The Federal Trade Commission (FTC), which is responsible for enforcing the privacy rule concerning consumer financial information, explains the Gramm-Leach-Bliley Act (GLBA) as follows:
"The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a 'financial institution' may disclose a consumer's 'nonpublic personal information' to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain 'financial activities.' Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to 'opt-out' if they don't want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information."
According to the FTC:
"There are two ways that the Privacy Rule might cover you. First, if you are a 'financial institution,' you are covered. [You have] obligations if you collect 'nonpublic personal information' from your 'customers' or 'consumers' and define these terms. Second, if you receive 'nonpublic personal information' from a financial institution with which you are not affiliated, you may be limited in your use of that information."
As part of the privacy protection process, GLBA includes the Interagency Guidelines Establishing Standards for Safeguarding Customer Information issued by the Federal Financial Institutions Examination Council (FFIEC). These guidelines state that all financial institutions are required to:
"Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs."
To comply with the law, all financial institutions are required to perform penetration tests as part of their overall information security program. Penetration testing, IT audits and risk assessments available through Sikich are designed and delivered to meet the expectations of examiners and provide valuable information to your financial institution and IT department.