
  • Collecting debt.
  • Providing real estate settlement services.
  • Career counseling (of individuals seeking
    employment in the financial services industry).
  • Companies receiving information from a covered
    business.

6
Federal Trade Commission (FTC)
  • Has jurisdiction over financial institutions.
  • Administers consumer affairs and pursues law
    enforcement.
  • Advances consumers' interests and develops
    policies and standards for compliance.
  • Conducts hearings, workshops, and conferences.
  • Creates practical and plain-language educational
    programs and brochures for consumers and
    businesses.

7
Federal Trade Commission (FTC)
  • Has jurisdiction over financial institutions.
  • Has taken the position that colleges and
    universities are financial institutions because
    they make loans to students.

8
FERPA vs. GLBA
  • The Family Educational Rights and Privacy Act
    (FERPA) addresses the privacy of student information.
  • The Gramm-Leach-Bliley Act addresses the security of
    customer records and information.

9
FTC has ruled
Safeguarding consumers' information is not a
privacy issue but one of security for
customers of financial institutions. Compliance
with FERPA does not exempt colleges and
universities from the GLBA safeguard regulations.
10
Section 501 of GLBA
  • Requires financial institutions to establish
    standards relating to administrative, technical
    and physical information safeguards in order to
    protect customer records and information.

11
Is This A Serious Problem?
  • Since February 2005, over 60 of the 150 security
    breaches have victimized nearly 55 million people
    whose personal information was compromised.
  • A number of these involved higher education
    institutions. (Privacy Rights Clearinghouse)

12
Is This A Serious Problem?
  • 8.9 million people, or 4% of the US adult
    population, had their non-public confidential
    information stolen and used to commit fraud
    in 2005.
  • The average amount per victim was $6,383.00.
  • The total annual cost was $56.6 billion.

13
Is This A Serious Problem?
  • There is a new victim every two seconds

14
Why Should We Comply?
  • Penalties assessed for non-compliance
  • Officers & Directors
  • Individually liable up to $10,000 per violation
    and/or up to 5 years in jail
  • If the violation also violates another Federal
    law, or is part of a pattern involving more than
    $100,000 within a 12-month period, penalties
    double.
  • Potential barring from working in the banking
    industry

15
Penalties for Non-Compliance
  • For the institution
  • Up to $100,000 per violation
  • FDIC violations
  • Possible revocation of FDIC insurance
  • Cease & Desist orders barring policies or
    practices
  • Permanently barring management from working in
    the banking industry
  • Penalties up to $1M for an individual, and the lesser
    of $1M or 1% of total assets for the financial
    institution.

16
What are the safeguard procedures at your school?
  • Who is the individual or group responsible for
    the act's oversight?
  • Have you attended Safeguard training?
  • If you cannot answer the first question, or
    the answer to the second question is no,
    your school may not be in compliance.

17
GLBA OBJECTIVES
  • Ensure the security and confidentiality of customer
    records and information.
  • Protect against any anticipated threats or
    hazards to the security of the records.
  • Protect against unauthorized access to or use of
    records or information which could result in harm
    or inconvenience to the customer.

18
HOW TO COMPLY
  • Each financial institution is required to
    maintain safeguards.
  • Design policies to protect customer information
    in whatever format, electronic or hardcopy.
  • Develop a written security plan.

19
Three Types of Safeguards
  • Administrative / operational safeguards:
    hiring, background and reference checks, staff
    training, NPI handling, monitoring, disciplinary
    measures for policy breaches, and auditing.
  • Technical safeguards:
    anti-virus software, patches, up-to-date
    firewalls, encryption, data transmission and
    intrusion detection.
  • Physical safeguards:
    storing records, password procedures, backup,
    disposal, protection against destruction and
    hardware security.

20
SAFEGUARDS RULES
  • Require institutions to consider all areas of:
  • Hiring
  • Employee management and training
  • Information systems
  • Managing system failures
  • Back-up and recovery procedures
  • Incident response handling

21
GLBA also REQUIRES
  • Third-party service providers to have a written
    policy by May 23, 2003.
  • Schools must have contractual agreements with
    their service providers in place by May 23, 2004.

22
Common Requirements of the Regulations
  • A policy-driven security management program
  • Validation of security controls
  • A risk management approach to information
    security
  • Demonstration of the due diligence in the
    application of internal controls
  • An effective security incident management process
  • Reporting
  • Archiving and document preservation
  • Document disposal

23
INFORMATION SECURITY PLAN
  • Designate one or more staff to coordinate the
    safeguards program.
  • Identify and assess the risks to customer
    information.
  • Design and implement policies, and regularly
    monitor the safeguards program.
  • Select appropriate service providers who have a
    safeguards program, and contract with them.
  • Evaluate and adjust the plan as needed.

24
Information security plans require
  • A written plan to ensure the security and
    confidentiality of non-public consumer
    information (NPI).
  • Must provide protection against reasonable and
    foreseeable internal and external risks.
  • Must protect against misuse, destruction or
    compromise of confidential customer information.

25
Information Systems Security Plan
  • Requires:
  • Regular testing
  • Monitoring
  • Security updates and improvements
  • Backup and recovery procedures
  • Evaluating the plan and adjusting it

26
Identify POLICY
  • Find current policies related to protecting
    information
  • Review policies and procedures
  • Revise and update as needed
  • Distribute policies
  • Provide staff training, communicate expectations
  • Conduct risk analysis
  • Continue to monitor program and adjust

27
PCI Data Security Standard
  • Build and Maintain a Secure Network
  • 1. Install and maintain a firewall configuration to
    protect data.
  • 2. Do not use vendor-supplied defaults for system
    passwords and other security parameters.
  • Protect Cardholder Data
  • 3. Protect stored data.
  • 4. Encrypt transmission of cardholder data and
    sensitive information across public networks.

28
PCI Data Security Standard
  • Maintain a Vulnerability Management Program
  • 5. Use and regularly update anti-virus software.
  • 6. Develop and maintain secure systems and
    applications.
  • Implement Strong Access Control Measures
  • 7. Restrict access to data by business need-to-know.
  • 8. Assign a unique ID to each person with computer
    access.
  • 9. Restrict physical access to cardholder data.

29
PCI Data Security Standard
  • Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network resources
    and cardholder data.
  • 11. Regularly test security systems and processes.
  • Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information
    security.

30
NON-PUBLIC CUSTOMER INFORMATION (NPI)
  • Credit card numbers
  • Social Security numbers
  • Driver's license numbers
  • Student loan data
  • Income information
  • Credit histories
  • Customer files containing NPI
  • Consumer information containing NPI
  • Bank account data

31
Top States for ID Theft (victims per capita)
  • New York
  • California
  • Nevada
  • Arizona
  • Washington
  • Texas
  • Hawaii
  • Illinois
  • Oregon
  • Michigan
  • Florida
  • Georgia
  • Colorado

32
Cost of a Breach in Security
  • One University's accidental release of credit
    card information to the internet cost it over
    $1,000,000.00 in security upgrades and
    notifications.
  • Other examples can be found on the FTC web page,
    www.ftc.gov

33
What can we do to guard NPI?
  • Keep confidential information private.
  • Use care when asking for or giving an SSN.
  • Use secure disposal methods.
  • Protect the privacy of data transmissions.
  • Improve procedures.

34
Review security policies at your school
  • Computer usage
  • Cash handling
  • Confidentiality policy
  • FERPA information
  • Document handling

35
GLBA POLICY
  • Current policies related to protecting
    information may assist you in designing the GLBA
    policy
  • Review policies and procedures
  • Revise and update as needed
  • Review other schools' policies
  • Draft the policy
  • Have the draft reviewed by covered departments.

36
GLBA POLICY
  • Gain executive-level support
  • Distribute the GLBA policy
  • Ask staff to sign their agreement to the policy
  • Review and update the policy at least annually
  • Provide continued staff training and
    communication.

37
Suggestions for TRAINING
  • Staff training should include:
  • GLBA facts
  • A definition of non-public information
  • Information about maintaining the security and
    confidentiality of customers' non-public
    information
  • The school's security safeguard policies
  • Special training in information systems security
    for IT professionals
  • Identity theft and its prevention

38
Suggestions for TRAINING
  • Sensitize staff to seriousness of identity theft.
  • Make it personal to grab attention and interest.
  • Use examples.
  • Encourage discussion.
  • Offer solutions and best practices.
  • List actions to take to prevent clients from
    becoming victims.
  • Clarify that staff responsibilities include
    protecting and securing data and information.

39
Sample Training Workshop
Identity Theft Safeguarding Information
40
What is Identity Theft?
  • Under the ID Theft Act, identity theft is defined
    very broadly as knowingly using, without authority,
    a means of identification of another person to
    commit any unlawful activity.
  • (Unlawful activity: a violation of Federal law,
    or a felony under State or local law.)

41
IDENTITY THEFT
When someone steals your identity (NPI), they are
usually using your ID to obtain goods and
services for themselves that you will have to
pay for.
42
How Does an Identity Thief Get Your Information?
  • Stealing files from places where you work, go to
    school, shop, get medical services, bank, etc.
  • Stealing your wallet or purse.
  • Stealing information from your home or car.
  • Stealing from your mailbox or from mail in
    transit.
  • Sending a bogus email or calling with a false
    promise or fraudulent purpose; for example,
    pretending to be from a bank, creating a false
    website, pretending to be a real company, or
    sending fake auditing letters.

43
From: PNC Bank
Sent: May 17, 2007 6:31 PM
To: abuse_at_rutgers.edu
Subject: To All PNC bank users

Dear PNC user, During our regular update
and verification of the user data, you must
confirm your credit card details. Please confirm
you information by clicking link below.
http://Cards.bank.com pncfeatures/cardmember
access.shtml
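The sample above has the two marks the slide warns about: a message claiming to be from a bank, and a link that leads somewhere else. The check below is an added example, not part of the original deck; it parses a constructed message modelled on the sample (addresses and hosts are made up), compares every link's domain with the claimed sender's domain, and looks for "confirm your details" wording. The phrase list and the two-label domain rule are assumptions.

```python
"""Flag e-mails whose links do not belong to the sender they claim to be.

Added example (not part of the original slide deck). The message below is
constructed to mirror the PNC phishing sample in the slide; the lure
phrases and the domain rule are assumptions, not an official check.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the slide's example (not a real message).
SAMPLE_EMAIL = """\
From: PNC Bank <alerts@pnc-example.com>
To: abuse@example.edu
Subject: To All PNC bank users

Dear PNC user, during our regular update and verification of the user
data, you must confirm your credit card details. Please confirm your
information by clicking the link below.
http://cards.bank-example.com/pncfeatures/cardmember_access.shtml
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Wording typical of credential-harvesting lures; assumed list.
LURE_PHRASES = ("confirm your credit card", "verify your account",
                "update your details", "link below")


def registrable_domain(host: str) -> str:
    """Last two labels of a host (fine for .com/.edu; ccTLDs need more)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_message(raw: str) -> dict:
    """Return sender domain, links whose host mismatches it, lure phrases."""
    msg = message_from_string(raw)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = ""
    if "@" in sender_addr:
        sender_domain = registrable_domain(sender_addr.split("@")[-1])
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = URL_RE.findall(body)
    mismatched = []
    for link in links:
        host = urlparse(link).hostname or ""
        if registrable_domain(host) != sender_domain:
            mismatched.append(host)
    lures = [p for p in LURE_PHRASES if p in body.lower()]
    # Both a foreign link and lure wording together: treat as suspicious.
    return {"sender_domain": sender_domain, "links": links,
            "mismatched_hosts": mismatched, "lure_phrases": lures,
            "suspicious": bool(mismatched) and bool(lures)}


if __name__ == "__main__":
    print(assess_message(SAMPLE_EMAIL))
```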
44
PHISHING
  • Loss from phishing attacks in 2004 was $137
    million; in 2006 it was $2.8 billion.
  • The number of adults receiving phishing
    e-mails almost doubled, from 57 million in 2004 to
    109 million in 2006.
  • The per-victim loss increased from $257 to $1,244.
  • The percentage of money recovered dropped to 54%
    in 2006 from 80% in 2004.

45
How Does an Identity Thief Use Your Information?
  • Obtains credit cards in your name or makes
    charges on your existing accounts (42%).
  • Obtains wireless or telephone equipment or
    services in your name (20%).
  • Forges checks, makes unauthorized EFTs, or opens
    bank accounts in your name (13%).
  • Works in your name (9%).
  • Obtains personal, student, car and mortgage
    loans, or cashes convenience checks in your name
    (7%).
  • Other uses: obtains a driver's license in your name.

46
You may be a victim if:
  • You are denied credit.
  • You stop getting mail.
  • You start getting collection calls/mail.
  • You start getting new bills for accounts you do
    not have or services you did not authorize.
  • Your bank account balances drop.

47
Victims of Identity Theft
  • If your identity is stolen, do the following
    immediately:
  • Contact the fraud departments of the three major
    credit bureaus (Equifax, Experian, Trans Union).
  • Contact your creditors and check your accounts.
  • File a police report.
  • File a complaint with the FTC.

48
DAMAGES
  • Time
  • Money
  • Credit rating
  • Reputation

49
RECOVERY
  • Take back control of your identity
  • Close any fraudulent accounts.
  • Put passwords on your accounts.
  • Change old passwords and create new PIN codes.

50
Remind Victims to
  • Call the fraud departments of the credit reporting
    agencies.
  • Have fraud alerts placed on their credit report.
  • Contact creditors.
  • Close open accounts and get new account numbers.
  • Report to the local police, get a copy of the
    report.
  • Follow up.
  • Keep a copy of the police report for the future.
  • Go to the FTC website for additional information.

51
PREVENTION
  • Protect yourself
  • Protect others
  • Guard against fraud
  • Sign cards as soon as they arrive.
  • Keep records of account numbers and phone
    numbers.
  • Keep an eye on your card during transactions.
    Also be aware of who is around you: is anyone
    else listening?
  • Check your credit report and credit card monthly
    statements.


52
ANNUAL CREDIT BUREAU REPORT
  • Review your credit report annually
  • If you are denied credit, you are allowed to
    request one free copy of your credit report.
  • Check your report for accurate information,
    open accounts, balance information, loan
    information, etc.

53
CREDIT BUREAU LINKS
  • Equifax www.equifax.com
  • To order a report, 1-800-685-1111
  • To report fraud, 1-800-525-6285
  • Experian www.experian.com
  • To order a report, 1-888-397-3742
  • To report fraud, 1-888-397-3742
  • Trans Union www.tuc.com
  • To order a report, 1-800-916-8800
  • To report fraud, 1-800-680-7289

54
Good Practices
  • Empty your wallet/purse of non-essential
    identifiers.
  • Photocopy the contents of your wallet/purse.
  • Do not use any information provided by the people
    who may be trying to scam you; look it up
    yourself.
  • Shred documents before you dispose of them.
  • Photocopy your passport (keep a copy at home and
    one with you when you travel).

55
NPI
  • Has anyone asked you for information that should
    not be required to conduct business?
  • How did you handle the request?
  • Will you handle it differently in the future?

56
General Privacy
  • Do not correct the information offered in
    account verification questions.
  • Be suspicious.
  • Be paranoid.
  • Don't be afraid to say no when asked for
    information that is not required to conduct the
    current business transaction.

57
GLBA requires us to PROTECT CONSUMERS from
substantial harm or inconvenience.
58
Actions to prevent Others from becoming Victims
  • Determine what information you need.
  • Provide a secure workplace.
  • Always ask for a student's ID or debtor's account
    number.
  • Keep prying eyes away from customers'
    information.
  • Don't expose NPI to the outside world.

59
Actions to prevent Others from becoming Victims
  • Take care when you provide employees' or
    customers' personal information to others.
  • Know and explain how you handle personal
    information.
  • Ask for written permission prior to sharing
    personal information.
  • Report problems or concerns to managers or
    supervisors.

60
Remember to always maintain confidentiality,
security and integrity
  • Avoid:
  • unauthorized disclosure
  • removing information from your office
  • sharing information
  • tossing information in the trash
  • downloading or e-mailing information.

61
What are university assets?
62
  • Are customer information and
    records assets?

63
Potential Damages to the University
  • Reputation
  • Fines
  • Reparation costs
  • Recovery costs
  • Increased prevention costs

64
EXPECTATIONS
  • All University employees are responsible for
    securing and caring for University property,
    resources and other assets.
  • The University relies on the attention and
    cooperation of every member of the community to
    prevent, detect and report the misuse of
    university assets.

65
SAFEGUARDING INFORMATION
66
What can the staff do to guard NPI?
  • Keep confidential information private.
  • Use care when asking for or giving social security
    numbers.
  • Use secure disposal methods.
  • Protect the privacy of data transmissions.
  • Review and follow written policies.
  • Improve procedures.

67
CHECK YOUR WORK AREA!
  • Do you leave NPI reports on your desk?
  • Is NPI stored in unlocked file cabinets?
  • Keep computer disks secure.
  • Do not save NPI on your computer's C: drive.
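
A desk or drive check can be automated for the NPI types that have a recognisable shape. The scanner below is an added example, not part of the deck: it finds Social Security numbers and payment card numbers (validated with the Luhn check digit) in a constructed sample file and reports them masked, so the report itself holds no NPI. The patterns, the SSN plausibility rule and the sample text are assumptions.

```python
"""Scan text for non-public personal information (NPI) left on a workstation.

Added example (not part of the original slide deck). It looks for the two
NPI types in the deck that have a checkable shape: Social Security numbers
and payment card numbers (Luhn-validated). The sample file is constructed;
the numbers in it are well-known test values, not real identifiers.
"""
import re

# Candidate patterns; assumptions about common formatting.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: True if the digit string has a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues (area 000/666/9xx, zero group/serial)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan_npi(text: str) -> list:
    """Return (kind, line_number, masked_value) for each NPI hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append(("ssn", lineno, "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):   # drops invoice-like numbers that only look like cards
                masked = "*" * (len(digits) - 4) + digits[-4:]
                hits.append(("card", lineno, masked))
    return hits


# Constructed sample of a file someone might leave on a C: drive.
SAMPLE_FILE = """\
Student aid worksheet (DRAFT)
Name: J. Doe   SSN: 219-09-9999
Card on file: 4111 1111 1111 1111
Invoice number: 1234-5678-9012 (not a card)
Order ref 000-00-0000 is a placeholder, not an SSN
"""

if __name__ == "__main__":
    for kind, lineno, masked in scan_npi(SAMPLE_FILE):
        print(f"line {lineno}: {kind} {masked}")
```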

68
Safeguarding Information
  • Your role as a user.
  • Ensure Physical Security.
  • Select and Protect hard to guess passwords.
  • Avoid email traps and disclosures.
  • Back up files.
  • Log off your computer when not in use.
  • Do not open emails with attachments from unknown
    sources.
  • Obliterate data before giving up your computer.
  • Recognize social engineering tactics.

69
University Regulations and Guidelines related to
Safeguarding Information
  • Standards for University Operations Handbook
  • Confidentiality
  • Accounting for Financial Resources
  • Acceptable Use of Network Computing Resources
  • Agreement for Accessing Information
  • Acceptable Use Policy
  • Guidelines for Interpretation of Acceptable Use
  • Acceptable Use Supplement
  • Basics

70
Management's Expectations
  • Follow GLBA policy.
  • Report any breaches.
  • Be observant and make suggestions.
  • Never e-mail NPI.
  • Make sure that conversations cannot be overheard
    when exchanging sensitive information.
  • Password protect your computer. Do not leave it
    unguarded even for a minute, lock it.

71
Safeguarding customer information and university
assets is everyone's job!
72
The FTC's Identity Theft Program
  • Toll-free phone number for complaints: 877-ID-THEFT
  • Consumer education materials
  • Web site: www.consumer.gov/idtheft
  • Identity Theft Data Clearinghouse: the federal
    government's centralized database of ID theft
    complaints

73
Learn about security and privacy protection
practices for your workplace
  • "Security & Privacy -- Made Simpler," from the
    Better Business Bureau:
    www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
  • "Protecting Personal Information: A Guide for
    Business," from the Federal Trade Commission:
    www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf
  • "Information Security Handbook," from the
    National Institute of Standards and Technology:
    http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
  • "Prevent Identity Theft with Responsible
    Information-Handling Practices in the Workplace,"
    from the Privacy Rights Clearinghouse:
    www.privacyrights.org/ar/PreventITWorkplace.htm

74
WHAT WOULD YOU DO?
75
Additional Resources
  • The California Office of Privacy Protection has
    developed a series of Recommended Practices.
    Several of the guides may be helpful in
    protecting your business whether or not you are
    located in California.
  • "Recommended Practices on California
    Information-Sharing Disclosures and Privacy
    Policy Statements,"
    www.privacy.ca.gov/recommendations/infosharingdisclos.pdf
  • "A California Business Privacy Handbook,"
    www.privacyprotection.ca.gov/recommendations/ca_business_privacy_hb.pdf
  • "Recommended Practices for Protecting the
    Confidentiality of Social Security Numbers,"
    www.privacy.ca.gov/recommendations/ssnrecommendations.pdf

76
In Summary
  • Protect Yourself
  • Protect Others
  • Protect the University