Financial markets and the financial services industry in general operate on some of the most sophisticated technology currently available. Technology has allowed greater transparency, lower costs, increased client access and greater efficiencies; however, with greater use of technology comes the possibility of its misuse. With the advent of the internet, information, both public and private, can be quickly collected and disseminated; information, especially accurate consumer information, is a highly prized commodity for producers as well as consumers.
July marks a decade since the SEC required financial institutions to comply with Regulation S-P, section 504 of the Gramm-Leach-Bliley Act (“GLB”). The past decade also demonstrates marked growth in identity theft and theft of other personal information stored electronically by companies, corporations and government and educational institutions that provide products and services to clientele and the general public. Theft of client and consumer information damages not only the reputation of those consumers whose information is misused but also the reputation of those entities that have the responsibility and obligation to protect their clients’ personal information. Identity theft is one of the fastest growing crimes in North America, Europe and Asia and one of the most difficult to prosecute.
The portion of GLB that covers privacy utilizes three key concepts: the Financial Privacy Rule, the Safeguards Rule and Pretexting Protection. Each of these concepts is outlined as follows and codified at 15 U.S.C. §§ 6801-6809 and 15 U.S.C. §§ 6821-6827:
- The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company currently protects, and plans to continue protecting, clients’ personal information. The Safeguards Rule applies to the information of any past or present client of the financial institution’s products or services. This plan must include:
  - The appointment of an employee or employees to manage safeguards
  - The implementation of a risk management process applied to each department handling personal information
  - The development, monitoring and testing of programs to secure personal information
  - The updating of safeguards as needed as the ways information is collected, stored and used change
- Pretexting is the act of attempting to gain access to personal information without the proper authority to do so. The most common forms of pretexting are impersonation of clients and phishing, in which unsuspecting consumers provide personal information to bogus websites or email addresses. In the United States, pretexting is punishable as the common law crime of False Pretenses, and under GLB financial institutions must create and implement safeguards to protect against pretexting activities.