Federal & State Data Regulations

Security breaches are extremely costly in terms of time, money and loss of business. It is a company's legal responsibility to destroy private information on hard drives, server arrays, laptops and any other type of electronic media. Failure may have catastrophic consequences: financial loss, irreparable damage to a company's reputation, as well as civil and criminal liability for Directors and Officers.

Compliance Detail Guides

Ponemon Studies

Feel free to view these informative Ponemon Studies.

Ponemon Institute conducts independent research on privacy, data protection and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise resource.


Data Accountability and Trust Act H.R. 2221

H.R. 2221 was created to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

H.R.2221
Latest Title: Data Accountability and Trust Act
Sponsor: Rep. Rush, Bobby L. [IL-1] (introduced 4/30/2009); Cosponsors (4)
Related Bills: S.3742
Latest Major Action: 12/9/2009 Referred to Senate committee. Status: Received in the Senate and Read twice and referred to the Committee on Commerce, Science, and Transportation.
House Reports: 111-362

SUMMARY AS OF:
12/8/2009 – Passed House amended.

Data Accountability and Trust Act – (Sec. 2) Requires the Federal Trade Commission (FTC) to promulgate regulations requiring each person engaged in interstate commerce owning or possessing electronic data containing personal information, or contracting with a third party to maintain such data, to establish security policies and procedures.

Requires such policies and procedures to provide for: (1) a security policy with respect to the use, sale, dissemination, and maintenance of data; (2) an officer responsible for information security oversight; (3) vulnerability testing of security programs; and (4) a process for disposing of obsolete electronic and non-electronic data containing personal information.

Deems an information broker to be in compliance with the appropriate provisions of this Act if such broker is in compliance with: (1) any other federal information security statutes which provide similar or greater protections than those required under this Act; or (2) relevant provisions of the Fair Credit Reporting Act (FCRA).

Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. Authorizes the FTC to conduct audits of the information security practices of such information broker, or require independent audits of their practices.

Requires information brokers to: (1) establish procedures to verify the accuracy of collected information that specifically identifies individuals; (2) provide annually, and without cost, to individuals whose personal information it maintains a means to review it; (3) place a notice on the Internet instructing individuals how to request access to such information; (4) correct inaccurate information upon request; and (5) in the case of information brokers that do use data for marketing purposes, allow individuals to decide if their information can be used.

Sets forth limitations to such access rights and website notice requirements.

Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information.

Prohibits information brokers from obtaining or disclosing, or soliciting to obtain, personal information by false pretenses (pretexting).

Exempts from the provisions of this section a service provider serving only as the conduit for the transmission, routing, or transient storage of information.

(Sec. 3) Requires any person engaged in interstate commerce owning or possessing data in electronic form to notify, within 60 days following the discovery of a security breach: (1) the FTC; and (2) each individual whose personal information was acquired or accessed.

Requires a third party agent maintaining or processing personal information in electronic form to notify the person owning or possessing the data in the event of a security breach.

Requires a service provider transmitting, routing, or providing transient routing of personal information owned or possessed by another person to notify the person who initiated the connection or transmission in the event of a security breach.

Requires a person required to provide notification to more than 5,000 individuals to notify the major credit reporting agencies of the timing and distribution of the notices.

Sets forth notification provisions, including: (1) notification timeliness and content; (2) notification delay for law enforcement or national security purposes when notification would threaten law enforcement or national security; and (3) substitute notification.

Requires a person providing notice to individuals to provide consumer credit reports or a credit monitoring service that enables consumers to detect misuse of their personal information.

Exempts a person from such notification requirements if following a security breach a person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.

Establishes a presumption that there is no reasonable risk of identity theft, fraud, or other unlawful conduct if the personal information in electronic form subject to a security breach is unusable, unreadable, or indecipherable to an unauthorized third party. Directs the FTC to issue rules identifying security methodologies or technologies which render data unusable, unreadable, or indecipherable for the purpose of establishing such presumption.

Directs the FTC to: (1) place a security breach notice on its website if in the public interest; and (2) study the practicality and cost effectiveness of providing notice in languages in addition to English.

(Sec. 4) Limits the application of sections 2 and 3 of this Act to persons, partnerships, or corporations over which the FTC has authority pursuant to its authority to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.

States that a violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice.

Prohibits the FTC, when promulgating rules under this Act, from requiring the deployment or use of any specific products or technologies.

Provides for civil action enforcement by the attorney general of a state, or an official or agency of a state, for violations of section 2 and 3. Sets forth: (1) methods for calculating civil penalties; and (2) limitations and obligations on state actions.

Establishes as an affirmative defense to certain enforcement or civil actions under this section that all of the personal information compromised in a particular security breach is lawfully acquired public record information.

(Sec. 5) Defines “information broker” as: (1) a commercial entity (or its contractor or subcontractor) whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell or provide access to such information to any nonaffiliated third party. States that such definition does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to provide benefits for its employees or transact business with its customers.

Defines “personal information” as an individual’s first name or initial and last name, address, or phone number, in combination with any one or more of the following data elements: (1) social security number; (2) driver’s license number, passport number, military identification number, or other government-issued identity document; and (3) financial account number or credit or debit card number and any related security access code or password.

Defines “service provider” as a person providing electronic data transmission, routing, intermediate and transient storage, or connections to its system, where the person providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and such person transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data.

(Sec. 6) Preempts any provision of a state law to the extent that the state law requires: (1) information security practices and treatment of data containing personal information similar to any of those required under section 2 of this Act; and (2) notification to individuals of a security breach resulting in unauthorized access to or acquisition of electronic data containing personal information.

Prohibits any person other than a person specified in section 4 of this Act from bringing a civil action under state law if such action is premised upon the defendant violating any provisions of this Act. (States that this provision shall not be construed to limit the enforcement of any state consumer protection law by an attorney general of a state.)

States that this Act shall not be construed to: (1) limit FTC authority; or (2) preempt state trespass, contract, tort, or fraud law.

(Sec. 7) Makes this Act effective one year after its enactment.

