GLBSR – INFORMATION, DATA AND PRIVACY
In light of prevalent and ever-increasing security threats to databases and networks that often result in identity theft and other crimes, the state and federal governments, in addition to e-commerce and trade industry groups, have put into place a quilt of protective laws, regulations and standards to battle the modern day outlaws. In furtherance of our ongoing program of corporate responsibility and compliance with these laws, regulations and standards, we hereby institute this Gramm Leach Bliley Safeguards Rule Information, Data and Privacy Security Policy. Failure to achieve and maintain compliance may not only result in very serious legal consequences, but also in terrible harm to innocents. It is in this context that we implement the following Information, Data and Privacy Security Policy.
We have to contend with a number of laws, regulations and standards comprehending: marketing communications, children’s privacy, financial privacy, credit reporting and personal privacy. Many agencies play a role with regard to these laws. The FTC is the major enforcer in this arena.
American and European privacy and information security laws, and this policy, rest on respect for an individual’s (or a legal entity’s) right to expect that personally identifiable information (that which can be used to harm the owner by identity theft or otherwise) which has been conveyed to another (such as our company) will remain secure and private from unauthorized, malicious outlaws or even those who would be given to discriminate against the owner. Under the Gramm-Leach Bliley Act our company must honor this right and may not disclose the information entrusted to our care to any third party UNLESS the owner, after notice, expressly agrees to allow us to share the information.
Employees shall take note of the following applicable laws under which we have corporate accountability.
- The Fair Credit Reporting Act (FCRA) and its amendment The Fair and Accurate Credit Transactions Act or 2003 regulates any company that uses or collects “consumer reports.” Consumer reports contain credit reports, information regarding character, reputation, and mode of living and insurance eligibility. Since we “collect and/or use” credit reports, we are subject to this law. Under FCRA we must maintain accurate, reasonably current and complete third party data for substantive decision making by others in need of the information. The party who the information identifies has a right to be notified when the information we have is used to make a negative decision about him; the information must only be used properly. Violations are enforced by the FTC, the State Attorney General, as well as by civil suit. Non-compliance with this law can result in criminal and civil penalties in the amount of actual damages plus statutory damages of at least $1,000.00 per violation and at least $2,500.00 for willful violations. All users, such as our company, of consumer information, must have a “permissible purpose” under The FRCA to obtain a consumer report. We must certify to the Consumer Reporting Agency that we are requesting the information for one of the following permissible purposes:
- Court Order;
- At Consumer’s Request;
- Credit Application;
- Employment Applications – with consent;
- Insurance Applications;
- Legitimate Business Needs;
- Account Reviews;
- Licensure Requirements;
- Investigation of Investors;
- State and Local Government Agents For Child Support Issues;
- Creditors and Insurers may obtain consumer reports for the purpose of making prescreened unsolicited offers of credit or insurance.
- The Gramm Leach Bliley Act (GLBA) addresses privacy breaches in the form of information sales between financial institutions to telemarketing firms. GLBA provides privacy and data/information security by empowering the FTC, federal banking regulators and state insurance regulators to make, enforce and adjudicate rules with both civil and criminal remedies for non-compliance. A great variety of business types must be GLBA compliant; for example: mortgage companies, insurance providers, securities firms, debt settlement firms, payment settlement firms, credit counselors and even check cashing services. In other words, any company significantly engaged in financial activities is a financial institution under GLBA and must be compliant. Therefore, our company must remain compliant. GLBA specifically covers non-public personal information (NPI). This is defined by that which is provided by the consumer to a financial institution, results from a transaction or service or is obtained by some other method by the financial institution. GLBA requires us to safeguard the NPI, which means that we must securely store NPI; notify consumers about our policies regarding information sharing; give consumers an opportunity to opt out of sharing their NPI; refrain from disclosing NPI to non-affiliated third party marketers other than a CRA (Consumer Reporting Agency); and comply with all regulatory standards established by governing authorities which protect the security and confidentiality of NPI and protect against security threats and unauthorized access to or certain uses of records or information. GLBA requires us to have a security plan in place to protect NPI. This is known as the GLB Safeguards Rule (GLBSR) of 2003. The GLBSR applies to paper and electronic records. Under the GLBSR we are required to develop and implement a comprehensive Information Security Program. This program must contain “administrative (e.g. personnel), technical (e.g. encryption/access control/software) and physical (e.g. infrastructure/disaster recovery/environment)” safeguards to protect the confidentiality, security and integrity of NPI. Our Safeguard Program must not only protect the security and integrity of the NPI in our care, but it must also anticipate threats to same. Under this program we are required to: designate an employee to coordinate the safeguards; continually identify and assess risks; continually test our safeguards; diligently evaluate service providers who may have access to our NPI; evaluate and adjust the program dynamically in accord with changes in our business or practices.
