Safeguarding financial data is not an easy task under any circumstances. Whether a corporate financial services organization with different customer bases shares the same on-premises infrastructure, or the firm chooses a third-party cloud-hosted infrastructure and service, how does an organization ensure that its data isn’t inadvertently or maliciously passed from one organization to another, or doesn’t simply vanish into the ether?
The Financial Services Modernization Act of 1999, more commonly referred to by its principal sponsors’ names as the Gramm-Leach-Bliley Act (GLBA), was written to repeal the Great Depression-era Glass-Steagall laws that restricted financial firms to providing only one type of financial service, whether commercial banking, investment banking, brokerage, insurance or another line of business. GLBA’s passage enabled financial firms to offer a wider range of financial services under one corporate umbrella, and it included a few forward-looking provisions as well. Seeing that firms and organizations were completing the transition to digital record-keeping at the same time that the internet was developing into an important commercial medium and marketplace, the proponents of GLBA foresaw the need to ensure that consumer information maintained as digital data would be given the strongest security possible against both accidental and criminal abuses.
Today few people are unaware that cyber-criminals see financial services firms as among the choicest targets in cyberspace simply because, as Willie Sutton put it, “that’s where the money is.” Data breaches can be ruinous to organizations, to personal fortunes and, at the very least, to the privacy of clients’ personal information. In 2010 a private investment firm called MF Global lost billions of investor dollars overnight in a mishap that led to a congressional investigation and left everyone wondering what had happened and where the money had gone.
Such threats, whether accidental or malicious, are precisely what the authors of GLBA sought to protect against. To that end, stiff GLBA penalties for failing to protect customer accounts and personal information mean that even if a serious data breach doesn’t take your firm down, the government might. GLBA wants organizational responsibility for cyber security to be taken so seriously that it has included personal monetary penalties and jail time for executives under whose aegis data breaches occur.
GLBA conveniently breaks down responsibility for data integrity and security into three general definitions that leave the implementation to current best practices, so that the safeguards keep pace and remain effective even as the threats themselves continue to evolve over time. The Financial Privacy Rule and the Pretexting Protection provisions require policies for employee handling of customer data, focused on protecting that data and preventing access not authorized by the customer. The Safeguards Rule requires that risk assessments be performed on the technology that collects, stores and processes customer information, and that the resulting safeguards be updated and maintained in an effective state.
These GLBA requirements are mandatory. They apply to:
- Commercial and investment banks;
- Insurance companies;
- Credit unions;
- Credit card companies and organizations that issue their own credit cards;
- Investment funds;
- Mortgage brokers;
- Credit reporting agencies;
- Check-cashing businesses;
- Payday lenders;
- Non-bank lenders;
- Real estate companies;
- Tax services; and
- Any organization that exchanges customer data with any of the above.
GLBA security obligations for digital and internet infrastructure quickly become formidable for organizations of any size, let alone for those needing to coordinate workflow, data processing and customer interactions among multiple, far-flung sites. Many on-premises IT departments have found themselves struggling to keep up with constantly emerging security threats, quite apart from the ever-evolving demands of online commerce itself. Many have decided to move some portion of their IT burden to cloud-hosting experts.
Fortunately, by leveraging managed services that offer GLBA compliance, IT departments in financial services firms can pass the GLBA burden on to managed services experts. For instance, at Adobe, our product Adobe Experience Manager Managed Services, a digital experience management solution, is compliant and provides those protections as part of its cloud-hosting support. It can also relieve a firm’s IT department from having to divert resources to hiring or training personnel for a burden they may never be able to keep up with, and one that might well be far more economical to subscribe to instead.
Adobe Experience Manager Managed Services is a fully integrated package of best-of-class digital marketing products and managed services combined. In addition to web content management, Adobe offers other highly rated Managed Services including business process management and web conferencing.
While at Adobe, I’ve particularly enjoyed assisting financial firms to confidently find their footing in this seemingly ever new and challenging digital realm. This is what we do at Adobe — provide cloud and enterprise solutions for broad sectors of the economy. If you’re concerned about GLBA and how to meet compliance, we’d be happy to talk to you.
Also, I encourage you to check out this video from a presentation we did at Finovate Fall 2015. It’s focused on the benefit Adobe Marketing Cloud brings to financial services companies by transforming account enrollment and onboarding into streamlined, engaging and integrated experiences across channels.