Information Security Policy


Summary

This template is a model policy, and it addresses information security requirements for financial institutions to protect against compromise or loss of customer information under the Gramm-Leach-Bliley Act of 1999 (GLBA), 15 U.S.C. § 6801 et seq. This template includes practical guidance and drafting notes. The primary data protection implications of the GLBA are described in the so-called "Safeguards Rule," codified at 16 CFR Part 314, as well as in additional privacy and security requirements issued under the Federal Trade Commission (FTC) Privacy Rule. The GLBA requires that financial institutions act to ensure the confidentiality and security of customers' "nonpublic personal information," or NPI. Nonpublic personal information includes social security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public. This policy is designed for use by commercial banks, savings associations, credit unions, and other "financial institutions," including nonbanks and banks (as defined by 15 U.S.C. § 6809). The GLBA requires financial institutions to protect customers' private information. The GLBA is enforced by the FTC, each of the federal banking agencies (with respect to the institutions they supervise), and other federal regulators, as well as state insurance oversight agencies. To comply with the GLBA, financial institutions are required to implement and maintain policies and procedures regarding the sharing of sensitive customer data, and to apply specific protections in accordance with a memorialized information security policy. You should adapt this policy as suitable for your organization's operations and activities.
For a full listing of key materials necessary to develop consumer-related bank policies and procedures central to regulated depository institution operations, see Developing Bank Policies and Procedures Resource Kit. For a full listing of key content covering fundamental financial services regulation topics, see Financial Services Regulations Fundamentals Resource Kit. For more information, see Financial Services Regulation Resource Kit. To learn more about the GLBA as it pertains to financial institutions generally, see GLBA Privacy Requirements. For a primer on data privacy generally, see Data Protection and Privacy in International Jurisdictions. For a full listing of related workplace data security content, see Workplace Internal Data Security Best Practices Resource Kit. For a full listing of data security content that applies to federal government agencies, see Data Security & Privacy for Government Agencies Resource Kit. To compare state laws on financial institutions, see the Financial Institution Regulation topic in the Financial Service Regulation State Law Comparison Tool.