If your business performs any of the following business processes, the likelihood is that you are. GLBA requires the organization to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. GLBA mandates that this Information Security Program be subject to periodic review and adjustment. The most frequent of these reviews will occur within IT Security & Policy where constantly changing technology and constantly evolving risks indicate the wisdom of regular reviews. Processes in other relevant areas of the organization such as data access procedures and the training program should undergo regular review.
Examples of Activities the FTC is Likely to Consider as a Financial Product or Service includes:
1. Student (or other) loans, including receiving application information, and the making or servicing of such loans
2. Financial or investment advisory services
3. Credit counseling services
4. Tax planning or tax preparation
5. Collection of delinquent loans and accounts
6. Sale of money orders, savings bonds or traveler’s checks
7. Check cashing services
8. Travel agency services provided in connection with financial services
9. Real estate settlement services
10. Money wiring services
11. Issuing credit cards or long term payment plans involving interest charges
12. Personal property and real estate appraisals
13. Career counseling services for those seeking employment in finance, accounting or auditing
14. Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products
15. Obtaining information from a consumer report
16. Providing or issuing annuities
The plan itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.