Gramm-Leach-Bliley Act (GLBA): Are you next on their list?
President – Thin-nology
A couple of months ago a small number of experienced and honorable accountants went to work, just as they had for many years. They went through their usual routine, except that on this day, around 11:00 am, a FedEx truck pulled into the driveway and dropped off a couple of packages they were not expecting.
When the package was opened and its contents read, these accountants knew their business practices were being questioned. The package came from a lawyer in Cleveland, Ohio, working for the Federal Trade Commission. The cover letter began with…
“The Staff of the Federal Trade Commission (Commission) is conducting a non-public investigation into “ABC Company’s” practices with regard to its safeguarding of consumers’ personally identifiable information. The staff is seeking to determine whether “ABC Company’s” practices are in compliance with the Gramm-Leach-Bliley-Act.”
These experienced and honorable accountants had never heard of the Gramm-Leach-Bliley Act (GLBA). So why were they under investigation for a regulation they had never heard of?
The Gramm-Leach-Bliley Act of 1999 (with the FTC's implementing rules issued in the years that followed) requires financial institutions to put measures in place, for both physical and electronic data, so that "personally identifiable information" cannot be accessed by anyone other than those who have been granted permission to access it. Most of us think of financial institutions as banks, credit unions, and investment houses. The GLBA, however, treats anyone who provides any type of financial service to consumers as a financial institution, and that net is wider than most small firms realize. The difference from HIPAA, the other consumer-protection regime most people know, is one of posture. HIPAA enforcement by the Department of Health and Human Services is largely reactive: if someone complains, they investigate. GLBA enforcement at the FTC is proactive: the agency picks an industry, opens non-public investigations, and demands evidence of compliance without waiting for a complaint, and its staff are diligent about collecting that evidence and the resulting penalties.
The FTC's GLBA enforcers traditionally focused their efforts on what we all think of as "traditional financial institutions," but then started targeting automobile dealerships. Why automobile dealerships, one might ask? The answer is simple: they collect your personal information to arrange a loan for a car. We all remember sitting in the finance office at a dealership and seeing "the deals" in progress, folders stacked on the desk or the floor. Every one of those folders is a potential source of identity theft. For each infraction (unsecured personal information) the enforcers would fine the dealership $10,000.
In the last 3-4 years the number of fraudulent tax returns filed with the IRS has risen dramatically. In fact, one of the nation's largest tax preparers has admitted to the release of personal data. Most accounting firms are in the infancy of technology security, and that is why the FTC's GLBA enforcers are now focusing on accounting firms' practices. The lawyer asked the accountants to produce records of compliance for the last "two" years. A request like that will almost certainly turn up infractions of a mandate the accountants did not know existed, because you cannot produce two years of records for a program you never knew you were supposed to have.
The actual Safeguards Rule can be found at https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule. Three short sections (16 CFR 314.2, 314.3 and 314.4) carry the weight: 314.2 defines the terms, 314.3 sets the standard (a written information security program with administrative, technical and physical safeguards appropriate to the size of the business and the sensitivity of the data), and 314.4 lists the elements that program must contain. Note that the dollar amounts of fines are not in these sections; the FTC levies penalties through its general enforcement authority, so the rule tells you what to build, not what a failure costs.
Here is an outline of the technology-side documentation requirements.
- Risk assessment documentation and training, along with all changes and updates since their inception.
- Security risk identification and remediation plans and training, along with all updates since their inception.
- Network and system monitoring systems in place, along with implementation documentation and the training programs provided.
- Security breaches identified by the monitoring systems, with documentation of the actions taken and the training provided after each breach.
- Administrative and technical details of the security systems in place and the training of personnel on their use.
- Information disposal procedures in place, including disposal of hard drives per federal guidelines.
- Access authentication policies, procedures, and implementation, along with the training provided.
- Encryption practices, policies and procedures in place, along with the training provided.
- The identity of the individual in charge of security systems, and the training provided to all employees and vendors of the company, with copies of all documentation relating to changes in the training programs.
Most IT firms working with accountants would not know where to begin, or how to produce the documentation being requested. Luckily, one of the accountants who received this "non-public investigation" packet had, many years earlier, hired an experienced cloud computing company to handle the firm's network and information technology. That company had kept all of its customers in compliance with the GLBA since inception, so the records existed and could be produced on demand.
The response totaled hundreds of pages, and that was for the technology side only. The administrative side (inside the office) requires an equally significant compliance effort. The security officer must provide copies of contracts, business continuity agreements, and vendor qualification documentation. One of the interesting requirements is the "qualified personnel" clause. In practice it means that many of the IT guys used by small companies will not pass the "qualified personnel" test, which by itself puts the company out of compliance with the Act. The firm must also document how physical security of the office, office systems, and data systems is implemented and maintained.
Accountants should create office policies and procedures, and document how personal information is gathered, stored, and distributed. Get a consultant to help locate a reputable IT company and networking engineer. Getting into compliance is like buying an insurance policy that will, one day, pay out.