Copyright Goodheart-Willcox Co., Inc. Chapter 2 Information Security Fundamentals 61

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) ensures that financial businesses are protecting your private data. It was enacted in 1999 and is also known as the Financial Services Modernization Act of 1999. This act applies to companies of all sizes that provide financial services and products. Financial services can include loans, insurance, and financial and investment advice. Any business that provides these services, such as a bank, is subject to its provisions. It also covers other businesses such as a retail store if the company offers financing or credit cards, check-cashing companies, tax-preparation services, and even real estate appraisers.

To implement the GLBA, the Federal Trade Commission (FTC), shown in Figure 2-19, issued the Safeguards Rule. To comply with the Safeguards Rule, businesses must develop, implement, and maintain a comprehensive information security program. This program needs to contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the organization. Companies must anticipate likely threats and hazards that could affect the security and integrity of the data. This includes not only potential security threats to IT systems, but also the employees who have access to customer information. It also includes potential system failures.

The other key provision of the GLBA is the Financial Privacy Rule. This regulates the collection and disclosure of a consumer's nonpublic personal information (NPI). Under this rule, businesses must provide customers with written notice describing their privacy policies and practices. Consumers should be given the opportunity to opt out of the sharing of some of their personal financial information.

A third protection under this act is pretexting protection. Pretexting, in which someone attempts to obtain customer information under false pretenses, may be carried out through phishing e-mail, phony telephone calls, or direct mail. Companies must train their employees and implement practices to reduce the success of a pretexting attempt.

There are some criticisms of this act. Some privacy advocates believe too great a burden is placed on the individual consumer to protect his or her data. These advocates believe consumers should have the right to opt in and decide for themselves what data, if any, can be shared. Also, there are no standards for the notices required by the GLBA. This can confuse consumers, especially when the notices rely on confusing legal terminology.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) requires companies to retain electronic records for a minimum of five years and prevents company executives from hiding or destroying them. In the early 2000s, a few large corporations, including Enron and WorldCom, engaged in deceptive and fraudulent financial and accounting practices. When these issues were discovered, some of the companies closed. This cost investors, stockholders, and employees millions of dollars, retirement pensions, and jobs. Sarbanes-Oxley was named after its two sponsors in Congress: Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. It became law in 2002. Enforcement of this law is done through the Securities and Exchange Commission (SEC).

Mark Van Scyoc/Shutterstock.com
Figure 2-19. The Federal Trade Commission (FTC) issued the Safeguards Rule to implement the Gramm-Leach-Bliley Act.