WHITE PAPER
Unraveling GLBA: Compliance Basics
For Managers, Officers and Directors of Financial Institutions
Contents
• Introduction (page 2)
• Defining the Scope of Compliance (page 3)
• Reviewing Compliance Steps (page 4)
• Administrative, Technical and Physical Safeguards (page 7)
• A Comprehensive Compliance Approach (page 8)
Daniel J. Langin, Attorney at Law LLC1
©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.
Introduction
A popular song from a decade ago contained the lyric “if you want to destroy my sweater, hold this thread as I walk away.”2 The process of unraveling federal legislation to find the core compliance requirements can be similar to the process outlined in that song lyric. The hard part is finding the thread or threads that will allow the regulated entity to end up with an orderly set of compliance steps at the end, rather than a tangled mess of disconnected requirements.

The Gramm-Leach-Bliley Act (GLBA) and its implementing regulations present one such tightly-knit set of legal requirements. Passed by Congress due to growing concerns over identity theft and misuse of consumer financial information, the law requires financial institutions to adopt numerous measures concerning use, disclosure and protection of the nonpublic personal information of customers. Although much attention was initially paid to the privacy provisions of GLBA (which require institutions to develop privacy policies and send privacy notices to customers), perhaps more concern lately has been generated among managers, officers and directors of financial institutions over the information security provisions of GLBA, also known as the “financial institution safeguards.”

The information security requirements of GLBA are found in Section 501(b), which states that the regulatory agencies and authorities that govern financial institutions3 shall establish administrative, technical, and physical safeguards to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.4

To establish the standards required by 501(b), federal agencies have passed a number of regulations.
These include the following:
• The Interagency Guidelines Establishing Standards for Safeguarding Customer Information5 for banks, thrifts and other “traditional” financial institutions (the “Interagency Guidelines”);
• the National Credit Union Administration Guidelines for credit unions (the “NCUA Guidelines”); and
• the FTC Safeguards Rule for credit card companies, credit reporting agencies and similar FTC-governed entities (the “Safeguards Rule”).6
1 Daniel J. Langin is the principal of Daniel J. Langin, Attorney at Law, LLC. He has over 16 years of experience in private and corporate practice, including ten years of experience in technology, insurance coverage and intellectual property litigation and counseling. For more information, see www.langinlaw.com or contact Daniel at (913) 661-2430 or dlangin@langinlaw.com. This article is provided for general educational and informational purposes. It is not intended to provide legal advice.
2 Weezer, “Undone - The Sweater Song,” The Blue Album (1994).
3 For purposes of GLBA, these agencies and authorities include the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency, the Board of Directors of the FDIC, the Director of the Office of Thrift Supervision, the National Credit Union Administration Board and the SEC. See 15 USC Section 6809(3).
4 15 USC Section 6801(b) (emphasis added).
5 Published at Federal Register Vol. 66, No. 22, February 1, 2001, pp. 8616-8641.
6 16 CFR Part 314.3.
In addition to these regulations, at least two sets of draft regulations concerning incident response are currently pending:
• The draft Interagency Guidance on Response Programs for Unauthorized Access7 (the “Interagency Guidance”) for banks, thrifts and related financial institutions; and
• the draft NCUA Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice8 for credit unions (the “NCUA Guidance”).

Faced with this tangle of federal laws and regulations, how can a financial institution determine which threads to follow? This paper will attempt to unravel GLBA and its regulatory regime by defining the general scope of the regulations, reviewing the individual compliance measures, and then dividing compliance steps into the three primary categories outlined in 501(b) (administrative, technical and physical measures). This paper will conclude that the most tightly knotted threads of GLBA (administrative and technical compliance measures) can be best approached by adopting a configuration audit and control process which combines technical protections, clear audit trails and reporting, ongoing evaluation and administrative best practices which support all of the foregoing.

