GLBA (Gramm-Leach-Bliley Act) requires financial institutions doing business in the US to establish appropriate standards for protecting the security and confidentiality of customers’ non-public personal information. The objectives are to:
The Federal Financial Institutions Examination Council (FFIEC) states the following:
“Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.” Financial institutions that do not deploy encryption may be called upon by the FFIEC to prove that they considered deploying encryption and to justify why they decided against it.
GLBA requires protection and recommends protection for the following fields:
If the information above is encrypted, the following fields do not require protection because this data is considered anonymized:
GLBA requires public notification of breaches. However, the loss of adequately encrypted data is not generally considered a breach, and is exempt from notification requirements.