(Sec. 8) Authorizes FY2010-FY2015 appropriations to carry out this Act.

MAJOR ACTIONS:

4/30/2009 Introduced in House
12/8/2009 Reported (Amended) by the Committee on Energy and Commerce. H. Rept. 111-362.
12/8/2009 Passed/agreed to in House: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote.
12/9/2009 Referred to Senate committee: Received in the Senate and Read twice and referred to the Committee on Commerce, Science, and Transportation.

S. 1490: Personal Data Privacy and Security Act of 2009

A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

S.1490
Latest Title: Personal Data Privacy and Security Act of 2009
Sponsor: Sen. Leahy, Patrick J. [VT] (introduced 7/22/2009); Cosponsors (7)
Latest Major Action: 12/17/2009 By Senator Leahy from Committee on the Judiciary filed written report. Report No. 111-110. Minority and Supplemental views filed.
Senate Reports: 111-110

SUMMARY AS OF:
11/5/2009 – Reported to Senate amended.

Personal Data Privacy and Security Act of 2009 – Title I: Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security – (Sec. 101) Amends the federal criminal code to add intentionally accessing a computer without authorization to the definition of racketeering activity.

(Sec. 102) Imposes a fine and/or prison term of up to five years for intentionally and willfully concealing a security breach involving sensitive personally identifiable information that causes economic damage to one or more persons. Defines “sensitive personally identifiable information” to include an individual’s name in combination with other personal information, such as a social security number, home address, date of birth, biometrics data, or financial account information.

(Sec. 103) Directs the U.S. Sentencing Commission to review and amend, if appropriate, federal sentencing guidelines for persons convicted of using fraud to access, or to misuse, digitized or electronic personally identifiable information, including sentencing guidelines for identity theft.

(Sec. 104) Amends the federal bankruptcy code to prohibit the dismissal or conversion of a bankruptcy case based upon a debtor’s failure to meet means testing eligibility requirements if such debtor is a victim of identity theft.

Title II: Data Brokers – (Sec. 201) Requires interstate data brokers (defined as business entities which, for monetary fees or dues, regularly engage in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals to nonaffiliated third parties on an interstate basis) to: (1) disclose to a requesting individual all personal electronic records pertaining to such individual in their databases or systems at the time of such request; (2) provide guidance to such individuals for correcting inaccuracies in their records; (3) provide written or electronic notice of any adverse action taken against an individual by a third party based upon information in their databases; and (4) correct any inaccurate information in their databases. Sets forth procedures for disputing the completeness or accuracy of information in a data broker’s database. Permits a data broker to decline to investigate or terminate a review of information disputed by an individual if the data broker reasonably determines that the dispute is frivolous and intended to perpetrate fraud.

(Sec. 202) Imposes civil penalties on data brokers who violate the requirements of this title. Grants the Federal Trade Commission (FTC) enforcement authority over data brokers. Allows state attorneys general to pursue civil remedies against data brokers who are deemed to pose a threat to state residents.

(Sec. 203) Preempts state regulation of data brokers.

(Sec. 204) Makes the provisions of this title effective 180 days after enactment of this Act.

Title III: Privacy and Security of Personally Identifiable Information – Subtitle A: A Data Privacy and Security Program – (Sec. 301) Imposes requirements for a personal data privacy and security program on business entities that maintain sensitive personally identifiable information in electronic or digital form on 10,000 or more U.S. persons. Exempts certain financial institutions, covered entities under the Health Insurance Portability and Accountability Act (HIPAA), and public records from such requirements.

(Sec. 302) Requires a business entity that is subject to data privacy and security requirements to: (1) implement a comprehensive personal data privacy and security program to ensure the privacy, security, and confidentiality of sensitive personally identifying information and to protect against breaches of and unauthorized access to such information that could create a significant risk of harm or fraud to any individual; (2) conduct risk assessments of potential security breaches; (3) adopt risk management and control policies and procedures; (4) ensure employee training and supervision for implementation of data security programs; and (5) undertake vulnerability testing and monitoring of personal data privacy and security programs.

(Sec. 303) Imposes civil penalties on business entities that violate the data privacy and security requirements of this subtitle. Grants enforcement authority for such requirements to the FTC.

(Sec. 304) Preempts state laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.

Subtitle B: Security Breach Notification – (Sec. 311) Requires any agency or business entity with sensitive personally identifiable information to notify without unreasonable delay any U.S. resident of a security breach in which such resident’s information has been, or is reasonably believed to have been, accessed or acquired.

(Sec. 312) Exempts agencies or business entities from security breach notification requirements if they provide written certification to the Secret Service that providing such notification would impede a criminal investigation or damage national security. Requires the Secret Service to evaluate the merits of such certifications.

(Sec. 313) Requires an agency or business entity to give notice of a security breach to any affected individuals: (1) by written notice to their last known home mailing address, by telephone, or by email (if email notification was consented to); and (2) to major media outlets if the number of residents in a state affected by a security breach exceeds 5,000.

(Sec. 314) Requires the notification to individuals whose sensitive personally identifiable information has been accessed to include: (1) a description of the categories of information an unauthorized individual has acquired; and (2) toll-free numbers for contacting the agency or business entity whose databases have been breached and major credit reporting agencies.

(Sec. 315) Requires any business entity or agency that is required to provide notification to more than 5,000 individuals of a security breach to notify all consumer reporting agencies.

(Sec. 316) Requires any business entity or agency to notify the Secret Service of security breaches of sensitive personally identifying information within 14 days of any data security breach that involves: (1) more than 10,000 individuals; (2) a database that contains information about more than one million individuals nationwide; (3) a federal government database; or (4) individuals known to be government employees or contractors involved in national security or law enforcement. Requires the Secret Service to notify the Federal Bureau of Investigation (FBI), the U.S. Postal Service, and the attorney general of each affected state of a security breach within 14 days of receiving notice of any breach.

(Sec. 317) Authorizes the Attorney General to bring a civil action, including an injunction, in a U.S. district court for violations of security breach notification requirements.