The reasons for complying with GLBA and its regulations are simple. The agencies charged with enforcing GLBA may apply sanctions for violations (for example, the FDIC may impose penalties ranging from $5,000 per day up to $1,000,000), and the reputation and viability of institutions may be directly impacted.
What Color Is the Fabric? Defining the General Scope of GLBA Compliance
The first step in understanding any regulatory compliance regime is to define its scope. The scope of businesses covered by GLBA is “financial institutions,” i.e., businesses such as banks and thrifts, credit card companies, financial advisors, insurance companies, mortgage brokers, merchants that issue credit cards, and so on.9 The scope of information covered by GLBA is “customer information,” which is any records containing non-public personal financial information of a customer, whether in paper, electronic, or other form.10 The scope of the systems covered by GLBA is defined by regulation either as “customer information systems,” “member information systems” or “information security programs11” but all three terms mean any system used to access, collect, store, use, transmit, protect, or dispose of customer information, whether maintained by the institution or its service providers.12
7 68 Federal Register 47958 (August 12, 2003).
8 12 CFR Part 748, Appendix B.
9 15 USC Section 6809(3) defines a financial institution as “any institution the business of which is engaging in financial activities,” and the term “financial activities” is described in 12 USC Section 1843(k) to include activities such as lending, investing or safeguarding money or securities, insuring, guaranteeing or indemnifying against loss or damage, providing financial, investment or economic advisory services, underwriting or dealing in securities, and a host of other activities incident to these, as well as holding certain shares or interests in, or control over, a financial institution (such as bank holding companies).
10 See, e.g., 66 Federal Register 8635. The NCUA Guidelines refer to “member information” instead of “customer information” but the definition is the same as “customer information” (12 CFR Part 748 Appendix B, Section I.B.2.b).
11 See, e.g., 66 Federal Register 8635 (Interagency Guidelines), 68 Federal Register 479589 (draft Interagency Guidance). The NCUA Guidelines, however, refer to “member information systems” rather than “customer information systems” (12 CFR Part 748 Appendix B, Section I.B.2.c). The Safeguards Rule refers to the institution’s “information security program” rather than its “customer information systems,” but the FTC commentary to the rule states that the definition of “information security program” is basically identical to “customer information systems” as used in the other regulations (67 Federal Register 36487).
12 66 Federal Register 8635.
GLBA’s security provisions and regulations, therefore, essentially apply to the systems that financial institutions or their service providers use to access, collect, store, use, transmit, protect, or dispose of records that contain customer financial information. GLBA does not apply to information of business customers, information that relates to non-customers (persons who have not established an ongoing relationship with the institution13), or information that is not held by a financial institution or its service providers.14
Individual Threads: Reviewing Specific Regulatory Compliance Steps
Defining the general scope of GLBA and its security regulations makes it easier to break the individual regulations down into simpler sets of compliance steps. The primary regulations can be grouped into three categories: the Interagency Guidelines and NCUA Guidelines; the Safeguards Rule; and the draft Interagency Guidance and NCUA Guidance.

The Interagency Guidelines and the NCUA Guidelines contain virtually identical terms. The only difference is that one applies to banks, thrifts and related entities while the other applies to credit unions. Sections III.C.1 of both guidelines identify eight compliance steps that institutions must address to manage and control risk:
i. placing access controls on customer information systems;
ii. placing access restrictions on physical locations containing customer information;
iii. encrypting electronic customer information;
iv. adopting procedures to ensure that system modifications are consistent with the institution’s information security program;
v. adopting dual control procedures, background checks, and segregation of duties for personnel with access to customer information;
vi. installing monitoring systems & procedures to detect attacks and intrusions into customer information systems;
vii. adopting response programs that specify the actions to be taken in the event of an actual or suspected intrusion, including reporting to regulators and law enforcement; and
viii. protecting customer information from destruction or loss due to physical & environmental hazards such as fire, water damage or technical failure.

Some of these measures seem very straightforward. For example, item ii could be satisfied by simply locking file cabinets which contain customer information. Although this seems like a “no-brainer,” one of the most significant incidents of information theft (the Tri-West incident) involved a simple burglary in which several computers were stolen that contained the names, addresses, dates of birth, and social security numbers of over 500,000 people.15
13 See commentary at 66 Federal Register 8618 (“‘Customer’ does not include a business, nor does it include a consumer who has not established an ongoing relationship with a financial institution (e.g., an individual who merely uses an institution’s ATM or applies for a loan)”).
14 Other federal laws may, however, apply to such information in certain circumstances.
15 “Lawsuit Accuses Tri-West Health Care of Negligence,” Arizona Republic, January 30, 2003 (class action filed in Arizona after computer files and data files containing personal information stolen). The class action was later dismissed, but the stolen computers and the information on them have yet to be recovered.
Other requirements (such as items iv, vi and vii) require a much more complex set of administrative and technical decisions. Comments to the Interagency Guidelines indicate that the decision of whether and how to implement each of these steps must be determined by each institution based on its particular circumstances: “While a financial institution that offers Internet based transaction accounts may conclude that encryption is appropriate, a different institution that processes all data internally… may consider other kinds of access restrictions.”16

