GLBA Compliance Checklist: Rate Your Organization’s Readiness

August 8, 2022

The Gramm-Leach-Bliley Act (GLBA) of 1999 forever changed the way financial institutions do business. But even after more than two decades, there’s still confusion about what exactly constitutes GLBA compliance. Most organizations realize they must protect their data—but to what extent? They know they need robust security solutions in place—but what kinds? And how should financial institutions react when a data breach does occur?

To answer questions like these, we’ve prepared a simple GLBA compliance checklist. As a reminder, there are three portions of GLBA that financial institutions must adhere to:

  1. The Privacy Rule, which regulates the collection and use of nonpublic personal information (NPI).
  2. The Safeguards Rule, which requires financial institutions to implement a security program to protect NPI.
  3. Pretexting provisions, which prohibit access to NPI under false pretenses.

Rather than burden your IT team with a long list of complex tasks, we’ll focus on three imperatives that we believe will put any organization in a good position for its next GLBA audit.

1. Encrypt your data

Every reputable financial institution is aware of the need to encrypt its data. Your organization has probably already put robust encryption tools in place. But are you sure your data is really encrypted?

For example, perhaps your data is shared on a peer-to-peer network. It won’t travel through a central server, so there is one less place for it to be intercepted. But that doesn’t mean the data is encrypted during transit: on an unencrypted peer-to-peer link, anyone on the path between the two peers can still read it.

Or perhaps you’re sending data over a virtual private network (VPN). A VPN limits access to a select group of users and encrypts traffic between its endpoints, but only between its endpoints: the data is in the clear on the hosts at either end and on any network beyond the tunnel. Without encryption of the data itself, anyone who breaches the VPN or compromises a host inside it can read what users are sending.

One of the biggest mistakes financial institutions make is to assume that because data is encrypted at rest on a device, all of their data is safe. On the contrary, you must put controls in place that ensure data is encrypted in transit, too, and verify that those controls are actually in effect rather than assuming it. This matters for the Safeguards Rule in particular, which requires customer information to be encrypted both at rest and in transit over external networks.

2. Implement a disaster recovery plan

We’re not suggesting that financial institutions simply sit back and accept the fact that hackers will breach their network defenses at some point. But in order to adhere to the Safeguards Rule, we do advise that they build a disaster recovery plan with the full intention of using it someday.

Encrypting files in transit is a good start. But what if attackers breach your defenses and compromise your servers? You won’t be able to trust any of the files on those servers, and you may not be able to reach them at all, because ransomware operators typically encrypt or lock them before you notice.

That’s why you need an encryption solution that also keeps an independent, encrypted backup of your files. When your servers are compromised, you can access your most important files on your encryption provider’s servers while your IT team deals with the aftermath of the attack, and the business continues with minimal interruption. Two conditions make this work in practice: the backup copies must not be reachable with the credentials an attacker would hold after compromising your own environment, and restores must be tested before you need them.

3. Strive for business resiliency

No GLBA compliance checklist would be complete without mentioning business resiliency. When it comes to the Safeguards Rule, many financial institutions have come to rely on cloud partners as they build their networks and establish their data centers. But as reliable as these cloud partners are, they’re not perfect. They do have outages. What happens then?

By working with an encryption partner that backs up your files and runs on a different cloud network, you can ensure your business users will be able to keep processes moving even in the event of a major network outage. As long as your employees can log onto your encryption partner’s site, they’ll be able to communicate and get work done until you resolve your outage. And—unlike the secondary data centers of the past that offered a fraction of the processing power you needed—today’s cloud encryption partners can scale to meet your business demand.

More Thoughts for Your GLBA Compliance Checklist

Wondering where to find an encryption solution that ensures your most sensitive data is protected? Cocoon Data fits the bill.

Cocoon Data goes beyond yesterday’s PKI technology to give you an unprecedented level of protection. It decentralizes encryption key management and generates a unique key for every file regardless of where the file exists across the digital landscape. This approach puts encryption keys and policy management in the hands of the data owner, where it belongs.

In addition:

  • Cocoon Data dynamically creates a watermark on each file each time it is viewed. Once enabled, the Content Viewer generates a unique detailed identity profile for every single collaborator who views the sensitive document. This feature enables you to maintain a full audit trail of who has done what with each document.
  • With geofencing, an object owner can lock files anywhere they exist through a managed encryption key service. Users only get the keys if they are inside the “fence,” which may be an office address, region, or country.
  • Each object is encrypted with its own unique AES 256-bit key. At any time, the administrator can log in and “kill the key” to any file; access is cut off immediately, even for a viewer who already has the file open, without that viewer needing to refresh the browser.
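As an added illustration of the per-object key and “kill the key” model described in the bullets above (written for this page; it is not Cocoon Data’s code and makes no claim about how their product is built), here is envelope encryption in Go using only the standard library: each object gets a fresh AES-256-GCM data-encryption key, that key is wrapped under a key-encryption key the data owner holds, and the object ID is bound as associated data so a wrapped key cannot be transplanted onto another object. The type and function names, the sample object ID and the sample body are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type EncryptedObject struct {
	WrappedDEK []byte // DEK sealed under the KEK; nil once the key is killed
	Ciphertext []byte // object body sealed under the DEK (AES-256-GCM)
}

var ErrKeyRevoked = errors.New("object key has been revoked")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce||ciphertext||tag; aad (the object ID) ties the output
// to one object so a wrapped key or body cannot be moved to another object.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptObject seals the body under a fresh DEK and wraps that DEK under the KEK; no plaintext DEK is retained.
func EncryptObject(kek []byte, objectID string, plaintext []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32) // fresh AES-256 key for this object only
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject unwraps the DEK with the KEK, then opens the body with the DEK.
func DecryptObject(kek []byte, objectID string, obj *EncryptedObject) ([]byte, error) {
	if obj.WrappedDEK == nil {
		return nil, ErrKeyRevoked
	}
	dek, err := openGCM(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(objectID))
}

// KillKey revokes the object: with the wrapped DEK gone and no plaintext DEK stored, the ciphertext is unrecoverable even to a holder of the KEK.
func KillKey(obj *EncryptedObject) {
	obj.WrappedDEK = nil
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const id = "loan-application-0042.pdf" // constructed sample object ID
	obj, err := EncryptObject(kek, id, []byte("constructed sample record standing in for NPI"))
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptObject(kek, id, obj)
	fmt.Printf("before kill: %q\n", pt)
	KillKey(obj)
	_, err = DecryptObject(kek, id, obj)
	fmt.Println("after kill:", err)
}
```

Run it with go run; the second DecryptObject call fails with ErrKeyRevoked. Two caveats a practitioner should keep in view: killing the key makes the stored ciphertext unrecoverable, but it cannot claw back plaintext a viewer already saved locally, and the KEK now needs the protection the data once did (an HSM or KMS, access logging, rotation). Rotating the KEK only requires rewrapping each small DEK, not re-encrypting every object body, which is the main operational reason to use envelope encryption rather than one key for everything.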

Let’s discuss the most important items on your GLBA compliance checklist—and figure out how Cocoon Data can help you meet your security objectives. Contact us to schedule a consultation.
