GLBA and SOX - morgan-hanrahan/Tech-Journal GitHub Wiki

History and Background

GLBA

  • 1999 (the Gramm-Leach-Bliley Act)
  • Background/Intentions: Repealed parts of the Glass-Steagall provisions of the Banking Act of 1933, allowing banks, securities firms and insurers to affiliate; the privacy and data-safeguard provisions were added to address the customer data those combined institutions would now hold

SOX

  • 2002 (the Sarbanes-Oxley Act)
  • Background/Intentions: A reaction to the Enron and WorldCom accounting scandals, in which investors were misled by fraudulent financial reporting

General Description

GLBA

  • Applies to financial institutions, meaning organizations that offer financial products or services such as loans and other lending, insurance, or investment advice.
  • The GLBA requires those organizations to explain to customers how they protect customers' nonpublic personal information and with whom they share it.
  • Customers must be given the opportunity to opt out before the institution shares their personal data with nonaffiliated third parties.
  • The overall benefit is twofold: companies protect their reputation, and customers receive a clear explanation of what is being shared and a chance to refuse before the sharing happens.

SOX

  • The SOX Act was passed in response to the corporate scandals of the early 2000s, in which publicly traded corporations were found to have published fraudulent financial reports.
  • The law's focus is to protect investors from similar incidents by making corporate financial reporting accurate and verifiable.
  • Its implications include stronger controls over financial records and increased penalties for fraud, intended to discourage this activity.

Who must comply

GLBA

  • As stated previously, financial institutions are responsible for complying with these terms. The burden is on the organization: it must issue the privacy notices and opt-out prompts to its customers, safeguard their data, and train its employees.

SOX

  • According to the requirements within the act itself, all publicly traded companies (those registered with the SEC and reporting to investors) are required by law to comply with the SOX Act.

Specific controls/requirements

GLBA

GLBA can be broken down into three main parts: the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions (commonly called the Pretexting Rule).

The Privacy Rule: governs how organizations may collect and disclose customers' personal financial information. The privacy notice it requires must specify which data is gathered, how it will be used and shared, who has access to it, and the policies and procedures in place to safeguard it.

The Safeguards Rule: requires a written information security program. The Federal Trade Commission (FTC) issued and continues to enforce this rule for institutions under its jurisdiction. It requires businesses to implement administrative, physical, and technical safeguards against threats such as cyber attacks, email spoofing, and phishing schemes, and to assess the risks to customer information. The rule also requires an organization to designate at least one person to be responsible for coordinating and overseeing the information security program.

The Pretexting Rule: prohibits obtaining customer information from a financial institution under false pretenses, for example by social engineering an employee while impersonating the customer. Although the GLBA sets no specific control requirements for pretexting, preventing it in practice requires employee training on verifying identity before releasing customer information.

SOX

The SOX sections most relevant to compliance are 302, 404, 409, 802, and 906. These are especially important for teams responsible for data protection, since the records and controls they describe are largely held in IT systems.

Section 302: Corporate Responsibility for Financial Reports

  • The signing officers (typically the CEO and CFO) of every public company must certify each periodic financial report filed with the SEC, stating that it is accurate and complete and that they are responsible for establishing and evaluating the internal controls behind it.

Section 404: Management Assessment of Internal Controls

  • All annual financial reports must include an Internal Control Report declaring that management is responsible for an adequate internal control structure, as well as management's assessment of the control structure's effectiveness.

Section 409: Real-Time Issuer Disclosures

  • Companies are required to disclose, on a rapid and current (essentially real-time) basis, any material changes in their financial condition or operations.

Section 802: Criminal Penalties for Altering Documents

  • Altering, destroying, mutilating, concealing, or falsifying financial records, documents, or tangible objects with the intent to hinder, impede, or influence a legal investigation is punishable by up to 20 years in prison. In practice this is why organizations need defensible record-retention and log-integrity controls for financial systems.

Section 906: Corporate Responsibility for Financial Reports

  • Willfully certifying a misleading or fraudulent financial report carries criminal penalties of up to $5 million in fines and up to 20 years in prison.

Difficulty for Organizations to comply

GLBA

  • Being a data protection law, the GLBA affects many organizations that already have equivalent controls in place
  • Financial institutions require trust to operate effectively, and the GLBA's controls are all sensible in that regard
  • The Safeguards Rule would be the most difficult to implement, since building a solid information security program takes time

SOX

  • The SOX Act enforces a greater degree of transparency within public companies
  • This may require audits and restructuring of an organization, particularly one with a poor record
  • Section 409 would be the most difficult to implement, since companies may be reluctant to disclose results that could hurt their market position

Benefits

GLBA

  • Protects consumer/customer records
  • Helps to strengthen consumer reliability and trust
  • Protects banks and customers from unauthorized sharing or loss of private data

SOX

  • Crucial information cannot be withheld from shareholders
  • Provides transparency in financial reporting

Drawbacks

GLBA

  • Critics say the law has no teeth when it comes to privacy and security
  • It does not create a comprehensive national standard for consumer privacy requirements

SOX

  • Additional Audits & audit costs
  • More regulations
  • Tough penalties