GLBA & SOX

Since 1851, the US insurance industry has complied only with the laws of a state-based regulatory system. That changed in 2010 when the Dodd-Frank Wall Street Reform and Consumer Protection Act became law. The Dodd-Frank Act created several entities, including the Federal Insurance Office and the Financial Stability Oversight Council, that play a role in the insurance and HIPAA regulatory system.

HIPAA, GLBA and SOX all have one thing in common. They all require technical safeguards to protect or guarantee the privacy of critical information. Failing to comply can bring a variety of negative consequences, including putting customers in jeopardy, losing customers, legal liability, and damage to reputation.

Gramm-Leach-Bliley Act – GLBA

A federal law, the Gramm-Leach-Bliley Act (GLBA) requires any entity offering consumers financial products or services like loans, financial or investment advice, or insurance to explain their information-sharing practices to customers and to safeguard sensitive data.

Regulation Explained

The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect consumers’ personal financial information held by financial institutions. Two areas of greatest concern to most companies are the Financial Privacy Rule, which covers the collection, use, and disclosure of nonpublic personal information, and the Safeguards Rule, which says how companies must protect that information.

Penalties for Non-Compliance

GLBA includes severe civil and criminal penalties for noncompliance. Civil penalties include fines up to $100,000 for each violation, and key officers may be fined up to $10,000 per violation.

Affected Industries

  • Insurance
  • Banking
  • Investing

Enforcement

  • Federal Deposit Insurance Corporation
  • Federal Reserve Board
  • Federal Trade Commission
  • National Credit Union Administration
  • Office of the Comptroller of the Currency
  • Office of Thrift Supervision
  • Securities and Exchange Commission
  • State attorneys general

Penalties

  • Company fines up to $100,000 per violation
  • Officer fines up to $10,000 per violation
  • Imprisonment up to five years
  • Doubling of fines and sentencing in certain circumstances
  • Individual and class-action lawsuits

Examples

Although GLBA provides no private right of action, a 2005 data breach at TJX Companies resulted in over $50 million in settlement costs and an estimated $250 million in total costs.

FTC Bureau of Consumer Protection Business Center
Public Law 106-102

Sarbanes-Oxley – SOX

The Sarbanes-Oxley (SOX) Act, which affects publicly traded companies, has broad applications for information protection and includes criminal penalties for executives who fail to comply with regulations. As a result, IT departments must have strict controls and mechanisms to provide for the security, accuracy, and reliability of systems that manage and report financial data.

Regulation Explained

A federal law, the Sarbanes-Oxley Act protects investors from fraudulent accounting activities by publicly traded companies and accounting firms that offer auditing services to those companies. It requires the CEO and CFO—under risk of fines and imprisonment—to attest to the accuracy of financial statements. It also says that all financial reports must include an internal controls report saying that adequate controls are in place to safeguard financial data.

Penalties for Non-Compliance

SOX non-compliance penalties range from the loss of exchange listing to multi-million dollar fines and imprisonment. A CEO or CFO who submits an incorrect certification can face a fine up to $1 million and imprisonment for up to 10 years. If the incorrect certification was submitted “willfully,” the fine can increase up to $5 million and the prison term can increase up to 20 years.

Affected Industries

  • All publicly traded companies in all industries and accounting firms that offer auditing services to those companies.

Enforcement

  • Securities and Exchange Commission
  • The Public Company Accounting Oversight Board

Penalties

  • CEO and CFO fines up to $5,000,000 each
  • CEO and CFO imprisonment up to 20 years
  • Whistle-blower lawsuits

Examples

The law firm of Katz, Marshall & Banks publishes a SOX Whistleblower Blog with multi-million-dollar case examples.

Protected Trust complies with SOC 1 (SSAE 16) and SOC 2 to assure public companies and accounting firms that we have controls to protect their financial data under SOX requirements.

SEC summary
Public Law 107-204