The second basic set of regulations is the Safeguards Rule, which applies to credit card companies, credit reporting agencies, merchants who extend credit and other institutions under FTC supervision. The Safeguards Rule requires these institutions to adopt a comprehensive written information security program17 to meet GLB 501(b). Requirements of this program include:
i. designating an employee to coordinate the program;
ii. identifying and assessing internal and external risks to the security, integrity and confidentiality of customer information in the following areas of operations:
  a. employee training/management;
  b. security of information systems;
  c. detection, prevention and response to attacks, intrusions or system failures;
iii. designing, implementing, monitoring and evaluating information safeguards on an ongoing basis, including regular testing;
iv. overseeing service providers by retaining those that apply appropriate safeguards to customer information (and which agree by contract to maintain such safeguards); and
v. evaluating and adjusting the information security program in light of the testing and monitoring required by point iii above, and in light of changes to the institution’s systems and business arrangements.
Although the wording of these requirements differs somewhat from the Interagency Guidelines and NCUA Guidelines, the FTC has commented that any entity that complies with those guidelines will be deemed to satisfy the Safeguards Rule.18 Like the Interagency and NCUA Guidelines, the Safeguards Rule suggests that institutions must adopt these measures in a manner that best suits their particular circumstances, a flexibility which is enhanced by the fact that the FTC, unlike the bank, thrift, or credit union regulators, does not conduct regular assessments or reviews of institutions.19

16 66 Federal Register 8621.
17 16 CFR 314.3(a), published at 67 Federal Register 36486.
18 67 Federal Register 36486.
19 67 Federal Register 36489, at n. 61.

The third basic set of regulations includes the draft Interagency Guidance and NCUA Guidance. When finalized, the Interagency Guidance will apply to the same entities as the Interagency Guidelines (primarily banks and thrifts) and the NCUA Guidance will apply to the same entities as the NCUA Guidelines (credit unions). The current drafts of both regulations would require institutions to develop a written incident response and customer notification program with the following elements:
i. assessment of the incident, including which systems have been accessed or misused;
ii. notifying regulatory and law enforcement authorities under Suspicious Activity Report (SAR) regulations and agency bulletins;
iii. containing and controlling the incident; and
iv. taking corrective measures such as flagging and securing affected accounts and notifying and assisting customers in protecting their accounts.

Some of these requirements involve basic information security incident response measures. When a hacker broke into the Republic Bank of Florida’s computer network and accessed 3,600 accounts in April of 2002, for example, the bank hired computer security consultants, reviewed the affected files, and asked clients to change passwords and email addresses. A lot could have occurred between the security breach and the Bank’s response, however, because the breach in security was discovered only after the hacker emailed the bank.20

The federal government is not the only entity which has passed a customer notification law. California enacted a state statute in 2003 that requires similar notification steps to be taken with persons whose private information is compromised.21 This law was passed in part due to the Tri-West incident and the fact that hackers had broken into the state of California’s payroll database and gained access to personal, financial information of the state’s 265,000 employees.22

Responsibility for compliance rests with different entities under each set of regulations.
For example, Sections III.A of the Interagency and NCUA Guidelines place primary responsibility to “oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management” on the institution’s Board of Directors.23 Because the draft Interagency Guidance and NCUA Guidance supplement the Interagency Guidelines and NCUA Guidelines respectively, responsibility for compliance also rests with the Board. The Safeguards Rule applies a more flexible approach which simply requires the institution to designate an employee to oversee the program. FTC comments to the Safeguards Rule indicate that this approach was adopted because not all of the entities regulated by the FTC have a Board of Directors.24

