GLBA in a work from home environment
Financial institutions across the country closed their lobbies in response to COVID-19 and have asked many of their employees to work from home.
The requirements of the Gramm-Leach-Bliley Act (GLBA) remain in place, even during a pandemic, causing financial institutions extra challenges enforcing the physical security of nonpublic personal information (NPPI), such as customer sensitive information, while employees are in a work from home environment.
Some of the safeguards that financial institutions must consider include:
Security of virtual private network (VPN) connections
Many financial institutions had to either configure a VPN or implement VPN connections for additional devices when switching to a work from home environment. The financial institution should test that the VPN configuration was implemented following their Information System security policies.
Bring your own device (BYOD) configurations
If the financial institution allowed employees to use their own devices, such as personal computers or mobile phones, has adequate protection been implemented for these systems? Is the NPPI sandboxed from the rest of the employee’s device? Are employees allowed to print or save NPPI to non-financial institution devices?
Security of paper documents
Are paper documents containing NPPI allowed to be used in the employee’s WFH environment? If so, are there requirements surrounding the employee’s use of these documents, secure physical storage of these documents when not in use, shredding of these documents prior to disposal, etc.
Modern telephone systems and voice over internet protocol (VOIP) have allowed financial institutions to route telephone calls to employees working from home. When employees are answering customer telephone calls at the office, fellow office mates will have undergone security awareness training and signed the financial institution’s confidentiality agreements. In a work from home environment spouses, roommates, children and other family members might be able to overhear the calls and potential NPPI. This is a very real threat to customer sensitive data that was not applicable before everyone was working from home. Financial institutions must ensure that employees are trained on protecting the information that can be overheard in phone calls when working from home.
Information risk assessments
Financial institutions perform annual information risk assessments to identify threats to NPPI. The financial institution’s existing information risk assessment may not have considered the threat environment of employees working from home. The financial institution should review the information risk assessment and ensure that additional threats in the current environment are being considered. In addition, new technology, such as VPNs, VOIP or video conferencing may have been introduced as part of the financial institution’s transition to a work from home environment. The threats introduced by these new technologies should be evaluated as part of the updated information risk assessment.
Some financial institution employees are working from home for the first time. The financial institution should ensure that these employees are provided with training on their requirements to protect NPPI. In addition, financial institutions should provide employees who are working from home with regular information security reminders and updates about the new threats they might encounter.
All essential businesses, including financial institutions, are doing their best to continue providing services while responding to COVID-19. With work from home being part of the strategy for many financial institutions, GLBA requirements need to be reviewed to ensure they are still being met. The considerations above are among those that should be evaluated while continuing to provide customer service.
Need more help with COVID-19 issues?
We’re here to help you navigate the uncertainty of the COVID-19 pandemic and its impact on your people, finances and business. We have developed a library of resources in our COVID-19 resource center to help you stabilize today and prepare for tomorrow.
See our articles on:
Talent and strategy
Legislation and regulation