GLBA ENFORCEMENT
The government's approach to GLBA enforcement places the burden of possessing current, adequate information security documentation, as well as an effective Information Security (INFOSEC) program, on the business owner, and allows the FTC flexibility in determining whether you, the business owner, have met due diligence standards or not. This is a critical fact to remember, and we strongly believe you should research these topics further in order to be well informed regarding your responsibilities. (You likely don't want to be at the mercy of a government auditor who was recently notified of a large data breach found within your business operations, causing damage to many clients.)
Contrary to some opinions expressed, the government framework mentioned above demands much more than answering a few key questions posted on a bulleted list within a blog, or filling out meaningless paperwork. Instead it demands participation in, and development of, an active, well-managed security program, similar in concept to the IRS system of forms, regulations, policies, procedures, etc.
Example: A data security plan is first developed based upon a value assessment of the data to be protected. For a financial institution, protecting clients' sensitive data is critically important, due to the potentially catastrophic effects of losses. Next, there are several categories of well-known risks to be addressed within a data security plan, so plan to invest a significant amount of time in developing your program.
The government is starting to demonstrate a propensity for greater enforcement of GLBA against non-compliant businesses. The 50 or so companies penalized for data breaches are just the beginning of this journey. Once the majority of businesses are compliant in having a security program, the government will no doubt enforce stronger security standards for as long as security threats continue to increase. Bottom line... going forward, security requirements will only increase, not decrease.
What do you do? Do you want to be found liable in a government audit, where your security program was found to be deficient enough to warrant stiff financial penalties?
In summary, legal interpretations are litigated between attorneys, but if you have designed and implemented a security program using the same standards the government applies to itself, you are better positioned to withstand scrutiny from any government auditor, should a data breach occur within your business or a compliance audit be initiated. In short, protect your business, protect your clients.
We're here to help!
Protect your business, protect your clients.
2020 ©. DataSecurityPlan.Com. All Rights Reserved.