(Sec. 318) Allows state attorneys general to bring a civil action in a U.S. district court to enforce security breach notification requirements. Authorizes the Attorney General to stay, or intervene in, any state action.

(Sec. 319) Declares that the provisions of this subtitle shall supersede any other provision of federal or state law relating to notification by an interstate business entity or agency of a security breach.

(Sec. 320) Authorizes appropriations to the Secret Service to carry out investigations and risk assessments of security breaches.

(Sec. 321) Requires the Secret Service to report to Congress on security breaches resulting from risk assessment exemptions.

(Sec. 322) Makes the provisions of this subtitle effective 90 days after enactment of this Act.

Title IV: Government Access to And Use of Commercial Data – (Sec. 401) Requires the Administrator of the General Services Administration (GSA), in awarding contracts totaling more than $500,000 to data brokers, to evaluate their data privacy and security programs, their compliance, the extent to which their databases and systems have been compromised by security breaches, and their responses to such breaches. Provides a compliance safe harbor for data brokers and penalties against data brokers for noncompliance with security breach notification requirements.

(Sec. 402) Requires federal agencies to audit and evaluate the information security practices of government contractors and third parties that support the information technology systems of such agencies.

(Sec. 403) Amends the E-Government Act of 2002 to require federal agencies that purchase or subscribe to personally identifiable information from a commercial entity to conduct privacy impact assessments on the use of those services.

Requires the Comptroller General to conduct a study and audit and prepare a report for submission to Congress on federal agency adherence to privacy principles in using data brokers or commercial databases containing personally identifiable information.

(Sec. 404) Requires the Department of Justice to designate a department-wide Chief Privacy Officer. Sets forth the duties and responsibilities of such Officer.

MAJOR ACTIONS:

7/22/2009 Introduced in Senate
11/5/2009 Committee on the Judiciary. Reported by Senator Leahy with amendments. Without written report.
12/17/2009 By Senator Leahy from Committee on the Judiciary filed written report. Report No. 111-110. Minority and Supplemental views filed.

S. 139: Data Breach Notification Act of 2009


SAS 70

SAS 70 Definition

Statement on Auditing Standards No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. It is used to report on the "processing of transactions by service organizations", which can be done by completing either a Type I or a Type II audit. This is a must for any accounting organization.

Type I and Type II Audits

There are two types of service auditor reports. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.

Service Auditor’s Report

The final deliverable for the audit is commonly called the SAS 70 Service Auditor’s Report, a lengthy document which contains a multitude of information regarding the service organization, its overall control structure, framework, test of controls (if a Type II audit), along with adjunct and supporting documentation, such as the Independent Accountant (or Service Auditor’s) Report, possible exceptions noted during testing, and any information provided by the service organization.

Service organizations can benefit from Type I and Type II audits in a number of ways, such as demonstrating compliance with a well-known, industry-wide accepted internal control audit. Additionally, a SAS 70 audit, if properly performed, helps service organizations reduce or eliminate repeated requests from their customers’ auditors, ultimately saving time and money. More and more user organizations that obtain bids and proposals for services from service organizations are requiring them to be SAS 70 Type II compliant. It is quite common to see Requests for Proposal (RFPs) issued by user organizations that make SAS 70 compliance mandatory for any service organization answering the RFP.

AICPA Audit Guide

Gramm Leach Bliley (GLBA)

Gramm–Leach–Bliley Act (GLB) Overview

The Gramm–Leach–Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999) is an act of the 106th United States Congress (1999–2001). It was signed into law by President Bill Clinton and it repealed part of the Glass–Steagall Act of 1933, opening up the market among banking companies, securities companies and insurance companies. The Glass–Steagall Act prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.

The Gramm–Leach–Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate. The combination of securities, insurance, and banking announced in 1998 would have violated the Glass–Steagall Act and the Bank Holding Company Act of 1956 if not for a temporary waiver process. The law was passed to legalize such mergers on a permanent basis. GLB also repealed Glass–Steagall’s conflict of interest prohibitions “against simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank.”

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

Full Bill

S.900
Latest Title: Gramm-Leach-Bliley Act
Sponsor: Sen Gramm, Phil [TX] (introduced 4/28/1999)      Cosponsors (None)
Related Bills: H.RES.355, H.R.10
Latest Major Action: Became Public Law No: 106-102. Senate Reports: 106-44; Latest Conference Report: 106-434 (in Congressional Record H11255-11292)


TABLE OF CONTENTS:

  • Title I: Facilitating Affiliation Among Banks, Securities Firms, and Insurance Companies
      • Subtitle A: Affiliations
      • Subtitle B: Streamlining Supervision of Bank Holding Companies
      • Subtitle C: Subsidiaries of National Banks
      • Subtitle D: Preservation of FTC Authority
      • Subtitle E: National Treatment
      • Subtitle F: Direct Activities of Banks
      • Subtitle G: Effective Date
  • Title II: Functional Regulation
      • Subtitle A: Brokers and Dealers
      • Subtitle B: Bank Investment Company Activities
      • Subtitle C: Securities and Exchange Commission Supervision of Investment Bank Holding Companies
      • Subtitle D: Banks and Bank Holding Companies
  • Title III: Insurance
      • Subtitle A: State Regulation of Insurance
      • Subtitle B: Redomestication of Mutual Insurers
      • Subtitle C: National Association of Registered Agents and Brokers
      • Subtitle D: Rental Car Agency Insurance Activities
  • Title IV: Unitary Savings and Loan Holding Companies
  • Title V: Privacy
      • Subtitle A: Disclosure of Nonpublic Personal Information
      • Subtitle B: Fraudulent Access to Financial Information
  • Title VI: Federal Home Loan Bank System Modernization
  • Title VII: Other Provisions
      • Subtitle A: ATM Fee Reform
      • Subtitle B: Community Reinvestment
      • Subtitle C: Other Regulatory Improvements

Gramm-Leach-Bliley Act – Title I: Facilitating Affiliation Among Banks, Securities Firms, and Insurance Companies – Subtitle A: Affiliations – Amends the Banking Act of 1933 (Glass-Steagall Act) to repeal prohibitions: (1) against affiliation of any Federal Reserve member bank with an entity engaged principally in securities activities (securities affiliate); and (2) against simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank (interlocking directorates).

