The Gramm-Leach-Bliley Act (Financial Privacy Legislation) of 2001 applies to consumer information/transactions and does not apply to business, commercial or agricultural information/transactions. The federal law establishes appropriate standards for financial institutions relating to the administrative, technical and physical safeguards of customer records and information.
The standards' objectives are to:
– Ensure the security and confidentiality of customer information;
– Protect against any anticipated threats or hazards to the security or integrity of such information; and
– Protect against unauthorized access to or use of customer information that could either result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the institution.
Financial institutions are required to:
– Identify and assess the risks that may threaten customer information;
– Develop a written plan containing policies and procedures to manage and control these risks;
– Implement and test the plan; and
– Adjust the plan on a continuing basis to account for changes in technology, sensitivity of customer information and internal or external threats to information security.
Compliance was mandatory starting July 1, 2001, or by the date the bank opens for business if later.
As with all regulations, the involvement of the Board of Directors enhances compliance, and the Board will review reports and comments on a regular basis.
In response to this regulation, Union State Bank will adhere to the following, including but not limited to:
Union State Bank is to assess the risks involving the security of customer information:
– Identify reasonable, foreseeable, internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems.
– Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
– Assess the sufficiency of policies, procedures, customer information systems and other arrangements in place to control risks.
USB is to establish a program with procedures to manage and control risk involving the security of customer information:
– Design an information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the institution’s activities. The institution must consider whether the following security measures are appropriate and adopt those measures it concludes are appropriate:
• Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
• Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals.
• Encryption of electronic customer information while in transit or in storage on networks or systems to which unauthorized individuals may have access.
• Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program.
• Dual control procedures, segregation of duties and employee background checks for employees with responsibilities for or access to customer information.
• Monitoring systems and procedures to detect attempted attacks on or intrusions into customer information systems.
• Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
• Measures to protect against destruction, loss or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
– Train staff to implement the institution’s information security program.
– Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests are to be determined by the institution’s risk assessment results.
– Tests are to be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
– Oversee service provider arrangements:
• Exercise appropriate due diligence in selecting the institution’s service providers.
• Require the service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines.
• Where indicated by the institution’s risk assessment results, monitor the service providers to confirm that they have satisfied the obligations required above. As part of the monitoring, USB should review audits, summaries of test results or other equivalent evaluations of its service providers.
– Adjust the program:
• The institution shall monitor, evaluate and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the institution’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.