Gramm-Leach-Bliley and email security

Written by Dan Blacharski on May 14, 2009

The Gramm-Leach-Bliley Act, which became effective in 2001, calls on financial institutions, as well as their partners and contractors, to protect the personal financial information of consumers. In that respect it is very similar to HIPAA; the difference is that HIPAA protects the privacy of health care consumers, while GLB protects the privacy of banking consumers.

GLB is actually a set of guidelines for putting safeguards in place that protect the security, confidentiality, and integrity of information relating to financial customers. The parts of GLB that relate specifically to IT security and email security are the Financial Privacy Rule, which governs the use of private financial information, and the Safeguards Rule, which mandates that financial institutions have a plan to protect the confidentiality and integrity of consumer data.

Like HIPAA, GLB imposes some major challenges on financial institutions in terms of providing privacy. Firewalling and access control are a major part of GLB compliance, although email security also figures into the mix.

Data leakage within financial institutions can occur in several different ways, including email: without proper controls, it would be surprisingly simple for a rogue employee to email himself or herself sensitive financial information that could compromise the integrity of the corporation and its data.

Typically we tend to focus on inbound security (firewalling, etc.) when it comes to GLB compliance. Outbound security is essential as well, though, as a means of preventing data leakage, and this is where email protection comes in, with features such as outbound filters.

A company that suffers from data leakage may be at risk of noncompliance with GLB, and data leakage can occur from several different places. On the inbound side, email can carry dangerous malware that plants Trojans inside the network, designed to steal data and send it back to a covert host. Insider sabotage and theft are real possibilities that do occur, so outbound email protection and logging are required as well. And in between, data can be stolen while in transit over the Internet, so encryption should be used when sending sensitive data via email.

Lastly, policy plays a big role. A well-meaning employee may email data to their personal Gmail or Yahoo account so they can do work at home, but this is of course an enormous security breach and a theft waiting to happen. Telecommuting and working at home are popular and often encouraged, but when they are, policy must dictate that the work be done on company-approved or company-issued computers that have security measures in place, and that personal email never be used for sending company information.
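The outbound filter described above, and the personal-webmail policy in this last paragraph, can both be enforced at the mail gateway. The following is an added example (not from the original post) of the kind of check such a filter performs: it flags messages addressed to the personal webmail domains the post names and bodies that carry card- or SSN-shaped identifiers, using a Luhn check to cut false positives. The sender domain, sample message, and the choice of patterns are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Personal webmail domains the post names as off-limits for company data (extend per policy).
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com"}
CARD_LIKE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # NNN-NN-NNNN

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random digit runs such as ticket ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def scan_outbound(raw_message):
    """Return a list of policy findings for one outbound message; an empty list means it may go."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Finding 1: any recipient (To/Cc/Bcc) at a personal webmail provider.
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])]
    for _name, addr in getaddresses(headers):
        if addr.rpartition("@")[2].lower() in PERSONAL_WEBMAIL:
            findings.append("personal webmail recipient: " + addr)
    # Findings 2 and 3: body text that looks like customer financial identifiers.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for m in CARD_LIKE_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("Luhn-valid card number in body")
    if SSN_RE.search(text):
        findings.append("SSN-formatted number in body")
    return findings

# Constructed sample: an employee mailing customer data to a personal account (test number, fake SSN).
SAMPLE_LEAK = "\n".join([
    "From: teller@examplebank.invalid",
    "To: Alice Home <alice.home@gmail.com>",
    "Subject: stuff for tonight",
    "",
    "Card 4111 1111 1111 1111, SSN 123-45-6789, call me.",
])

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_LEAK))
```

A real gateway would quarantine and log the message rather than just report it, which is the outbound logging the post calls for.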