(Sec. 103) Amends the Bank Holding Company Act of 1956 (BHCA) to permit a financial holding company (FHC) to engage in any activity or to acquire the shares of any company whose activities have been determined by the Board of Governors of the Federal Reserve System (the Board), after mandatory consultation with the Secretary of the Treasury (Secretary), to be either financial in nature, or incidental or complementary to financial activities without posing a substantial risk to the safety and soundness of depository institutions, or of the financial system generally. Prescribes consultation and coordination guidelines. Permits the Board and the Secretary to authorize financial subsidiaries of banks to engage in merchant banking.

Permits such financial activities upon the condition that all insured bank holding company (BHC) subsidiary depository institutions are well capitalized and well-managed, and upon BHC certification that they meet certain Board standards.

Authorizes the appropriate Federal banking agency to prohibit an FHC or insured depository institution from commencing any new activity, or acquiring control of a company engaged in such activity, if any of its insured depository institution subsidiaries or affiliates failed to receive a satisfactory rating at its most recent examination under the Community Reinvestment Act of 1977 (CRA).

Instructs the Board to apply capital and management standards that are comparable to a U.S. counterpart of a foreign bank that operates a branch or agency, or owns or controls a commercial lending company in the United States, giving due regard to the principle of national treatment and equality of competitive opportunity.

Cites circumstances under which certain companies that become BHCs after enactment of this Act are authorized to continue their commodities transactions and affiliations. Sets forth cross-marketing restrictions for FHC-controlled depository institutions. Nullifies a BHC election to become an FHC if its subsidiary insured depository institutions failed to achieve a rating of “satisfactory record of meeting community credit needs” at its most recent examination.

(Sec. 104) Retains the McCarran-Ferguson Act as the law of the United States.

Proscribes any State laws which impede or restrict insurance sales activities by an insured depository institution. Enumerates permissible State restrictions upon certain insurance sales practices conducted by insured depository institutions. Preserves certain State regulatory oversight over insurance. Preempts certain State affiliation laws governing insurance companies and affiliates.

Prohibits State regulation of the insurance activities of an insured depository institution or its affiliate that in any way discriminates adversely between insured depository institutions and other entities engaged in insurance activities.

(Sec. 105) Mandates that mutual BHCs be regulated on the same terms as BHCs.

(Sec. 106) Amends the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 to apply to any branch of a bank owned by an out-of-State BHC its prohibition against interstate branching by an out-of-state bank primarily to establish deposit production offices.

(Sec. 107) Amends the BHCA with regard to: (1) overdraft errors; (2) divestiture requirements; and (3) foreign bank subsidiaries of limited purpose credit card banks.

(Sec. 108) Directs the Board and the Secretary to study and report to Congress on the feasibility of requiring large insured depository institutions and depository institution holding companies whose failure could have serious adverse effects upon financial stability to maintain some portion of their capital in the form of subordinated debt in order to reduce the risk to any deposit insurance fund, and to minimize financial instability (“too big to fail syndrome”).

(Sec. 109) Instructs the Secretary to study and report to Congress on the extent to which credit is being provided to small businesses and farms as a result of this Act.

Subtitle B: Streamlining Supervision of Financial Holding Companies – Prohibits the Board from imposing any capital or capital adequacy criteria upon a BHC subsidiary that is not an insured depository institution, and is: (1) in compliance with State or Federal capitalization rules; (2) registered under the Investment Advisers Act of 1940; or (3) licensed as an insurance agent in the State. Prohibits the Board, when developing capital adequacy requirements, from taking into consideration any affiliated investment company which is neither a BHC, nor controlled by one holding 25 percent or more shares of the investment company worth more than $1 million.

(Sec. 111) Subjects securities and insurance activities conducted by a functionally regulated subsidiary of a bank to the jurisdiction of the Securities and Exchange Commission (SEC) and State regulatory authority, respectively.

(Sec. 112) Declares ineffective and non-enforceable any Board actions requiring an insurance company BHC or a registered securities broker-dealer BHC to provide assets to a subsidiary insured depository institution if either the State insurance authority or the SEC determines in writing that such actions would have a material adverse effect on the BHC’s financial condition. Permits the Board to order divestiture of the subsidiary in lieu of other action.

States that BHCA restraints placed upon Board authority over BHCs and their functionally regulated subsidiaries also limit the authority of the Federal banking agencies with respect to those companies and their subsidiaries. Allows the Federal Deposit Insurance Corporation (FDIC) to examine the affiliate of any depository institution to disclose fully its relationship with the institution, and the effect of that relationship on the institution.

(Sec. 113) Prohibits the Board from taking certain statutory action against a functionally regulated BHC subsidiary unless it is necessary to prevent or redress an unsafe or unsound practice or breach of fiduciary duty that poses a material risk to the financial safety, soundness, or stability of either an affiliated depository institution or to the domestic or international payment systems.

(Sec. 114) Sets forth criteria under which the Comptroller of the Currency, the Board, and the FDIC, are authorized to restrict with prudential safeguards the relationships or transactions between entities and subsidiaries under their respective jurisdictions.

(Sec. 115) Denies a Federal banking agency examination authority over a registered investment company that is neither a BHC nor a savings and loan holding company. Grants the FDIC examination authority over an insured depository institution affiliate if necessary to determine the condition of the insured depository institution for insurance purposes.

(Sec. 116) Provides that a declaration filed by a company seeking to be an FHC shall satisfy BHC registration requirements but not any requirement to file an application to acquire a bank.

Revises BHCA divestiture procedures to permit a BHC to elect divestiture of either a nonbanking subsidiary or an insured depository institution.

