GLBA Privacy Rule
Protecting the privacy of consumer information held by “financial institutions” and by the third-party vendors and service providers that provide “support services” to those institutions is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institution’s information-sharing practices. In turn, consumers have the right to limit some – but not all – sharing of their information.
The GLB Act applies to “financial institutions” and to the third-party vendors and service providers that support them: companies that offer or support financial products or services to individuals, such as loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, or state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities, which can include DATA CENTERS.
The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.
Consumers and Customers
A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains, or has obtained, a financial product or service from a financial institution for personal, family, or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.
Thus, in short, data centers may very well be called upon to become GLBA compliant via an audit or assessment process. My advice: find a competent SAS 70 auditor who can help incorporate GLBA tests into a SAS 70 engagement, or find a competent GLBA auditor.