By Danielle Sheer, VP and General Counsel, Carbonite; and Alan Guichard, Northeastern University School of Law
In this month’s edition of “Compliance in the Cloud” we take a look at the Gramm–Leach–Bliley Act and the downstream compliance requirements on cloud service providers. The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, focused on reforming the financial services industry, in part by removing regulations that prevented the merger of banks, stock brokerage companies and insurance companies. As a result of permitting these types of mergers, however, financial institutions have access to an incredible amount of personal information.
Prior to the GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merge, all personal information could be kept under a singular institution. The GLBA, therefore, included three requirements to protect the personal data of individuals:
· First, banks, brokerage companies, and insurance companies must securely store personal financial information.
· Second, they must advise you of their policies on sharing of personal financial information.
· Third, they must give consumers the option to opt-out of some sharing of personal financial information.
The requirement to securely store personal financial information has downstream implications for cloud service providers (and their partners) that are looking to meet the specific cloud backup and storage needs of those institutions regulated by the GLBA.
In Section 501(b) of the GLBA, Congress requires financial institutions to establish appropriate “administrative, technical, and physical safeguards” for protecting the security and confidentiality of their customers' “non-public personal information”. Non-public personal information is personally identifiable financial information provided by a consumer to a financial institution − or in other words, your name, social security number, account information, account balance, payment history, credit card information, social security number, income, credit score, and even addresses and other contact information.
Sound familiar? It should. Last month we discussed the Top Tips on Navigating HIPAA Revisions and highlighted the similar “administrative, technical, and physical safeguards” required by HIPAA. And similar to HIPAA, GLBA contains Privacy Rules and Safeguard Rules that require financial institutions to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information.
When selecting a cloud service provider for a client in the financial services industry, partners should look for companies that implement a variety of administrative, physical, and technical safeguards to protect against unauthorized access and disclosure of customer data. A SOC 2 or similar report is a good indication that a given service provider has appropriate safeguards in place. In addition, cloud backup providers that encrypt all information using 128-bit Blowfish encryption, utilize Secure Socket Layer (SSL) technology to transfer data and ensure that customer data remains encrypted while stored on data center servers, provide added security and integrity. For an additional layer of security, financial institutions should also consider a solution which provides the option to self-manage encryption keys, so even the cloud service provider cannot access, decrypt, or produce readable data. These are just a few of the features and issues partners should consider when selecting the right cloud service provider for clients in the financial services industry.
The standards for protection of personal information in our digital world are continuously evolving. With an ever-increasing amount of competition in the cloud services industry, it is incumbent on us in the industry to take responsibility for how compliance in the cloud continues to mature. Do you have any comments on the above? If so, please share your thoughts below in the comments section.