(Sec. 117) Amends the FDIA to prohibit the use of the Bank Insurance Fund and the Savings Association Insurance Fund (SAIF) to benefit any shareholder or affiliate (other than an insured depository institution receiving FDIA assistance) (currently only any shareholder) of any insured depository institution: (1) in Federal conservatorship or receivership; (2) in default or in danger of default; or (3) in connection with the provision of certain insurance or other specified assistance.

(Sec. 118) Amends the BHCA of 1956 to repeal strictures governing activities of BHC subsidiaries in connection with insurance and savings bank life insurance.

Subtitle C: Subsidiaries of National Banks – Amends Federal banking law to set forth a statutory framework within which a national bank may control or hold an interest in a financial subsidiary. Restricts such subsidiary to activities that are: (1) financial in nature; or (2) permissible for a national bank to engage in directly. Bars such subsidiary from engaging in certain insurance, or real estate development and investment activities.

(Sec. 121) Prescribes guidelines for mandatory coordination between the Secretary and the Board with respect to any determination of whether an activity is financial in nature or incidental to a financial activity.

Requires a national bank that establishes or maintains a financial subsidiary to have in place: (1) procedures for identifying financial and operational risks within the bank and its subsidiary that adequately protect the bank from such risks; and (2) procedures to preserve the separate corporate identity and limited liability of the bank and its subsidiary.

Amends the Federal Reserve Act (FRA) to set forth: (1) statutory parameters for transactions between national banks and their financial subsidiaries; (2) a rebuttable presumption of control of portfolio companies; and (3) a deadline by which the Board must adopt final rules regarding derivative transactions and intraday credit.

Amends the FDIA to set forth requirements for safety and soundness firewalls applicable to financial subsidiaries of insured State banks that are in compliance with this Act. Permits State banks to retain interests or control in subsidiaries acquired prior to enactment of this Act.

(Sec. 122) Authorizes the Board and the Secretary to jointly adopt rules permitting financial subsidiaries to engage in certain merchant banking activities five years after enactment of this Act.

Subtitle D: Preservation of FTC Authority – Amends the BHCA to require the Board to notify the Federal Trade Commission (FTC) of its approval of a proposed acquisition, merger, or consolidation which involves acquisition of nonbanking interests.

(Sec. 132) Directs designated Federal banking agencies to make data available to the Attorney General and the FTC that they deem necessary for antitrust review under specified statutes. Prescribes confidentiality guidelines for such data and banking agency information sharing.

(Sec. 133) Excludes from FTC jurisdiction any nondepository institution subsidiary or affiliate of a bank or savings association.

Amends the Clayton Act to apply its premerger notification and waiting period requirements to any portion of a merger or acquisition transaction that does require notice under BHCA but does not require approval.

Subtitle E: National Treatment – Amends the International Banking Act of 1978 (IBA) to terminate immediately the grandfathered authority of a foreign bank or company to engage in any (nonbanking) financial activity if it files a BHCA declaration to function as a qualified BHC engaging in activities or acquiring and retaining shares of a company not permissible for a BHC before enactment of this Act. Allows imposition of restrictions and requirements comparable to those imposed on a domestic FHC if a grandfathered foreign bank or company does not file such a declaration within two years after enactment of this Act.

(Sec. 142) Amends the IBA to authorize the Board to examine any affiliate of a foreign bank conducting business in any State in which the Board deems it necessary to determine and enforce compliance with Federal banking law.

Subtitle F: Direct Activities of Banks – Amends Federal banking law to provide that limitations placed on securities transactions by a national banking association for its own account do not apply to State, local, or municipal bond transactions by a well-capitalized national banking association.

Subtitle G: Effective Date – Sets forth the effective date of title I of this Act.

Title II: Functional Regulation – Subtitle A: Brokers and Dealers – Amends the Securities Exchange Act of 1934 (Exchange Act) to include certain bank activities within the definition of “broker” and “dealer” (thus subjecting them to registration requirements and regulation under the Exchange Act).

(Sec. 203) Requires a registered securities association to create a limited qualification category, without a testing requirement, for certain bank employees effecting sales as part of a non-public primary securities offering (private placement sales).

(Sec. 205) Prohibits the SEC from requiring a bank to register as a broker or dealer because it engages in new hybrid product transactions unless such requirement has been promulgated pursuant to rulemaking procedures in accordance with this Act. Prohibits the SEC from imposing a requirement regarding a new hybrid product unless it determines that such product is a security necessitating such requirement in the public interest and for investor protection. Prescribes procedural guidelines under which the Board may obtain judicial review of any final SEC regulation.

(Sec. 206) Amends the Exchange Act to include a qualified Canadian government obligation within the definition of: (1) an identified financial product; (2) a swap agreement; (3) a qualified investor; and (4) a government security.

Subtitle B: Bank Investment Company Activities – Amends the Investment Company Act of 1940 to authorize the SEC (after consultation with designated Federal banking agencies) to prescribe conditions under which a bank or its affiliate, in addition to serving as promoter, organizer, or principal underwriter for either a registered management company, or a registered unit investment trust, may also serve as custodian of such company or trust.

(Sec. 212) Declares it unlawful for an affiliate, promoter, or principal underwriter for a registered investment company to lend to such company or its subsidiaries in contravention of SEC requirements.

(Sec. 213) Revises the definition of “interested person” to identify transactions, services, and loans taking place during the six months preceding determination of an “interested person” which would make a person an affiliated person of a broker or dealer.

Prohibits a registered investment company from having a majority of its board of directors composed of personnel or senior officers of the subsidiaries of any one bank, or of any single BHC, its affiliates, and subsidiaries.

(Sec. 214) Modifies guidelines pertaining to unlawful misrepresentation of guarantees, and to the deceptive use of names.

(Sec. 215) Redefines “broker” to exclude any person who would be deemed a broker solely by reason of the fact that such person is an underwriter for one or more investment companies.

(Sec. 216) Redefines “dealer” to exclude an insurance or an investment company.

(Sec. 217) Amends the Investment Advisers Act of 1940 to redefine “investment adviser” to remove the exclusion for banks that advise investment companies. Revises the definitions of broker and dealer.

