GLBA compliance takes work, but it will more than pay off for your business in the long run.
Few things are more important to us than our finances, and few things are more private than information about our personal financial situation. The option to reveal or not reveal information about our financial health is a fundamental part of anyone’s right to privacy. Unfortunately, through accident or through malign intent, in today’s computerized and networked financial system, information about your finances is not safe.
Almost every day, somewhere in the United States, a news organization reports another chilling story about someone’s financial records, investments or accounts being compromised.
Last year, as a test, I was trying out one of the online file-sharing systems that many people use to download music. By searching for .xls files, I quickly and unintentionally located a spreadsheet with a private investor’s stock portfolio and other financial information — it was unprotected. I deleted the file and notified the owner, but this one case provides an example of the ways in which financial information can fall into the wrong hands.
The Gramm-Leach-Bliley Act (GLBA), passed by Congress in 1999, is an important step toward providing greater security and privacy for financial information. GLBA requires financial services companies to take steps to secure the confidentiality of customer information, to protect against anticipated hazards and threats to that information, and to protect against unauthorized access to or use of it. This law has teeth: compliance is mandatory, and companies that do not comply can be fined up to $1 million and face other penalties.
While GLBA is effective in some areas, there are still some gaping technological holes through which your financial information could escape your control. “Protecting sensitive information is a key requirement under the GLBA Data Protection rule,” says Paul Reymann, co-author of Section 501 of the GLBA and founder of Reymann Group Inc. “The convenient access to information coupled with ubiquitous communication tools such as peer-to-peer (P2P), instant messaging, and chat creates a constant challenge for financial institutions who must maintain a safe, sound, and secure infrastructure.”
In the past few months I’ve spent a lot of time meeting with financial information and security professionals. Whether it’s a one-on-one meeting or at an industry event I always ask: “Would you know if an employee accessed someone’s financial record, did a cut-and-paste of private information into a Web mail message or an instant message session, and sent this information outside your organization?”
Too often the answer is “no.” That’s the problem. While most financial organizations have implemented basic acceptable-use policies for handling employee and customer information, many are unaware that data can be leaked to unauthorized individuals via e-mail, instant messaging, Web mail, Internet posting sites, and chat rooms. Confidential financial data is also exposed through seemingly innocent P2P file-sharing applications on employee workstations. Without visibility into the content of Internet-based communications crossing their networks, organizations are dangerously exposed to both inadvertent and malicious disclosure of confidential information to unauthorized individuals.
The consequences are all bad. Individuals can suffer embarrassment, humiliation, even job loss. In today’s information-sharing world, your credit rating can be harmed by information that should never have been available in the first place. The financial organization can be exposed to lawsuits, and when the story comes out, to reputational damage that costs it customers and revenue.
So, financial organizations should carefully comply with the GLBA provisions. But just as important, these organizations should have some way of identifying and tracking inappropriate use of this information, both to stop it when it occurs and to identify and fix previously unrecognized areas of vulnerability. Organizations would be wise to put in place an electronic backstop, the online equivalent of a security camera, that can alert them to inappropriate use of financial information. A new generation of products that provide these capabilities goes far beyond the simple blockers or sniffers of the past.
This monitoring and analysis technology applies linguistic and statistical analysis to TCP/IP network traffic, including Internet, intranet, e-mail, IM, chat, P2P, FTP, telnet, and bulletin board postings. It identifies, isolates, stores, and reports any online activity pre-defined as inappropriate. At the same time, it discards any record of appropriate activity, so that employees can carry out legitimate work with anonymity and privacy. One caveat a practitioner should keep in mind: because such a product works by inspecting traffic as it passes over the network, it can only read content that is sent in the clear; data inside an encrypted session is opaque to it unless that session is terminated and inspected. By analyzing traffic that passes over a network, such products can identify a wide range of online activities that could indicate inappropriate transfer of financial information:
* Nonpublic personal information — transmission of unencrypted customer information such as account numbers, credit card numbers, social security numbers, account balances, payment history, credit information and other nonpublic personal information
* Hacker research — research on exploits, worms, methods and tools for hacking. (This precursor activity could indicate an impending security breach that could expose private customer financial information.)
* P2P file share — requests for files as well as actual file transfers using P2P applications. (Employees using P2P file-sharing at work can transfer private financial information deliberately or inadvertently.)
* IM, chat, and bulletin board postings — instant messaging, chat and bulletin board postings, regardless of content
* Successful attacks — indications that the system appears to be compromised, including backdoors, root activity, suspicious activity (FTP, SUID root and HTTP response) and keyboard logging output
* Web mail — Web-based e-mail such as hotmail.com or yahoo.com accounts, regardless of content
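The first category above, nonpublic personal information sent in the clear, is the one most amenable to automated content inspection. The following Python is an added illustration of that idea and is not code from this article or from Vericept: it scans constructed sample message bodies (no real customer data) for card numbers, social security numbers and account numbers, validates card candidates with the Luhn checksum so that random digit runs are not flagged, masks every hit before it is stored, and keeps no record of messages that contain nothing sensitive. The regular expressions, the “acct/account” keyword convention and the message channels are assumptions chosen for the example.

```python
"""Content-inspection example: flag outbound messages that carry nonpublic
personal information (NPI) in the clear.

Added example, not code from the page or from Vericept. The sample
messages below are constructed for the demonstration and contain no real
customer data; the regexes and keywords are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# 13-19 digit runs, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in 3-2-4 form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# An account number only counts when an "account" keyword precedes the digits
# (assumed convention; a real deployment would use the institution's own formats).
ACCOUNT_RE = re.compile(
    r"(?i)\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{8,12})\b"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "card", "ssn" or "account"
    value: str   # masked form of the match, so the report itself does not leak NPI


def mask(value: str) -> str:
    """Keep only the last four digits of a matched number."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_npi(text: str) -> list[Finding]:
    """Return every NPI match in one message body, masked."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):           # drop ticket IDs and other non-card digit runs
            findings.append(Finding("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group())))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(Finding("account", mask(m.group(1))))
    return findings


# Constructed sample traffic: (channel, message body). Not real data.
SAMPLE_MESSAGES = [
    ("alice -> webmail", "Lunch at noon? The Q3 deck is on the shared drive."),
    ("bob -> IM", "customer card 4111 1111 1111 1111 exp 12/27, SSN 123-45-6789, please process refund"),
    ("carol -> p2p", "acct no: 0012345678 balance 4,210.55 - posting to forum"),
    ("dave -> webmail", "ticket 4111 1111 1111 1112 is not a card number, just an ID"),
]


def scan(messages):
    """Return (channel, findings) only for messages that carry NPI.

    Clean traffic produces no record at all, mirroring the policy of
    discarding appropriate activity rather than logging everyone.
    """
    report = []
    for channel, body in messages:
        found = find_npi(body)
        if found:
            report.append((channel, found))
    return report


if __name__ == "__main__":
    for channel, found in scan(SAMPLE_MESSAGES):
        print(channel, [(f.kind, f.value) for f in found])
```

Run stand-alone, the script reports only Bob’s IM (a Luhn-valid card number plus an SSN) and Carol’s P2P posting (an account number); Alice’s lunch note and Dave’s ticket ID, which fails the Luhn check, leave no trace. Pattern matching of this kind is only as good as its patterns: it will miss account formats it does not know and, as noted above, sees nothing inside encrypted sessions.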
Financial organizations need next-generation monitoring and reporting technology to identify the weak spots in their security armor and to support their efforts to comply with GLBA. With the information they gain through such technology they can take steps to plug the leaks, improve their information security and, in a short time, create an environment that protects privacy and helps conformance with the provisions of the Gramm-Leach-Bliley Act. That’s a return worth more than money.
Lucie Trepanier is senior product manager for Vericept Corporation.