BLOG - GLBA ENFORCEMENT

The government's approach to GLBA enforcement places the burden of maintaining current, adequate information security documentation (as well as a technically effective security posture for the business) on the business owner, and gives the FTC wide latitude in deciding whether you, the business owner, have met its due diligence standard for mitigating security risk.  This is a critical fact to remember, and we strongly believe you should research these topics further in order to be well informed about your responsibilities.  (You likely don't want to be at the mercy of a government auditor who has just found a large data breach within your program that caused damages to many clients.)

Contrary to some opinions that have been expressed, the government framework described above demands much more than answering a few key questions from a bulleted list in a blog post.  Instead it demands the development of an active, well-managed security program, similar in concept to the IRS system of forms, regulations, policies, procedures, etc.

Example:  A data security plan starts with a risk assessment that values the data to be protected (the FTC Safeguards Rule requires such an assessment).  For a financial institution, protecting clients' sensitive data is critically important, because the effects of a loss can be catastrophic.  The plan must then address several categories of well-known risks, so plan to invest a significant amount of time in developing your program.

The government is starting to show a propensity for stronger GLBA enforcement against non-compliant businesses.  The 50 or so companies penalized so far for data breaches are just the beginning of this journey.  Once the majority of businesses are compliant in having a security program, the government will no doubt enforce stronger security standards for as long as security threats continue to increase.  Bottom line: going forward, security requirements will only increase, never decrease.

What do you do?  Do you want a government audit to find you liable because your security program was grossly deficient, deficient enough to warrant stiff financial penalties?

In summary, legal interpretations are litigated between attorneys, but if you have designed and implemented a security program using the same standards the government applies to itself, you are better positioned to withstand scrutiny from any government auditor should a data breach occur within your business and the FTC initiate an audit.  In short, PROTECT YOUR BUSINESS!  PROTECT YOUR CLIENTS!