GLBA Questions for Compliance:
Administrative Safeguards
1) Do you check references prior to hiring employees who will have access to customer information?
2) Do you ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer information?
3) Do you train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
a. locking rooms and file cabinets where paper records are kept;
b. using password-activated screensavers;
c. using strong passwords (at least eight characters long);
d. changing passwords periodically, and not posting passwords near employees' computers;
e. encrypting sensitive or confidential customer information when it is transmitted electronically over networks or stored online;
f. referring calls or other requests for customer information to designated individuals who have had safeguards training; and
g. recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.
4) Do you instruct and regularly remind all employees of your organization's policy - and the legal requirement - to keep customer information secure and confidential. This includes providing employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and posting reminders about their responsibility for security in areas where such information is stored - in file rooms, for example?
5) Do you limit access to customer information to employees who have a business reason for seeing it? For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.
6) Do you impose disciplinary measures for any breaches?
7) Do you use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information? For example, supplement each of your customer lists with at least one entry (such as an account number or address) that you control, and monitor use of this entry to detect all unauthorized contacts or charges.
8) Do you maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users? For example, use tools like passwords combined with personal identifiers to authenticate the identity of customers and others seeking to do business with the financial institution electronically.
9) Do you notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access?
If you were unable to answer yes to all of these questions you may have significant risk exposure to your organization, both legally and reputationally.