Two recent federal interagency guidance releases affect how financial institutions are required to comply with section 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the Interagency Guidelines Establishing Information Security Standards (12 CFR 364, Appendix B). Details of the regulatory guidance, and the Gladiator Technology Services, Inc. policy enhancements that support an appropriate response to this guidance, are included below.
Regulatory Guidance for: FDIC FIL-7-2005 – Proper Disposal of Consumer Information under the Fair and Accurate Credit Transactions Act of 2003 – Final guidelines to implement section 216 of the FACT Act require financial institutions to develop, implement and maintain, as part of their existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports in order to address the risks associated with identity theft. Section 501(b) of the GLBA originally included specifications for the proper disposal of customer information. This guidance requires expanding the definition of disposal to include consumer information. Financial institutions have until July 1, 2005 to incorporate these changes into their information security policies and procedures.
Gladiator Technology Services policy/procedure enhancements for compliance with FDIC FIL-7-2005: The Information Security Program content now includes language that defines customer and consumer information and specifies requirements for proper disposal. Responsibilities for the designated Information Security Officer also include overseeing and ensuring the proper disposal of this type of information by the institution and by third-party service providers operating on behalf of the institution.
Regulatory Guidance for: FDIC FIL-27-2005 – Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice – This interpretive guidance, issued under the authority of section 501(b) of the GLBA, states that financial institutions should develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider. The appropriate elements of a financial institution's response program should include customer notification procedures. This guidance is effective immediately.
Gladiator Technology Services policy/procedure enhancements for compliance with FDIC FIL-27-2005: The Incident Response Procedures Addendum to the Network/Internet Systems and Security Manual and the Information Security Program has been modified to include specific procedures for contacting regulators and customers in the event of a breach of information security. The enhancements include a checklist for following the notification standards outlined in the guidance. The reference to the Incident Response Procedures in the Information Security Program has also been expanded.