As a practical matter, of course, officers and managers will bear the brunt of shaping and implementing the measures required by these regulations. A likely scenario would involve an institution’s Board of Directors requesting that the CFO, CEO or CIO of an institution put together a proposal for the information security program, and present it to the Board. The Board (after fulfilling its responsibility to review the program) would likely approve the program, after which one or more officers would then delegate implementation and day-to-day monitoring of the program to one or more managers. These managers would then be in charge of ensuring that all of the measures are implemented, the program updated and employees trained before reporting back up to the Directors in time to include a status report in the institution’s regular compliance review process.
20 “Hacker 'Infiltrates' 3,600 Online Accounts of Customers at Republic Bank in Florida,” 78 Banking Report, No. 17 at 739-740 (April 29, 2002).
21 California Civil Code Section 1798.82.
22 Falvey, LaFlamme & Oaks, “Disclosure Of Security Breaches Required By New California Privacy Legislation” (available at www.findlaw.com).
23 See, e.g., the Guidelines as adopted by the Office of the Comptroller of the Currency, at 12 CFR I, Appendix B to Part 30.
24 67 Federal Register 36488-89.
Weaving the Strands Together: Intertwining Administrative, Technical, and Physical Safeguards
As noted earlier, the easiest way to analyze the compliance measures is to break them down into their three major categories: administrative, technical, and physical. The figure below illustrates how each of the compliance steps noted above can be grouped into these categories. Note that some compliance steps fit into more than one category.
Interagency Guidelines and NCUA Guidelines
Administrative (adoption of a policy, procedure or process):
• access controls on customer information systems
• procedures to ensure that system modifications are consistent with security program
• dual control procedures/background checks/segregation of duties
• monitoring systems & procedures to detect attacks and intrusions
• adopting response programs for actual or suspected intrusion
Technical (implementation of software, hardware or other technologies):
• access controls on customer information systems
• encrypting electronic customer information
• procedures to ensure that system modifications are consistent with security program
• monitoring systems and procedures to detect attacks and intrusions
• protecting customer information from destruction or loss due to physical & environmental hazards including technical failure
Physical (changes or measures affecting the physical plant):
• access restrictions on physical locations
• protecting customer information from destruction or loss due to physical & environmental hazards including technical failure

Safeguards Rule
Administrative:
• designating an employee to coordinate the program
• identifying and assessing internal and external risks
• designing, implementing, monitoring and evaluating information safeguards on an ongoing basis, including testing
• overseeing service providers
• evaluating and adjusting the information security program
Technical:
• identifying and assessing internal and external risks
• designing, implementing and evaluating information safeguards on an ongoing basis, including testing
• evaluating and adjusting the information security program
Physical:
• no specific measure, but changes to physical plant may be required to implement administrative and physical measures (e.g. locking network operations center)

Draft Interagency Guidance and NCUA Guidance
Administrative:
• assessment of the incident
• notifying regulatory and law enforcement authorities
• taking corrective measures such as flagging and securing affected accounts and notifying and assisting customers
Technical:
• assessment of the incident
• taking corrective measures such as flagging and securing affected accounts and notifying and assisting customers
Physical:
• no specific measure, but changes to physical plant may be required to implement administrative and physical measures (e.g. locking network operations center)
It is important to note that not all of these categories or all of the compliance steps are equally complex, nor are they given equal weight by the regulators. The physical steps are likely the easiest, and may involve little more than locking doors or storing files in areas not subject to water damage. Furthermore, guidance issued to federal examiners under the Interagency Guidelines seems to focus on technical and administrative measures. For example, these guidelines mention “network and host intrusion detection systems” as one of only two specific technologies to be highlighted in the document (the other is encryption). Similarly, FTC comments to the Safeguards Rule stress the need to examine network and software design and to detect attacks, intrusions, and other system failures. In fact, the FTC added these items to the final Safeguards Rule even though they were not included in the draft rule.25 The FTC had good reason to add these items to the Safeguards Rule. On several occasions, it has sanctioned merchants and others whose security was breached and who made erroneous statements about their online security in their privacy policies.26
Conclusion: Knitting the Threads Together Into a Comprehensive Compliance Approach
Installation of technical solutions, however, is not sufficient without the adoption of complementary administrative measures. Institutions are required to continually evaluate their security status27 and (under the Interagency and NCUA Guidelines) be prepared to report on that status to examiners. A May 31, 2001 letter from the Federal Reserve advises federal examiners to review the information security status of financial institutions as part of regular examinations. Institutions are also required to produce records and audit trails demonstrating compliance. A set of agency Examination Procedures (a checklist for examiners) under the Interagency Guidelines specifically advised examiners to review “network traffic monitoring, manual reviews of logs and other information available to assess management’s monitoring process.” Given that most federal examiners are not IT professionals, simple and reliable audit trails and reports may be more important than technically detailed logs.

In short, institutions must implement technologies, practices, and other safeguards to protect customer financial information, and they must implement the appropriate controls and reporting strategies to allow them to demonstrate that these safeguards are in place, regularly reviewed, and working as expected. In the same way that a sweater cannot hold together unless all of the threads are connected, institutions cannot create a comprehensive GLBA compliance program without pulling together technical solutions, administrative best practices and policies, assessment and review processes and top-level corporate decision-making into a seamless program of configuration audit and control.