(Sec. 220) Mandates interagency sharing between a Federal banking agency and the SEC regarding examination results and other information pertaining to the investment advisory activities of a registered BHC and its separately identifiable departments or divisions.

(Sec. 221) Amends the Securities Act of 1933 and the Exchange Act to exclude from their purview any interest or participation in any common trust fund (or similar fund) that is excluded from the definition of “investment company” under the Investment Company Act of 1940. Amends the Investment Company Act of 1940 to revise such exclusion guidelines for certain bank common trust funds.

Subtitle C: Securities and Exchange Commission Supervision of Investment Bank Holding Companies – Amends the Exchange Act to permit certain investment BHCs without a bank or savings association affiliate to elect SEC supervision.

(Sec. 231) Provides for voluntary withdrawal from SEC supervision by specified investment bank holding companies. Sets forth the parameters of SEC supervision of investment bank holding companies.

Mandates SEC deference to regulatory banking agencies and State insurance regulators with respect to the banking and insurance laws under their respective purviews.

Shields the SEC from compulsory disclosure (except to Congress) of certain information furnished by a domestic or foreign regulatory agency regarding the financial or operational condition of: (1) any associated person of a broker or dealer; or (2) any investment bank holding company or its affiliate.

Subtitle D: Banks and Bank Holding Companies – Requires the SEC to consult and coordinate comments with the appropriate Federal banking agency before taking action or rendering an opinion regarding the manner in which an insured depository institution or depository institution holding company reports loan loss reserves in its financial statement, including the amount of such reserves.

Title III: Insurance – Subtitle A: State Regulation of Insurance – Mandates State functional regulation of insurance sales activity (including a national bank exercising FRA agency powers).

(Sec. 302) Prohibits a national bank and its subsidiaries from providing insurance as principal in a State, except for certain authorized products (which may not include title insurance or taxable annuity contracts).

(Sec. 303) Prohibits national banks and subsidiaries from selling or underwriting title insurance, except for certain grandfathered banks and subsidiaries already doing so. Permits a national bank and its subsidiary to sell title insurance as agent in a State which permits its State banks to do so, subject to the same conditions.

(Sec. 304) Establishes expedited dispute resolution for regulatory conflicts between State insurance regulators and Federal financial regulators.

(Sec. 305) Amends the FDIA to direct the Federal banking agencies to issue consumer protection regulations that: (1) prohibit an insured depository institution from conditioning the extension of consumer credit upon insurance product purchases from the institution; (2) require physical segregation of banking activities from insurance product activities; and (3) prohibit discrimination against victims of domestic violence.

Mandates that the Federal banking agencies jointly establish a consumer complaint mechanism to address expeditiously violations of this Act.

(Sec. 306) Preempts State law restricting: (1) insurance companies or insurance affiliates from becoming an FHC or acquiring control of a depository institution; and (2) the amount of an insurer’s assets that can be invested in a bank (except that the insurer’s State of domicile may limit such investments to five percent of the insurer’s admitted assets). Preempts State laws that restrict reorganization by an insurer from mutual form to stock form.

(Sec. 307) Declares that it is the intention of Congress that the Federal Reserve Board, as the umbrella supervisor for financial holding companies, and the State insurance regulators, as the functional regulators of companies engaged in insurance activities, coordinate efforts (including confidential sharing of information on financial condition, risk management policies, operations, transactions, and institutional relationship) to supervise companies that control both a depository institution and a company engaged in insurance activities regulated under State law.

Subtitle B: Redomestication of Mutual Insurers – Declares this title applicable only to a mutual insurance company in a State which has not enacted legislation expressly establishing reasonable terms for a mutual insurance company domiciliary to reorganize into a mutual holding company.

(Sec. 312) Authorizes a mutual insurer organized under the laws of any State to transfer its domicile to another State pursuant to a reorganization in which such insurer becomes a stock insurer that is a subsidiary of a mutual holding company. Requires prospective redomesticating insurers to comply with specified reorganization requirements of the State insurance regulator of the transferee domicile.

Preempts State laws restricting such redomestication.

Subtitle C: National Association of Registered Agents and Brokers – Sets forth a regulatory framework for uniform multistate licensing for insurance sales practices, to take effect only if a majority of the States have not enacted uniform laws and regulations governing the licensure of insurance sales by individuals and entities within three years after enactment of this Act.

(Sec. 322) Establishes the National Association of Registered Agents and Brokers (the Association) as a nonprofit, non-Federal agency to provide a mechanism for uniform licensing, appointment, continuing education, and other insurance producer sales qualification requirements which can be adopted and applied on a multistate basis, while preserving the right of States to regulate insurance producers and insurance-related consumer protection and unfair trade practices.

(Sec. 324) Subjects the Association to regulation by the National Association of Insurance Commissioners. Requires the Association to establish an office of consumer complaints. Vests management of the Association in a board of directors. Cites circumstances under which Association rules preempt State regulation of insurance producers. Requires the Association to coordinate with the National Association of Securities Dealers in order to mitigate administrative burdens that may result from dual membership.

Subtitle D: Rental Car Agency Insurance Activities – Establishes a presumption for a three-year period that no State law imposes any licensing, appointment, or education requirements on any person who solicits the purchase or sells insurance in connection with a motor vehicle lease or rental. Declares the preeminence of pertinent State insurance law.

Title IV: Unitary Savings and Loan Holding Companies – Amends the Home Owners’ Loan Act to prohibit new affiliations between savings and loan holding companies and certain commercial firms, except in specified circumstances.

Title V: Privacy – Subtitle A: Disclosure of Nonpublic Personal Information – Declares it is the policy of Congress that each financial institution has an affirmative, continuing obligation to respect the privacy and to protect the confidentiality of customer nonpublic personal information.

(Sec. 501) Instructs specified regulatory agencies to establish standards for financial institution safeguards that: (1) ensure security and confidentiality of customer records and information; and (2) protect against hazards or unauthorized access to such information.

