Security Compliance Associates (SCA) recently released a whitepaper titled “Are you GLBA Compliant: An examination of GLBA and Certification Requirements.” It discussed the requirements under the Gramm-Leach-Bliley Act (GLBA) and the ALTA Best Practices, and concluded that certification to the Best Practices does not necessarily mean a business is compliant with federal and state legal requirements.
“If you are having your business practices evaluated, it is important that you ask not only for ALTA Best Practices certification, but also for an analysis regarding whether you are specifically in compliance with all applicable statutory laws,” the paper stated.
The third pillar of the ALTA Best Practices pertains to the protection of consumers’ personal, private information. Title and settlement companies are instructed to adopt and maintain a written privacy and information security program to protect non-public personal information (NPI) as required by law. According to the paper, the primary concern is that companies could have policies in place conforming to the Pillar 3 recommendations and still not be fully compliant with the law.
“If you have been certified under Pillar 3, you are not necessarily following federal guidelines,” SCA Chief Information Officer Matthew Froning said in the paper. “Whether you are compliant with federal law is not always clear from a review of your policies and procedures. The analysis needs to go much more in depth. It is highly recommended that you have an independent third party looking at your overall security posture and ensuring your written policies and procedures match your operating environment.”
Under GLBA, financial institutions are required to provide adequate protection and privacy for consumer information. The Federal Trade Commission (FTC) is charged with enforcing the law. When implementing GLBA, the FTC promulgated the Safeguards Rule, which requires a written data security plan appropriate to the company’s size and complexity, and the Privacy of Consumer Financial Information Rule.
“In executing its plan, a company is required to have specific employees in charge of coordinating the information security program,” the paper stated. “Any risk to consumer information must be identified by the company and the plan should be evaluated for effectiveness. If circumstances change, the program must be evaluated and adjusted accordingly.”
The paper goes on to say the FTC requires companies to ensure consumer information is protected in all areas of operation – specifically, employee training and management, information systems, and the detection and management of breaches and system failures.
The Privacy Rule focuses more on the purposeful sharing of consumer information. The rule requires financial institutions to provide their customers and some other consumers with a written notice describing their privacy policy and procedures. The notice must be “clear and conspicuous.”
“ALTA has removed the requirement of encryption of data at rest from (its) assessment checklist; however, GLBA requires the safeguarding of NPI, and encryption is a key security component,” Froning said. “If you rely on only the ALTA assessment guidelines, you could be missing key components of the GLBA because it (Best Practices) is not all encompassing of the federal requirements.”