Best Practices for Gramm-Leach-Bliley Compliance


By: David A. Cole
The U.S. Commodity Futures Trading Commission (Commission) recently issued a Staff Advisory on the recommended best practices for covered financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy.
Congress enacted the GLBA in 1999 to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information.  Specifically, under the Commission’s regulations, futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants (covered entities) “must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  Those policies and procedures must:

  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

According to the Staff Advisory, the recommended best practices include that each covered entity should develop, implement, and maintain a written information security and privacy program that is appropriate to its size and complexity, as well as to the nature and scope of its activities.  In addition, the program should require the covered entity to, at a minimum:

  1. Designate a specific employee with privacy and security management oversight responsibilities;
  2. Identify, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
  3. Design and implement safeguards, in writing, to control the identified risks;
  4. Train staff to implement the program and provide regular refreshers;
  5. Regularly test and monitor the safeguards;
  6. At least once every two years, arrange for an independent party to test and monitor the safeguards’ controls, systems, policies, and procedures;
  7. Implement third-party service-provider agreements which specify that the third party is maintaining appropriate safeguards;
  8. Regularly evaluate and adjust the program; and
  9. Design and implement policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.

These best practices should look familiar to those who already deal with the various state laws that require companies to implement written information security programs, as well as to entities that are required to comply with HIPAA.  Ultimately, whether or not a specific law requires it in one form or another, it is a best practice for every entity that maintains personal information, whether that of customers, clients, patients, or employees, to implement a data security program and to build a “culture of security” in the workplace.