Safeguarding Customer Information

Toolbox Users Guide

Protecting our customers’ personal financial information has always been part and parcel of banking, and it remains the cornerstone of our industry today. But the information age is changing how we collect and store customer data, making it very important to re-examine how we protect customer information. Simply put, the security systems that worked well in the past may need to be retooled for today’s world.

In August 2000, the American Bankers Association completed the development of a Financial Privacy Toolbox under the tutelage of the ABA Task Force on Responsible Use and Protection of Customer Information. The Task Force members were drawn from institutions of all sizes and from all parts of the country. It also included representatives of non-bank affiliates and third-party providers.

As the name of our task force implies, the responsible use and the protection of customer information go hand-in-hand. Thus the voluntary guidelines for the responsible use and protection of customer information that the task force developed are as relevant for the purposes of safeguarding customer information as they are for its responsible use.

What the Toolbox Does

The ABA Safeguarding Customer Information Toolbox thus supplements our Financial Privacy Toolbox, providing tools to help your institution establish a comprehensive customer information security program. Each section is designed to be flexible, providing options where possible to suit a variety of organizational styles, sizes and information management practices.

The worksheets, questionnaires and other tools can be used separately or together to ensure that your institution has a program that not only complies with Section 501(b) of the Gramm-Leach-Bliley Act, but also ensures that your policy is consistently understood and enforced throughout your institution.

Whatever the size or complexity of your institution, the toolbox is designed to help you:

Build a culture where every employee and board member understands the importance of safeguarding customer information and understands his or her role in the process.

Assess the risks to your customer information and other databases and systems and manage those risks.

Assess and manage your third-party technology service providers and incorporate this review into your risk assessment and security program.

Set your business continuity planning and disaster recovery objectives and policy.

Ensure that your employees have the security training and experience appropriate for their position.

Communicate your security program to your customers in a way that they can understand, so that they are comfortable with your efforts to secure their financial and other information.

How The Toolbox Is Organized

The toolbox is divided into seven separate tools.

1. Building Your Security Culture: From the Board Room to the Back Room. The objective of this tool is to help you put in place the organization to govern and manage your information security program. The tool outlines the responsibilities of the board and others under the GLB Act, as well as providing a sample board resolution and several examples of codes of conduct that your institution can use to alert employees of their security obligations.

2. Assessing Information Security and Risk in Your Institution. This tool provides you a basis for assessing your current technology environment and how your customer information is housed within that environment, and then, most importantly, gives you a framework for assessing and quantifying the risks to your customer information from disclosure, fraud or errors, or unavailability.

3. Managing and Controlling Risk: Gramm-Leach-Bliley and Beyond. This tool assists you in putting the controls and policies in place to protect customer information and applications, consistent with the risk presented to those applications.

4. Outsourcing Information Technology. This tool is designed to help you assess outsourcing risk, incorporate that risk assessment into the selection process, and then manage the outsourcing relationship in a manner commensurate with the risk it presents to your institution.

5. Business Continuity and Disaster Recovery. This tool provides you with a framework to protect your institution against destruction, loss, or damage of customer information from potential hazards, and to recover if in fact they occur.

6. Training Your Employees. This tool assists you in determining any gaps in the security training and experience of your employees, depending upon their functions within your institution.

7. Talking About Security: Communicating with Customers. This final tool provides potential language for you to use within your privacy and security policy and notices so that your customers know of your commitment to them. Lastly, this tool contains the recently completed ABA Crisis Communications Kit, developed by ABA’s Public Relations Department to assist you in discussing a disaster or other crisis, and its impact on your institution, with your stakeholders.

A useful “Guidelines at a Glance: Safeguarding Customer Information” is included and serves as a roadmap throughout this toolbox, providing a reference guide to the key questions and considerations confronting your institution as you refine your security program.

American Bankers Association