Corporations are under gun to protect financial information and consumers are watching!Just a few weeks ago, one of world’s largest banks announced that it had lost computer data containing personal information of an estimated 1.2 million federal employees, including some members of U.S. Senate. The missing information includes Social Security numbers and account data for government employees who use bank’s charge cards for travel and expenses. In aftermath of these revelations, ability of banks and other financial institutions to safeguard our personal information has been called into question by consumers and government alike. Predictably, we are beginning to hear rumblings of additional legislation, but there have been laws protecting consumer financial information on books for years – laws such as Gramm-Leach-Bliley Act (GLBA).
The effect of this legislation and consumer awareness hits squarely on issue of email security. Customers receive their bank statements via email; bank officers pass countless sensitive email messages back and forth to one another; financial spreadsheets are included in email communication on a regular basis. This reliance on email is bringing information privacy and security into spotlight.
With international attention now focused on privacy and information security, executives are scrambling to ensure that their enterprises are not only compliant with law, but that they also convey a sense of security to consumers who ultimately vote with their pocketbooks. As an email security company, our interest is in understanding how these issues affect an organization’s email system.
The Gramm-Leach-Bliley Act was signed by former President Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions (including banks, brokerage firms, insurance companies and tax preparation firms), as well as all of their business partners and contractors, to protect private financial information that passes through their enterprises.
GLBA Requirements GLBA requires financial institutions and their partners to make various information security best practices part of everyday operations. This includes:
- Ensuring that email messages containing confidential information are kept secure when transmitted over an unprotected link
- Ensuring that email systems and users are properly authenticated so that confidential information does not get into wrong hands
- Protecting email servers and network drives where confidential information may be stored
Even without government regulations defining acceptable communication behavior, financial institutions are faced with need to protect confidential data and keep their networks operational and secure. The consequences of a failure to perform in any of these areas could have devastating effects on business itself – potentially causing existing and potential customers to lose faith in company’s ability to protect their identities and financial information. If that doesn’t strike fear into your heart, GLBA provides for imprisonment of company officers and steep monetary fines for non-compliance. Components of GLBA Compliance There are five general sections of “safeguards” rule contained in GLBA. They outline, at a very high level, what to implement to meet these requirements – not how to implement them. In fact, nowhere does safeguards rule mention specific technologies or products such as firewalls, encryption, and content filtering that must be in place in order to contribute to compliance. However, use of each of these technologies is necessary in order to properly secure email gateway against compliance violations. On same note, experience and time have shown that technology alone is not an information security catch-all.