
FINANCIAL SERVICES

GLBA Deadlines: Are Your Service Provider Contracts Ready for Data Security Examiners?

April 2002

By Susan B. Hollinger, Esq.,
and Susan N. LeDuc, CRCM*
 
This article was published in Volume 2, Issue 7 of
Privacy and Information Law Report

Among the many issues addressed by the federal Gramm-Leach-Bliley Act (GLB), Section 501 of GLB required the federal banking supervisory agencies to issue guidelines relating to administrative, technical and physical safeguards for customer records and information (i.e., data security). Those joint guidelines were issued and became effective July 1, 2001 and set forth key considerations as well as clarifications of several troubling issues. We now have further guidance in the form of examination procedures issued by the supervisory agencies that help to evaluate the guidelines, and some experiences with recent regulator examinations that are worth sharing.

Flexibility

As a preliminary matter, the guidelines were written with the understanding that because GLB applied to a broad range of banks, the guidelines would have to be flexible enough to allow each financial institution reasonable discretion to design an information security program that suits its particular size, complexity and type of activities. A bank examiner will review a bank's information security program to determine if it complies with the guidelines, but will not impose the same criteria across the banking landscape.

Service Providers

An important component of the guidelines requires that an institution protect customer information that is provided to a service provider by oversight of service provider arrangements. A "service provider" means any person or entity that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the bank. Such oversight includes exercising appropriate due diligence in selecting service providers; requiring service providers to implement appropriate measures to meet the objectives of the guidelines; and, depending on the financial institution's risk assessment, monitoring its service providers to confirm that the service providers' obligations to implement appropriate measures to meet the objectives of the guidelines have been met.

Contract Review

Banks are already being examined for compliance with the GLB data security requirements, and contracts that were entered into after March 5, 2001 are expected to include the data security provisions contained in the examination procedures. Pursuant to the examination procedures, some of the key considerations that service provider contracts should address include:

  • How does the bank assess risk to its customer information systems? The examiners will review contractual requirements with outside parties.

  • Does the risk assessment include vendor oversight requirements?

  • What is the service provider's response when it suspects unauthorized access? Are procedures in place to appropriately report unauthorized access to the bank?

  • Does the service provider contract provide for sufficient reporting from the service provider to allow the bank to appropriately evaluate the service provider's performance and security, both in ongoing operations and when malicious activity is suspected or known?

Examiners have indicated that the service provider requirements set out in the data security guidelines are in addition to the service provider requirements imposed by the GLB privacy regulations. This means that contractual confidentiality requirements with service providers are in addition to the data security contractual requirements with service providers. So, regardless of whether the service provider is receiving customer information pursuant to a joint marketing arrangement (Section .13 exception to the GLB privacy regulations) or pursuant to a customer's specific request for a product or service (Section .14 exception to the GLB privacy regulations) or pursuant to, for example, judicial process (Section .15 exception to the GLB privacy regulations), or pursuant to sharing outside of the GLB exceptions, all service provider contracts will be examined to determine whether they contain language to the effect that the service providers have implemented procedures to safeguard the security and integrity of data disclosed to them.

Thus, based on the data security guidelines, the published examination procedures and some regulatory experience, examiners have reviewed and will continue to review service provider contracts to determine that they contain provisions for reporting attempted or actual security breaches, and provisions that sufficiently allow the institution to evaluate the service provider's data security performance.

Compliance Dates

Note that the compliance dates for data security requirements in contracts are different from those for privacy. Under GLB and the data security guidelines, banks were given a two-year transition period to bring their service provider contracts into compliance. Contracts entered into after March 5, 2001 must require that the service provider implement appropriate measures designed to meet the objectives of the data security guidelines. Contracts entered into prior to March 5, 2001 must be brought into compliance with the data security guidelines by July 1, 2003.

*Susan B. Hollinger is admitted in New Hampshire and Massachusetts.
