GLBA Compliance: Keeping Personal Financial Data Secure

Fast-Moving Environment

The task of safeguarding personal and financial information is magnified by the enormous volume and variety of financial transactions. Tens of millions of individuals make multiple transactions daily, dealing with hundreds of thousands of firms and entities, from major global enterprises to online merchants and mom-and-pop stores.

These financial transactions have to be fast and convenient, while still providing robust and reliable security for personal and financial data.

Financial transactions also involve a wide range of software and storage systems. All of them must be developed and tested using realistic data, but without exposing actual personal or account information. Systems must then be maintained, patched, upgraded, and otherwise worked on throughout their life. Operational tasks may be performed by contract personnel, or even offshore service providers. Each of these activities can put production data in front of individuals who have not been vetted to see it.

It all adds up to an enormous flow of highly sensitive personal and financial information, which makes for a very demanding security and regulatory environment.


Overview

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is one of the principal frameworks for regulation of the financial industry in the United States. GLBA was enacted by Congress to increase the flexibility of financial institutions by removing barriers between banking, securities, and insurance businesses; for example, it allows an insurance company to affiliate with a bank and offer banking services such as checking accounts.

The GLBA also sets standards for the management and protection of customers' personal and financial information. In particular, Section 501(b) requires every financial institution to maintain administrative, technical, and physical safeguards that protect this data against "any anticipated threats or hazards" to its security or integrity, and against unauthorized access that could cause substantial harm to a customer.

Financial firms must also comply with industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual requirement imposed by the card brands rather than a law, and it applies to any entity that stores, processes, or transmits cardholder data, not only to card issuers.

Personal financial data and records are extremely sensitive, for fairly obvious reasons. This data is a primary target of criminals, since credit card or bank account information in the wrong hands can make theft as easy as using an ATM.

Firms that handle financial information may find themselves under strong pressure to make good customers' losses even if not required to do so by law. Failure to do so may cause consumers to lose confidence in the firm. Indeed, careless handling of customer accounts may alienate customers even if no losses are involved.

Mistakes in handling financial data are also a fast road to serious legal complications. A criminal investigation can destroy a firm's reputation even if no wrongdoing is ultimately found. Fortunately, effective security tools such as Data Masking are available to protect sensitive customer information.


Protecting Personal and Financial Data using Data Masking

Here is a real-life story. A community savings bank wants to extend its range of services, including issuing credit and debit cards for its customers. This will require installing enterprise software packages that the community bank's IT department cannot fully test with its own limited resources, so testing must be handed to an outside vendor. Yet the community bank must remain in compliance with multiple requirements:

The GLBA, Section 501, requires that financial institutions "protect against any anticipated threats or hazards to the security" of customers' personal and financial information.

In addition, PCI DSS specifies a requirement (numbered 6.3.4 in the version the bank was working from; it has been renumbered in later versions of the standard) that "production data are not used for testing or development."

The community bank responds by adopting a Data Masking solution. Sensitive personal and financial data (names, account numbers, card numbers) is automatically replaced with artificial substitute data before records are allowed through the security firewall for application testing by the outside vendor. Two properties matter for this to work. First, the substitution must be irreversible from the vendor's side: the vendor never receives the key or lookup table that produced the masked values, so a breach of the test environment exposes nothing real. Second, the substitute values must keep the format and internal consistency of the originals (same field lengths, card numbers that still pass their check digit, the same customer mapping to the same substitute in every table) so that the applications can be thoroughly tested against realistic data while the confidentiality of the real information is preserved.

A related technique protects data on the way out to customers. Receipts and statements show only a truncated card or account number (typically the last four digits), which PCI DSS also requires wherever a card number is displayed. Customers can then dispose of the documents safely, with confidence that they do not expose full account information. The community bank achieves compliance, and its customers enjoy peace of mind.
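The following is an added example, not code from this page or from GRT Corporation, of what the masking step for the community bank's test extract and the truncation step for statements might look like. It assumes a secret masking key that stays inside production, record fields named as shown, and constructed sample records (the card number used is a well-known test number, not a live card). Masking is keyed and deterministic, so the same customer maps to the same substitute in every table and joins still work in test, but without the key the vendor cannot recover the originals.

```python
"""Deterministic data masking for customer records before they leave production.

Added example; not the page's or GRT Corporation's code. Assumptions: a secret
masking key held only in production, the field names used below, and
constructed sample data.
"""
import hashlib
import hmac
import re

# Secret held only in production; the test environment never sees it, so
# masked values cannot be reversed there. Value constructed for this example.
MASKING_KEY = b"rotate-me-and-keep-out-of-the-test-environment"


def _keyed_digest(value: str, purpose: str) -> bytes:
    """HMAC-SHA256 over the field value, domain-separated by field name."""
    return hmac.new(MASKING_KEY, f"{purpose}:{value}".encode(), hashlib.sha256).digest()


def _digits_from_digest(digest: bytes, n: int) -> str:
    """Turn a digest into exactly n decimal digits (deterministic, format preserving)."""
    return str(int.from_bytes(digest, "big")).zfill(n)[-n:]


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that lacks its final check digit."""
    total = 0
    # Walk right to left; the rightmost digit of `partial` sits next to the
    # check-digit position and is therefore the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the card number passes the Luhn check."""
    return luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str) -> str:
    """Replace a card number with a synthetic, Luhn-valid one of the same length.

    Keeps the first six digits (issuer BIN) so routing logic can still be tested,
    replaces everything else with keyed-hash digits, then recomputes the check digit.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    body_len = len(digits) - 6 - 1
    body = _digits_from_digest(_keyed_digest(digits, "pan"), body_len)
    partial = digits[:6] + body
    return partial + luhn_check_digit(partial)


def mask_account(account: str) -> str:
    """Same-length synthetic account number, identical for identical input."""
    digits = re.sub(r"\D", "", account)
    return _digits_from_digest(_keyed_digest(digits, "account"), len(digits))


def mask_name(name: str) -> str:
    """Consistent pseudonym: 'Customer-' plus a short keyed-hash tag."""
    tag = _keyed_digest(name.strip().lower(), "name").hex()[:8]
    return f"Customer-{tag}"


def truncate_for_display(pan: str) -> str:
    """What a receipt or statement shows: only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict) -> dict:
    """Mask the sensitive fields of one customer record; copy the rest unchanged."""
    masked = dict(record)
    masked["name"] = mask_name(record["name"])
    masked["account_number"] = mask_account(record["account_number"])
    masked["card_pan"] = mask_pan(record["card_pan"])
    return masked


# Constructed sample records. The repeated customer shows that masking is
# consistent across rows, which is what keeps joins working in test.
SAMPLE_RECORDS = [
    {"customer_id": 1, "name": "Jane Doe", "account_number": "00123456789",
     "card_pan": "4111 1111 1111 1111", "balance": 2500.00},
    {"customer_id": 2, "name": "John Roe", "account_number": "00987654321",
     "card_pan": "4111111111111111", "balance": 10.00},
    {"customer_id": 1, "name": "jane doe", "account_number": "00123456789",
     "card_pan": "4111-1111-1111-1111", "balance": 2500.00},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(mask_record(r))
    print(truncate_for_display(SAMPLE_RECORDS[0]["card_pan"]))
```

Two design notes. Keeping the real BIN is a convenience for testing card routing, and because the remaining digits are hash-derived there is a small chance a generated number coincides with a live card; a bank that cannot accept that would substitute a test-only BIN instead. Keyed hashing rather than a plain hash is what makes the masking safe to hand over: without `MASKING_KEY` the vendor cannot confirm a guessed account number by hashing it, which a plain SHA-256 of an 11-digit account number would allow.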


Proactive Approach to Security

We at GRT Corporation believe that financial data security begins with watchfulness and thinking ahead. We focus on a holistic, proactive approach to security and GLBA compliance, designed to safeguard data whether it is "at rest" in storage or "in motion" across networks and into test and vendor environments. We recognize that sensitive financial data is at risk not only from deliberate attack but from inadvertent exposure in the course of daily business operations.


Contact us to ease your compliance burden now