Because the regulatory and legislative landscape is always changing, new threats are always emerging, and institutions are constantly adopting new ways of doing business, a static compliance approach is not enough. Today’s best firewall will eventually become tomorrow’s most expensive paperweight, but if an institution (with buy-in from all levels of management and its Board) incorporates information security and integrity into the institution’s day-to-day business decision-making processes through a program of configuration audit and control, its security posture will have the flexibility needed to meet compliance burdens today, tomorrow, and beyond.
25 See commentary at 67 Federal Register 36489.
26 See, e.g., “Guess Settles FTC Security Charges; Third FTC Case Targets False Claims about Information Security” (June 18, 2003) (available at http://www.ftc.gov/opa/2003/06/guess.htm); “Federal Trade Commission, Microsoft Settles FTC Charges Alleging False Security and Privacy Promises” (Aug. 8, 2002) (available at http://www.ftc.gov/opa/2002/08/microsoft.htm).
27 Section III.E of the Interagency Guidelines and NCUA Guidelines requires institutions to “Adjust the Program,” i.e., monitor, evaluate & adjust the program in light of changes in technology, new threats and the institution’s business arrangements. Similar requirements exist in section 314.4(e) of the Safeguards Rule.
To help them create and maintain the necessary configuration audit and control processes, institutions and the Directors, officers and managers responsible for compliance must consider which parts of the process can be handled internally and which parts must be outsourced. Certain aspects of the compliance process can often be handled internally, especially physical security and access measures such as securing paper files and locking doors. The more complicated portions of the configuration audit and control program typically involve technical and administrative measures. Although technical measures are often accomplished with assistance from vendors, the administrative measures sometimes end up being assigned to consultants who do not integrate their administrative solutions with the institution’s technical measures, or being handled internally by persons who may (or may not) have experience developing best practices and policies.

Adoption of an ongoing process of configuration audit and control, as noted above, requires integration of all parts of the compliance process. Institutions may be best served by working with vendors that combine robust technical solutions which produce easily tailored and readable audit trails with complementary best practices resources to help institutions and their Boards meet the administrative and technical challenges of GLBA compliance. With such assistance, institutions can worry less about the number of loose threads in their compliance program, and more about the business of making money.
Biography—Daniel J. Langin
Daniel J. Langin, Attorney at Law, LLC
www.langinlaw.com

Dan Langin is an attorney with 16 years of experience in trial and corporate practice. For the last 10 years, he has focused primarily on technology and business law, representing information technology companies and insurance companies that cover technology risks. Past and present clients include Tripwire, Inc., Symantec Corporation, Ingenix, Inc., CNA Insurance Company, Recourse Technologies, Inc., Skillpath Seminars, Inc. and Quanta Holdings. Dan’s past legal experience includes positions as General Counsel of two technology companies (GeoAccess and INSUREtrust), and as global IT Law Manager for the technology insurance groups of USF&G and St. Paul Insurance Companies. He began his work in technology law in 1993 as Claims Counsel for Media/Professional Insurance, where he handled several early Internet claims. Before that, Dan spent four years as a trial lawyer at the law firm of Smith, Gill, Fisher and Butts (now known as Bryan, Cave).

Dan has spoken on issues of technology law and policy in the U.S., Canada, Europe and Israel, and has participated in the Aspen Institute’s Internet Policy Project, PLUS, and the BESTS roundtable on electronic commerce in Europe. He is a former editorial board member of the Cyberspace Lawyer, and has published articles for the Defense Counsel Journal, Intellectual Property Counselor, Practising Law Institute, the American Bar Association, and others. He recently co-authored a chapter of the book IT Security: Risking the Corporation (Prentice Hall PTR 2003) by Linda McCarthy of Symantec. He has been quoted in publications including USA Today, CIO, Computerworld, Boardwatch and the Boston Business Journal. A 1988 graduate of the University of Iowa College of Law (where he was an editor of the Iowa Law Review), and a 1984 graduate (Magna Cum Laude) of Creighton University, Dan served as judicial clerk to Justice Linda K. Neuman of the Iowa Supreme Court from 1988 to 1989.
www.tripwire.com
326 SW Broadway, 3rd Floor Portland, OR 97205 USA
US TOLL FREE: 1.800.TRIPWIRE MAIN: 503.276.7500 FAX: 503.223.0182
TRIPWIRE UK: +44 207 618 6512 FAX: +44 207 618 8001 78 Cannon Street London EC4N 6NQ UK
www.tripwire.com/europe