The Gramm-Leach-Bliley Act (G-L-B) versus Best Practices in Network Security

Published: 05 Jun, 2001
Created by Thomas Hinkel

The G-L-B Act, signed into law by President Clinton on November 12, 1999, is a sweeping piece of legislation affecting all financial institutions in areas from fair treatment of women by financial advisors to the rescission of Glass-Steagall.[1] But the section that is getting the most attention is Title V, section 502, entitled 'Obligations with respect to disclosures of personal information.' Most everyone has received a notice from their bank, brokerage firm, or insurance company explaining its position on privacy as it relates to their personal information. I would advise you to read it carefully. The law provides that larger financial institutions allow for an 'opt-out' provision to be made available. If you do not opt out using one of the prescribed methods, they can use your private information in any way they see fit. Financial institutions are scrambling to implement the specific provisions of section 502 by July 1, 2001, but in my opinion they are missing the mark. The focus of this paper is on a lesser-known but potentially more problematic section: Title V, section 501, 'Protection of nonpublic personal information'. This section mandates that financial institutions implement 'administrative, technical, and physical safeguards' for customer records and information.