When the Veterans Administration announced this week that some fool had taken its data home to work on it and then “lost” it, it marked the third time that George Toft has had his personal information stolen. As a military man, he was insured by TriWest, whose breach was the last memorable Arizona data security breach. In addition, George’s bank has also informed him in the past that his personal information had been compromised.
This would be less interesting if George were not one of the foremost authorities on preventing data theft. His business, MyITAZ (www.myitaz.com), specializes in providing secure information architecture and data security solutions to small and medium-size businesses that must comply with the Gramm-Leach-Bliley “Financial Modernization” Act of 1999. He gives seminars on this stuff, in between being victimized by it.
The problem is, most small businesses have no clue what “GLBA” is, much less how to comply with it. The name alone puts them to sleep. Only a small number of them find their way to George. All the publicity has gone to Sarbanes-Oxley compliance, and all the big companies have consultants to help them deal with SOX. But many businesses that aren’t subject to SOX because they’re private and small are subject to GLBA without knowing it.
And here’s why. GLBA applies to financial institutions. Okay, you think banks. But this is how the Act defines a financial institution:
Under the Federal Trade Commission’s Privacy Rule, a financial institution means “any institution the business of which is engaging in financial activities….
Financial activities include lending money, investing for others, insuring against loss, providing financial advice, or making a market in securities. Entities covered by these provisions… include, but are not limited to, mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, non-bank lenders, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors, and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors.
Additionally, the Privacy Rule restricts the use and disclosure of nonpublic personal information you obtain from a nonaffiliated financial institution….
This is pretty broad. I’m no attorney, but it seems to me almost anyone who keeps customer data can be seen as a financial institution if there are transactions involved. Ironically, even accountants and lawyers fit under these categories.
This law was passed six or seven years ago. And yet companies still don’t have adequate provisions in place to protect customer data. We only hear about the big losses, but for every TriWest or Veterans Administration there are law firms, accounting firms, mortgage brokers and check cashers galore who don’t know how to keep your identity safe when you are their customer.
I find this shocking. How did we put ourselves at risk in this fashion without knowing it?
It happens because we trust the big institutions to have the resources to do things correctly. But we shouldn’t. I never used to shred my bills, but now I try to remember to do so. I faithfully check my credit report to make sure someone isn’t pretending to be me. I shred my expired credit cards, and the ones they send me in the mail that I don’t accept. I’m not a person who lives in fear, I’m not particularly attentive to detail, and yet I feel I must protect myself from what I’ve read is the nightmare of stolen identity. I’ve read stories about people who spent years trying to re-establish their credit, get their jobs back, and put their lives back together after having their identities stolen.
But I’m under no illusion that I’m safe. Not even with George as a friend. Unless I took him with me to every entity that collected my data, and he studied their information architectures, I would never be sure. And I’m certain he doesn’t want to accompany me to many of the places that collect my data. They are very diverse: Pottery Barn, Elizabeth Arden, a mortgage broker whom I won’t name, and several (former) financial advisors. You get the idea: almost EVERYONE collects your data.
Next time you talk to your real estate broker, your accountant, or your payday lender, just for fun ask them if they know about Gramm-Leach-Bliley. When their eyes glaze over, you can start comparing it to Sarbanes-Oxley and talking about secure information architectures. When they’re really deep asleep, you can start telling them about jail time.