3. Florida Statute 817.5681 – Breach of Security Concerning Confidential Personal Information in Third-Party Possession; Administrative Penalties requires us to protect NPI as well. NPI is defined by state law as an individual’s name in combination with any one or more of her social security number, driver license number, financial account numbers, credit card numbers with security codes or passwords, debit card numbers with security codes or passwords or any combination of the above numbers or information which would afford an unauthorized person access to the owner’s private information. Should a breach of our GLBSR program occur, we are obligated to notify the subjects who are reasonably believed to have had their NPI compromised within 45 days of our ascertainment of said breach. A breach is defined as the unauthorized access to unencrypted NPI. The notification is subject to postponement for: law enforcement’s investigation, or to any measures necessary to determine the presence, nature and scope of the breach and restore integrity to the system.
Administration of this GLBSR Program will be a team effort involving top management, Information Security and Privacy Law Counsel, IT personnel, Accounting and the program administrator (The Team). Under this, our GLBSR Program, we hereby appoint Charles J. Bonfiglio as our Chief Privacy and Information Officer (CPIO). The CPIO shall be responsible administering and coordinating the actions necessary for the implementation of the GLBSR Program. He will arrange for continuing maintenance, security updates and communication between IT personnel, the database manager, contractors and legal compliance counsel and daily program compliance by personnel. We also obligate ourselves to the selection of appropriate and trustworthy contractors and personnel.
The CPIO, with the assistance of The Team, shall perform an annual self-audit of network security, potential threats, necessary updates and equipment reliability. The annual information security and privacy audit shall inquire specifically as to:
- Is the database secure? This inquiry looks at whether the daily database backup is/are securely stored in a device to which access is restricted. Additionally, the account lockout protocol should be updated annually. Users who attempt to log in and get the password wrong three times should be locked out until they communicate with the CPIO. If they do not communicate with the CPIO that they were trying to log in, an event may be in progress and an investigation by the team should be initiated. Default passwords shall be avoided. Oscanner is a software device commonly used by hackers to learn default passwords. In this vein, many retail software programs contain easily accessible default passwords, which must be changed. The audit personnel, knowing that passwords by themselves are not sufficient to protect systems and the information stored on them should look for two-factor authentication such as RSA, SecureID, Identix, Biometric authentication or digital certificates. These force users to not only have their password, but also to produce a second form of authentication. Finally, real security testing should be implemented. This can be done by loading a laptop with appropriate software, which will only be on the network during security testing like a fire alarm. Our IT personnel will be responsible for setting up such a machine and ensuring that backup storage is encrypted.
- Is the network physically secure? The physical security should be tested without employee awareness of the test. Are computers being left on? Are doors being left unlocked? Are passwords taped to keyboards? Can we gain access to machines by posing as IT contractors, telephone repair or maintenance/janitorial personnel? Who has access to alarm codes? Can equipment such as laptops be stolen – one laptop machine stolen at Boeing resulted in over 160,000 identities being stolen. Traveling personnel should be required to lock up laptops in hotel room safes or locking luggage. All laptops should have PC LoJack installed on it. Does the auditor observe unattended machines? Once an unauthorized person has access to an unattended machine he can use a flash drive to load the “Logmein.com” software with his account information to establish an inside-out connection. A breach like this could be disastrous for our company and should be thoroughly tested.
