The GLB Crackdown Begins

If your company is not a depository bank, should you care about the Gramm-Leach-Bliley (GLB) Data Protection Act? According to Jerry Montella, it may be very important for you to care. While we all know that the Gramm-Leach-Bliley data protection rules must be followed by financial institutions (commonly understood to mean banks, thrifts and credit unions), did you know they must also be followed by numerous non-depository institutions? In a press release distributed by the Federal Trade Commission (FTC) in November, the "financial institutions" covered by the Safeguards Rule in the GLB Act "include not only lenders and other traditional financial institutions, but also companies providing many other types of financial products and services to consumers. These institutions include, for example, payday lenders, check-cashing businesses, professional tax-preparers, auto dealers engaged in financing or leasing, electronic funds transfer networks, mortgage brokers, credit counselors, real estate settlement companies, and retailers that issue credit cards to consumers." If your company falls into one of the preceding categories, or if your company provides services to or contracts for services from one of these companies, the GLB Data Protection Act applies to YOU. Think hot-site vendors, electronic storage vendors, print-to-mail recovery vendors: anyone and everyone who has access to personal, non-public financial information.

Although the deadline for compliance with the GLB Data Protection Act was May 23, 2003, it was only recently that the federal government started cracking down. In November, as part of a nationwide compliance sweep, the FTC charged Nationwide Mortgage Group, Inc. (Nationwide), headquartered in Fairfax, Virginia, and Sunbelt Lending Services Inc. (Sunbelt), a Cendant Mortgage Company subsidiary headquartered in Clearwater, Florida, with violating the GLB Safeguards Rule "by not having reasonable protections for customers' sensitive personal and financial information." In fact, the FTC also charged Nationwide president John D. Eubank personally with the violation. I'm wondering if there are some business continuity planners looking for new jobs. The FTC noted specifically that the mortgage companies had failed to protect their customers' names, Social Security numbers, credit histories, bank account numbers, income tax returns, and other sensitive financial information. These are the FTC's first cases enforcing the Safeguards Rule, but they are not likely to be the last. And by the way, Sunbelt's settlement requires biennial audits of Sunbelt's information security program by a qualified, independent professional for 10 years. How much do you think that will cost?

And here is something else for you to consider. Let's say you are responsible for business continuity and your plan includes recovery scenarios for high-volume print-to-mail production. Someone on the printing staff makes an unintentional error and non-public personal customer information is compromised. If your organization is governed by the GLB, or if your organization provides services to an institution governed by one of the federal banking agencies, then you could be in breach of the GLB and subject to fines. Unfair, you protest; it was an accident. Fair or unfair, the regulation is clear. Under the rules an error is no excuse: you need more than a strategy, you need an effectively deployed program based on a strategy that can be (and has been) audited and tested. Mistake or no mistake, if you can't produce documentation that you have policies and procedures for data protection in place, you could be in violation. Again, these regulations apply not only to banking institutions, but also to support organizations.
If you outsource your print-to-mail services, whether routinely, at the time of a disaster, or when you have a production overflow and need assistance, the company to which you outsource these services must also comply with the GLB rules. And YOU are responsible for ensuring they do. Specifically, the GLB requires that institutions not only achieve their own compliance; they must also review and monitor the strategies and plans of their business partners to ensure that a partner's compliance (or, more specifically, lack of compliance) doesn't compromise their own. With enforcement of the regulations no longer a risk but a reality, you have no time to lose. Achieving compliance and passing a regulatory audit are two separate steps, and confirming that your service provider partners can pass muster is yet another required step. If you use third-party providers, you should prepare a rigorous audit for your vendors, and be prepared in case your clients require an audit of their own of your plans.

In the auditing process, one area that is often overlooked is print-to-mail business continuity. Is high-volume print-to-mail in your business continuity plan, and is your third-party print-to-mail provider compliant with GLB? A little more than a year ago, a Madison Advisors study specifically examined the preparedness of organizations relative to print-to-mail continuity issues. Over 30% of the respondents to a mail survey indicated their companies had integrated print-to-mail business continuity with their mainframe disaster recovery plans. On the other hand, only 15% of those responding to a phone survey indicated it was part of the mainframe recovery plan. A business continuity plan is an integral part of any auditable compliance plan. Are you certain you have included an auditable print-to-mail continuity provider in your plan?

What's Your Guess?
Madison Advisors also discovered that while high-volume printers were sometimes included in continuity plans, inserting and mailing equipment and processes more often were not. Why not? "The fact that some companies have backup strategies for their print volumes but not their mailing processes is baffling. What they propose to do with a million pages of invoices without an insertion and mailing plan is anyone's guess," the report stated. What's your guess? I'm guessing it's a matter of "it's not my job." If printing is the purview of one department and inserting and mailing is the purview of another, whose job is it to make sure the entire process is completed? If your job responsibility is complete when the continuity plan is done, should you care whether the invoices get mailed? What is the impact on your company's bottom line? Do you care about that? What is the risk to your company if you haven't thoroughly investigated your third-party providers relative to regulatory compliance? In fact, that should be two questions: in addition to asking "what is the regulatory risk?" you need to ask "what is the financial risk?" Remember, both you and your third-party providers must protect non-public personal data. So the protection of that personal financial customer data, even if it's in your plan but done outside your organization, is still your responsibility. According to OCC Bulletin 2001-47, properly overseeing and managing third-party relationships means organizations should adopt a risk management process that includes:
It's time for all of us to step up and take responsibility: for compliance, for risk management and for business continuity. In these uncertain times, it's better to be prepared than surprised. Make sure every department in your organization that touches, or outsources a process that touches, your customers' personal, non-public financial information has a written, tested, auditable plan for keeping that information safe. Help protect your company:
You may be surprised by the new friends (in high places) you make by raising your hand and saying, "We need to protect our company!" That's your job.

About the Author

Gerald A. (Jerry) Montella serves as Vice President of Warminster, Pa.-based Mail-Gard, a Transcontinental Company and the nation's leading provider of high-volume print-to-mail continuity solutions. Jerry is responsible for overseeing all of Mail-Gard's operations as well as developing and managing the company's sales and marketing activities. Jerry is a member of the editorial advisory board for Disaster Recovery Journal. With GLB-compliant operations, Mail-Gard maintains a fully secured facility used for print-to-mail continuity purposes, supporting cut-sheet, continuous-form, duplex, MICR and color printing as well as accumulating, folding and inserting capabilities, in conjunction with on-site U.S. postal substations and warehousing. In case of any business interruption (human error, power outage, natural disaster) or in the event of overflow production needs, Mail-Gard can ensure that a company's invoices, statements and other critical documents will reach customers and vendors. Additional information can be found at http://www.mailgard.com.