E-Business Compliance: Gramm-Leach-Bliley Act

October 27, 2004 —

The idea of starting a business today is daunting, not just because of the competitive landscape and bumpy economy, but because of regulation. That's not to say that regulation is necessarily bad, it's just confusing, and it's often hard to tell who needs to comply, what you need to comply with, and how you need to do it. Some regulations just get bogged down in paperwork, get filled with loopholes as part of the legislative process, or lack teeth.

On the "lack of teeth" front, I'll give you an example. When visiting a third world country in Southeast Asia, I encountered a gauntlet of officials at the border immigration office, each of which required a fee. Last in the line was the health inspector, who sets up shop at a table in the immigration office - which is itself nothing more than a collection of folding tables and plastic chairs underneath a canopy. Now the government's intended purpose of said health officer was to have someone there to provide health advice and prevent the spread of contagious diseases. But after standing in his line, he will present you with a piece of paper with his health stamp on it after you give him the equivalent of about one American dollar. If you are being carried in on a litter and your skin is falling off your body from leprosy, you will still receive the stamp so long as you have the required fee. To his credit, he did notice the nail fungus on my fingernails and suggested to me that I should eat more seafood.

The situation is not quite so egregious here in the Western world, but we are indeed flush with confusion and paperwork. Let's take a look at one of the scads of compliance acts in particular, Gramm-Leach-Bliley, and how it affects e-business. This act requires financial institutions to securely store personal financial information, and to give consumers privacy notices that explain the institution's information sharing practices. The Act also gives consumers the right to opt out of some of that information sharing. Now I have seen those privacy notices. Those are the little slips of paper you get with your bank statement that nobody ever reads. I certainly haven't. They could plainly state, "we reserve the right to post your personal information, including details pertaining your bank account, credit cards, and the size and color of your underwear, on the Internet," and I would never know it. And, financial institutions are allowed to share your information with their affiliates, and you can't opt out of that - and in these days of huge bank mergers and acquisitions, a financial institution may have hundreds of affiliates engaging in a wide variety of businesses.

Gramm-Leach-Bliley only pertains to financial institutions, but it's one of those Acts that all e-businesses can benefit from. No, that doesn't mean we all should issue slips of paper in unreadable fine print to all of our customers, but it does bring up issues of protecting our customers' financial data. The purpose of the Act is to protect private financial data. Whether the presence of those privacy notices does any good or not is yet to be seen, but it's a useful goal, for financial institutions and the rest of us as well. Retailers who accept credit cards don't fall under the purview of GLB, but said retailer nonetheless has an obligation to protect the private financial data that comes into his or her place of business. Keeping this data safe is just good business practice, and calls for regular secure backups, storage of copies in secure off-site locations, and usage of encryption with sensitive data.

ITworld.com, Ebusiness Insights