GLB Act

The Gramm-Leach-Bliley Act

GLBA is the Financial Services Modernization Act of 1999, designed to enhance competition in the financial services industry. The legal barriers that traditionally prevented mergers among the insurance, banking and securities industries have been substantially eliminated from federal law. While this creates broader business opportunities, financial institutions are now subject to new consumer privacy safeguards and disclosure requirements.

Under sections 501 and 505 of GLBA, the Federal Reserve, together with the other federal banking agencies, has established guidelines setting standards for safeguarding customer information. The part most relevant to business continuity is this: each institution is required to implement a written information security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. Because those safeguards must protect the availability of customer information as well as its confidentiality and integrity, the program overlaps directly with the institution's business continuity planning.

Other regulatory requirements you need to be aware of (each entry gives the regulation, the sector it covers, and what it requires):

Gramm-Leach-Bliley Act (1999). Sector: financial services. See the summary above; the safeguarding standards arise under sections 501 and 505.

Turnbull Report: Combined Code on Internal Controls in the UK (1999). Sector: companies listed on the London Stock Exchange. Institute of Chartered Accountants in England and Wales code governing risk management and control processes; requires annual review and documentation, with Board of Director involvement similar to US regulation. Business contingency planning is referenced in the appendix.

HCFA-0049-P Proposed Rule, HIPAA regulations (final rule then scheduled for fall 2000). Sector: healthcare, including both caregivers and insurers. Draft regulations covering electronic security and transmission of patient records; a documented, tested disaster recovery plan is required.

ISO 9000, 9001, etc. (1994); see also ISO 17799. Sector: manufacturing. The purpose is to define the elements of quality control systems, especially maintenance of records and verification standards. Business continuity planning is not required by the standard itself, but vendors report that records retention and data availability are issues with their customers, and that they are specifically asked about their plans.

Paperwork Reduction Act (44 U.S.C. Chapter 35, 1995). Sector: federal government. Requires a security plan for information resources, including contingency planning.

Computer Security Act (1987). Sector: federal government. Requires security plans for all federal computer systems to assure data integrity, availability, and confidentiality.

FFIEC SR97-16 (SPE) (May 1997). Sector: banking and related service providers. Set the objectives for the Y2K projects, with testing and contingency planning recommendations; includes audit questions. Provides a good foundation despite its date.

FFIEC FIL-67-97 (stronger wording on client/server environments; replaces FFIEC FIL 82-96). Sector: banking and related service providers. The Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, encompassing distributed computing and external service bureaus.

Consumer Credit Protection Act (CCPA), section 2001, Title IX (1992). Sector: cross-industry. Outlines due diligence for availability of data in electronic funds transfers, including point of sale.

FEMA FRPG 01-94 (1994). Sector: federal government and associated contractors. All department and agency heads must formally plan for continuity of essential operations.

Foreign Corrupt Practices Act (1977). Sector: cross-industry. Management accountability through record keeping.

Comptroller of the Currency BC-177 (1983, amended 1987; superseded by FFIEC guidance). Sector: banking. Requires banking institutions to develop and maintain business recovery plans.

Inter-Agency Policy from the Federal Financial Institutions Examination Council (FFIEC, 1989; revised and strengthened 1997). Sector: banking and related service bureaus, including credit unions. Requires business-wide resumption planning and extends the requirement for contingency plans to any service bureaus or outsourcing companies that service such banks.

Federal Home Loan Bank Bulletin R-67 (1986; superseded by FFIEC guidance). Sector: banking. Follows the intent of BC-177.

IRS Revenue Procedure 86-19. Sector: cross-industry. Legal backup and recovery requirements for computer records containing tax data.

Fair Credit Reporting Act. Sector: credit reporting agencies. Ensure that credit information is accurate, up to date, and available.

Clinical Laboratory Improvement Amendments (CLIA, 1988). Sector: healthcare. Require protection of critical laboratory data.

JCAHO Accreditation Manual for Hospitals (1997). Sector: healthcare. Guidelines for information management established by JCAHO.

Various state Department of Administrative Services policies, e.g., Texas (1 TAC 210.13(b)) and Oregon's Department of Information Resources (ORS 291.038). Sector: state government. Policies assigning responsibility for contingency planning within state agencies.

BS 7799 Section 9 (adopted as ISO 17799, revised in 2005 and since renumbered ISO/IEC 27002). Sector: pan-European industry. British Standards Institution Code of Practice for Information Security Management; requires business continuity planning.

GAO/IMTEC-91-56, "Financial Markets: Computer Security Controls". Sector: financial. Guidelines for stock markets.