(Sec. 502) Conditions financial institution disclosure of customer nonpublic personal information to a nonaffiliated third party upon compliance with consumer notification requirements that include: (1) clear, conspicuous disclosures that such information may be disseminated to third parties; and (2) consumer opportunity to prevent such dissemination.

Prohibits a financial institution from disclosing a consumer’s access number or code to a nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

(Sec. 504) Requires selected Federal regulatory agencies to jointly prescribe implementing regulations. Confers enforcement authority upon designated Federal functional regulators, State insurance authorities, and the FTC.

(Sec. 506) Revamps the Fair Credit Reporting Act enforcement guidelines to require certain Federal banking agencies to jointly prescribe regulations governing dissemination by holding companies and their affiliates of customer nonpublic personal information.

(Sec. 508) Directs the Secretary of the Treasury, in conjunction with Federal functional regulators and the FTC, to study and report to Congress on information sharing practices among financial institutions and their affiliates.

Subtitle B: Fraudulent Access to Financial Information – Declares it is a violation of this Act to obtain, disclose, or provide documents under false pretenses pertaining to customer information of a financial institution. Exempts from such proscription: (1) law enforcement agencies; (2) financial institutions and insurance institutions which are engaged in specified activities; (3) customer information of financial institutions available as a public record under Federal securities laws; and (4) State-licensed private investigators acting under court authorization to collect child support from a person adjudged delinquent.

(Sec. 522) Grants the FTC enforcement powers under this Act. Subjects violations of this Act to Federal civil and criminal penalties.

(Sec. 525) Requires each Federal banking and securities regulatory agency to update guidelines applicable to the financial institutions under their respective jurisdictions to ensure such institutions have controls in place to deter and detect the activities proscribed by this Act.

(Sec. 526) Requires the Comptroller General to report to Congress on: (1) the efficacy and adequacy of the remedies provided in this Act; and (2) recommendations for additional action to address threats to financial information privacy. Directs the FTC and the Attorney General to report annually to Congress on enforcement actions taken pursuant to this Act.

Title VI: Federal Home Loan Bank System Modernization – Federal Home Loan Bank System Modernization Act of 1999 – Amends the Federal Home Loan Bank Act (FHLBA) to expand Federal Home Loan Bank (FHLB) membership parameters to make a Federal savings association’s membership in the FHLB system voluntary instead of mandatory.

(Sec. 604) Expands parameters governing long-term advances to: (1) include advances to any community financial institution for small farms and small agri-businesses; (2) state that FHLB cash and deposits are eligible collateral for securing a bank’s interest in a loan or advance; and (3) repeal the 30 percent capital cap on the aggregate amount of outstanding advances that are secured by real estate related collateral. States that, in the case of any community financial institution, the collateral that is eligible for an FHLB loan includes secured loans for small business, agriculture, or securities representing a whole interest in secured loans. Authorizes an FHLB to renew certain advances on its own determination without concurrence by the Federal Housing Finance Board (FHFB). Requires an FHLB member with an advance secured by insufficient eligible collateral to reduce its level of outstanding advances according to a schedule determined by the FHLB (currently, by the FHFB). Authorizes such Board to: (1) review the collateral standards applicable to each FHLB for designated classes of collateral; and (2) require an increase in such standards for safety and soundness purposes.

(Sec. 605) Revises eligibility criteria to permit certain community financial institutions to gain FHLB membership regardless of the percentage of total assets represented by residential mortgage loans.

(Sec. 606) Amends the FHLBA to restructure the management of the FHLB boards of directors pertaining to: (1) residency requirements; (2) staggered terms of office; (3) election of chairpersons; and (4) compensation limitations and expenses.

Repeals the mandates for: (1) a procedure for informal review of certain supervisory decisions; and (2) the Housing Opportunity Hotline program.

Repeals: (1) the prohibition against an FHLB’s acquisition of a bank building by purchase or over ten-year lease; (2) the requirement for FHFB approval of personnel decisions as well as the exercise of corporate powers by any FHLB; and (3) the authorization for an FHLB president to be a member of the FHLB board.

Empowers the FHFB to: (1) charge an FHLB or any executive officer or director with violation of law or regulation in connection with the granting of any application or other request by the bank, or any written agreement between the bank and the FHFB; (2) take affirmative action to correct conditions resulting from violations or practices; (3) limit FHLB activities; and (4) address any insufficiencies in capital levels resulting from application of statutory requirements of FHLB membership.

Repeals FHFB jurisdiction to approve the granting by an FHLB of a member’s application to secure an advance.

Revises guidelines governing reserves and dividends to permit dividend payments out of previously retained earnings or current net earnings (currently, only out of net earnings). Repeals the requirement for: (1) FHFB approval for such dividend payments; and (2) investment of FHLB reserves exclusively in U.S. obligations or certain other Federal Government-related securities.

(Sec. 607) States that FHLB payments to the Resolution Funding Corporation to cover interest payments on obligations shall be a specified percentage of net earnings (currently an aggregate sum certain).

(Sec. 608) Revamps FHLB capital structure parameters to direct: (1) the Finance Board to issue uniform capital standards regulations governing FHLB leverage limitation and risk-based capital requirements; and (2) each FHLB board of directors to submit for FHFB approval a capital structure plan determined to be best suited for the bank’s condition and operation as well as for the interests of its shareholders. Prescribes plan contents.

Title VII: Other Provisions – Subtitle A: ATM Fee Reform – ATM Fee Reform Act of 1999 – Amends the Electronic Fund Transfer Act to mandate fee disclosures at the time of service by any automated teller machine (ATM) operator which imposes a fee for providing host transfer services to a consumer.

(Sec. 703) Mandates disclosure at the time the consumer contracts for electronic fund transfer services that fees may be imposed for initiating electronic fund transfers from an electronic terminal which is not operated by the issuer of the consumer’s access card.

(Sec. 704) Requires the Comptroller General to study and report to Congress the feasibility of requiring specified fee disclosures to the consumer before such consumer is irrevocably committed to completing the transaction.