- Remote Access? “Logmein” and “GoToMyPC” allow access to firewall protected machines. Once a hacker loads this software on a machine inside the network by the method mentioned in “B” above, it can be accessed from outside the network by a hacker. The software literally allows remote control of an internal machine from the outside. By using this software, hackers can pass through firewalls. The question here is whether use of remote access is strictly limited to selectively authorized personnel. So this area must be thoroughly tested.
- Observe and Test Employees and Contractors. Many security breaches have occurred as inside jobs at companies like Bank of America, Commerce Bank and Wachovia. To prevent this from happening it is essential for us to constantly test, audit and update our monitoring of employee and contractor access and use of our network and information database. Internal controls should be examined. Employee and contractor activity should be observed. Unusual activity should be scrutinized. An outside agency should be retained to ascertain vulnerability to insider breaches or negligence. Ask whether Blackberries and PDAs are password protected. Ascertain that only business devices are used and only for business purposes.
Physical Security & Technical Security
Pursuant to this program, we hereby commit our company to maintain continuing updates through our IT personnel, legal counsel and contract service personnel. Toward these ends, it shall be our duty to continually identify and assess risks to our clients’ information entrusted to our care. We will monitor risks and test our system in light of ongoing risk. We will continue to keep pace and deploy emerging encryption, firewall, anti-virus, anti-spyware technologies and software. We are committed to the maintenance of a closed network perimeter. Passwords will be continually changed every thirty days and shall contain random combinations of numbers and letters. Passwords shall not be stored nor left in writing where they can be found by potentially unscrupulous individuals. Wireless elements shall not, until further notice, be a part of our network.
Any transmission of data will be encrypted. We use data encryption/decryption and signature techniques to ensure that the data is understood only by the intended recipients and that the senders of information are genuine. We also use, as mentioned herein, accounts, passwords and access control. Each employee/user must have a digital identity that has been set up by the IT personnel. Same shall be updated by password changes and personnel records as required herein.
Only authorized personnel shall be allowed access to our computers. Doors shall be locked at all times the computers are unattended. Any computer and/or computer equipment, which can be shut off during non-use, shall be shut off. We shall maintain an appropriate and secure collocation site for our database to maintain data/information integrity and security. We shall maintain an appropriate security system directly linked to local law enforcement and emergency personnel in furtherance of protecting our physical perimeter.
We are aware that former employees may represent potential threats to our clients’ information and our network security. Therefore, we will automatically freeze all accounts and access available to an employee immediately prior to notification of termination is communicated to the employee. Employees will sign non-disclosure agreements as part of the hiring process. Prior to hiring we shall conduct full background checks of personnel in furtherance of assurance of the quality and trustworthiness of our employees as well as giving us a capability of contacting employees subsequent to their departure.
Information security and privacy protection is of paramount import to our clients and our company. A breach could devastate a client, several clients and our company. However, implementation of the foregoing program will go a long way toward securing the administrative, technological and physical aspects of our network as well as our company’s future. Upon approval by corporate authorities, this program should be provided, on a need to know basis, only to the corporate officers appointed CPIO. The CPIO shall then assemble The Team, which should be brought together for an initial meeting. The Team should keep this program on-hand in a secure location.
Communications between Team members shall be confidential and compartmentalized from the rest of the organization. The CPIO should write a letter to the entire organization introducing herself in her new role and expressing in general terms that her role has been created as part of a program securing the company’s information assets and the clients’ privacy interests. Personnel should also be advised that any person in our organization who observes a breach or even a potential breach should notify the CPIO notified immediately.
We expressly acknowledge the value of our information assets and our clients’ privacy interests as well as the laws and regulations, which are in place to protect them. In compliance under these laws and regulations we have developed, and hereby implement, the aforementioned GLBSR Program. Any questions or concerns shall be directed initially to Charles J. Bonfiglio CPIO and then to The Team if necessary.