GLBA Compliance

Because Sutton’s Law Is Still True

Legend has it that a reporter once asked famed bad guy Willie Sutton why he robbed banks. Sutton frowned, as if he couldn’t believe the answer wasn’t obvious. 

“Because that’s where the money is,” he said. 

Sutton’s rationale was obvious to the authors of the Gramm-Leach-Bliley Act of 1999. The law seeks to hold financial institutions responsible for the nonpublic personal information entrusted to them. Penalties for improper disclosure of such information may range up to $100,000 for each violation.

GLBA: It’s more than just a privacy notice.

One of the outcomes of GLBA is that the working definition of a “financial institution” has been expanded to include:

  • ATM operators
  • Mortgage brokers
  • Automotive industry leaders
  • Non-bank lenders
  • Check-cashing businesses
  • Payday lenders
  • Courier services
  • Real estate appraisers
  • Credit reporting agencies
  • Retailers with branded credit cards
  • Debt collection firms
  • Tax preparers
  • Investment advisors
  • Title companies

Given that information technology is central to supporting the mission of each of these industry segments, GLBA has serious implications for IT providers, whether internal IT departments or third parties.

The law requires institutions to establish and enforce meaningful standards to safeguard client personal information. Specifically, the Safeguards Rule requires them to develop a written security plan that describes how the company protects its clients’ nonpublic personal information. The rule applies to both current and former customers, regardless of which particular product or service the customer purchased.

Under the plan, a covered institution must:

  • Designate at least one employee to manage the safeguards.
  • Conduct a thorough risk analysis of each department that handles the nonpublic information.
  • Develop, monitor, and test a comprehensive security program.
  • Protect against any reasonably anticipated threats to the security of such data.
  • Protect against unauthorized access to such data that would result in substantial harm or inconvenience to any customer.
  • Develop, enforce, and monitor a comprehensive change management program, and demonstrate that the program can adapt to changes in the information technology industry and in the threat landscape inherent in it.

SLPowers can get you there.

SLPowers has more than 30 years of experience delivering secure, dependable, and well-documented computing environments to our clients, so that their organizations can thrive. We’ve been working with GLBA-covered clients since the bill became law in the fall of 1999, and we routinely satisfy all six of the above requirements. (Well, technically we can’t appoint someone from your staff to manage the safeguards. But we can work closely with the employees you do appoint, educating them on how to remain fully compliant going forward.)

Our exclusive CTM technology framework is especially effective in supporting regulated clients. And we bring a second set of eyes to the table: compliance experts from our partner company, True Digital Security, will join us in evaluating the current state of your environment and mapping out a remediation plan to assure safe passage through the regulatory process.

Two companies. Two teams of compliance experts. One outcome: regulatory peace of mind.

Contact us today to find out more.