GLBA

Introduction

About the Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal law requiring financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.

What You Don’t Know CAN Hurt You

Under GLBA, penalties for non-compliance can include fines of up to $100,000 per violation, with fines for officers and directors of up to $10,000 per violation. And if that wasn’t enough, the provisions include criminal penalties of up to five years in prison, and the revocation of licenses.

But I’m Not a Bank. Does GLBA Apply to My Business?

Under GLBA, a “financial institution” is defined as any business, regardless of size, that is “significantly engaged” in providing financial products or services.

Now that may sound like a bank, but it also includes many business types that you normally wouldn’t think of as “financial institutions.”

These include mortgage brokers, real estate appraisers, tax preparers, and even auto dealers that extend credit to their customers.1

How does SmartVault Support You In Complying with GLBA?

In addition to requiring financial institutions to develop and maintain safeguards around their data, GLBA makes covered companies responsible for ensuring that their service providers apply the same safeguards to customer information in their care.

As your trusted document management provider, SmartVault provides industry standard security measures such as encryption, authentication, access controls, and auditing to support your GLBA requirements.

By working within this rigid set of technical and process controls, we believe you can incorporate SmartVault into a GLBA compliant solution.

GLBA requires financial institutions in the United States to create an information security program to:

• Insure the security and confidentiality of customer information;
• Protect against any anticipated threats or hazards to the security or integrity of such information; and
• Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

As part of this security program, the Safeguards Rule requires companies to assess and address risks to customer information in their care, including three specific aspects of information security:

• Employee Management and Training;
• Information Systems; and
• Detecting and Managing System Failures.

GLBA Requires: Board-level oversight of information security
SmartVault Responds: Protecting your information and the information of your customers is something we take very seriously, at the highest level of SmartVault. Our Board of Directors has chartered our information security program and is actively engaged with our leadership to ensure that SmartVault takes every reasonable precaution to safeguard its users’ data.

GLBA Requires: Comprehensive written Information Security Program
SmartVault Responds: SmartVault’s information security program is clearly documented, with supporting policies and procedures for all aspects of safeguarding your information, and it is reviewed on an annual basis to ensure it still meets the needs of the changing business landscape.

GLBA Requires: Risk Assessment and Remediation
SmartVault Responds: On an annual basis, we at SmartVault evaluate not only our own internal processes and controls, but also those of our data center providers.

GLBA Requires: Administrative Safeguards
SmartVault Responds: As part of the administrative safeguards in place at SmartVault, each and every employee has clearly defined roles and responsibilities for protecting our customers’ data. We provide training on information security to all new hires, and on an annual basis to all employees and contractors.
We also have clearly documented processes and procedures for every aspect of our services and ensure that our staff understand and operate by those procedures.

GLBA Requires: Technical Safeguards
SmartVault Responds:
• Industry-standard SSL encryption for documents in transit, protecting your documents, passwords and interactions with SmartVault from eavesdropping
• Granular access: the ability to grant access to specific folders
• Activity Logs: a complete audit history of who accessed and/or modified documents stored in SmartVault
• Document access via authenticated login: files are only accessible to users of the service (no anonymous sharing of files)

GLBA Requires: Physical Safeguards
SmartVault Responds: Physical access to the SmartVault offices, as well as to our data centers, is strictly controlled. Only those employees and contractors with a demonstrated need are permitted access, and that access is controlled through a series of technical controls such as badge readers on the doors, biometric locks on the data center, and physically keyed or combination locks on cabinets and safes.

GLBA Requires: An ongoing process to determine whether the Security Program is effective
SmartVault Responds: At SmartVault, we are constantly seeking to improve our services, and security is no exception. We continuously gather and analyze new information regarding threats and vulnerabilities, adjusting our security controls to ensure their effectiveness in the face of these changes. We also update our security strategy and our administrative, technical and physical safeguards to ensure we are providing our customers with the most comprehensive protection that we can.

In Summary

Keep in mind that GLBA compliance is a financial institution obligation, not a technical specification. So when we say that SmartVault supports a GLBA compliant workflow, what we mean is that our service gives you the tools that financial institutions need in order to work in a GLBA-compliant fashion.

While we are not a GLBA compliance consulting firm, we are happy to assist you in getting pointed in the right direction. Feel free to contact us at security@smartvault.com for more insight.

About SmartVault

SmartVault adds value to your financial services workflow by giving you the ability to store all of your files securely online, access documents when you need them, and safely share files with the right people. It’s easy for you to use with features specifically designed for financial service companies to automate workflow and meet compliance mandates.

Our customers can store all of their business documents online and securely share those files with the right people. And with our growing ecosystem of integrated applications, our customers can access and manage their documents from many popular business applications, over the web, or from their mobile device or tablet.

Footnotes

  1. Financial Institutions and Customer Information: Complying with the Safeguards Rule