The Gramm-Leach-Bliley Act, commonly known as GLBA, contains provisions that require organizations such as financial institutions (banks, online trading entities) to protect confidential consumer information. Unfortunately, like much of the legislation that issues from the halls of Congress, it can be quite vague, allowing the organizations subject to it to implement its requirements as they see fit. Just look at HIPAA: more than a decade later, it is still regarded as a large, all-encompassing, and bureaucratic law whose requirements are still being defined.
GLBA has gained some clarity in the past few years, thanks in part to the rise of the SAS 70 auditing standard along with the advent of the Sarbanes-Oxley Act of 2002. In short, SAS 70 audits are compliance audits conducted on organizations (known simply as “service organizations”) to ensure they have a strong system of internal controls. Financial institutions that sell and offer services to consumers that are “financial” in nature must be in compliance with the GLBA provisions.
One of the best ways to test for GLBA compliance is to have a SAS 70 Type II audit conducted on the financial organization that is offering financial products or services to the consumer. To learn more about GLBA and SAS 70, read about the Privacy Rule of GLBA and SAS 70 and about the Safeguards Rule of GLBA and SAS 70.