Subtitle B: Community Reinvestment – Amends the FDIA to require full public disclosure and an annual status report of any agreement entered into pursuant to or in connection with the CRA, between an insured depository institution, its affiliate, and any non-governmental party, that involves depository institution resources (including full text disclosure to the appropriate Federal banking regulatory agency). Imposes sanctions for violation of such mandate by a non-depository institution.

(Sec. 712) Amends the CRA to set forth a graduated schedule of decreasing CRA examinations of certain small-sized banks commensurate with their record of meeting CRA “community credit needs”. Emphasizes retention of the CRA examination schedule for regulated financial institutions in connection with deposit facility applications.

(Sec. 713) Directs the Board of Governors of the Federal Reserve System to conduct a comprehensive study of the CRA and report to Congress and the public on CRA default, delinquency, and profitability data.

(Sec. 715) Instructs the Secretary of the Treasury to study and report to Congress on the extent to which adequate services are being provided as intended by the CRA.

Subtitle C: Other Regulatory Improvements – Instructs the Comptroller General to study and report to Congress on selected possible revisions to rules governing S corporations, and the impact such revisions might have on community banks.

(Sec. 722) Mandates a “plain language” requirement for Federal banking agency rules.

(Sec. 723) Amends Federal law to declare that any depository institution whose charter is converted from that of a Federal savings association to a national or State bank after enactment of this Act may retain “Federal” in its name so long as it remains an insured depository institution.

Program for Investment in Microentrepreneurs Act of 1999 (PRIME Act) – Amends the Riegle Community Development and Regulatory Improvement Act of 1994 to add a new subtitle C, Microenterprise Technical Assistance and Capacity Building Program. Directs the Administrator of the Small Business Administration to establish a microenterprise technical assistance and capacity building program to provide grants to qualified nonprofit organizations for: (1) training and technical assistance to disadvantaged entrepreneurs; (2) training and capacity building services to help microenterprise development organizations and programs develop training and services; and (3) aid in researching and developing the best practices for disadvantaged entrepreneurs. Sets forth an allocation formula for such assistance and for grants benefitting very low-income persons, including those residing on Indian reservations.

Authorizes a qualified organization to provide subgrants to small and emerging microenterprise entities. Mandates matching funds from non-Federal sources.

Authorizes appropriations.

(Sec. 726) Amends the FRA to direct the Board to order an annual independent audit of the financial statements of each Federal reserve bank and of the Board.

(Sec. 727) Authorizes such Board to release confidential supervisory information concerning a State member bank to any Federal or State regulatory counterpart. Amends the Right to Financial Privacy Act of 1978 to authorize the Federal Financial Institutions Examination Council, the Securities and Exchange Commission, and the Commodity Futures Trading Commission to share information regarding a financial institution.

(Sec. 728) Instructs the Comptroller General to study and report to Congress on conflict of interest issues confronting the Board of Governors of the Federal Reserve System in its role as: (1) primary regulator of the banking industry; (2) vendor of services to the banking and financial services industry; and (3) both regulator of the payment system and its participation in such system as a competitor with private entities providing payment services.

(Sec. 729) Directs the Federal banking agencies to: (1) study and report to Congress on banking regulations governing the delivery of financial services; and (2) submit recommendations on adapting existing requirements to online banking and lending.

(Sec. 730) Amends the FDIA to cite circumstances under which a Federal banking agency (including an appointed conservator or receiver) is shielded from liability (source of strength doctrine) regarding assets transferred to a depository institution by a controlling shareholder or depository institution holding company (including its affiliates or subsidiaries).

(Sec. 731) Amends the FDIA to prescribe a statutory formula for maximum interest rates or other charges levied by interstate branches of an insured depository institution.

(Sec. 732) Amends the IBA to permit a foreign bank to upgrade its interstate branches or agencies to Federal or State status.

(Sec. 733) Expresses the sense of Congress that individuals offering financial advice and products should offer such services and products in a nondiscriminatory, nongender-specific manner.

(Sec. 734) Amends the Emergency Steel Loan Guarantee Act of 1999 and the Emergency Oil and Gas Guarantee Loan Program Act to include as alternative members of both the Emergency Steel Loan Guarantee Board and the Emergency Oil and Gas Loan Guarantee Board: (1) a member of the Board of Governors of the Federal Reserve System; and (2) a commissioner of the Securities and Exchange Commission (each designated by the pertinent Chairman).

(Sec. 735) Amends the Federal Reserve Act to repeal: (1) the Board’s power to restrict the percentage of individual bank capital and surplus represented by loans secured by stock or bond collateral; and (2) the Board’s duty to establish such restrictions with a view to preventing the undue use of bank loans for the speculative carrying of securities.

(Sec. 736) Amends the FDIA and the Deposit Insurance Funds Act of 1996 to eliminate the Special Reserve of the SAIF and of the Deposit Insurance Fund, respectively (established to provide emergency funds if the reserve ratio of either fund is below 50 percent of its designated ratio for one year).

(Sec. 737) Amends the Federal Power Act to cite circumstances under which its proscriptions against interlocking directorates (enacted to address abuses of interlocking directorates) are inapplicable to a person that holds or proposes to hold the positions of an officer or director of: (1) a public utility; and (2) a bank, trust company, banking association, or firm authorized to underwrite or participate in the marketing of securities of a public utility.

(Sec. 738) Amends the FRA proscription against bank securities transactions with affiliates to permit securities acquisitions approved as sound by a majority of the bank directors, irrespective of the fact that a bank affiliate is a principal underwriter of such securities.

(Sec. 739) Permits Federal savings associations, with the approval of the Comptroller of the Currency or the appropriate State bank supervisor, to convert into national banks if the resulting bank meets all applicable financial, management, and capital requirements.

(Sec. 740) Amends Federal criminal law to cite circumstances under which a court may direct disclosure of grand jury information concerning a banking law violation to certain personnel of a Federal or State financial institution.


MAJOR ACTIONS:

4/28/1999 Introduced in Senate
4/28/1999 Committee on Banking. Original measure reported to Senate by Senator Gramm. With written report No. 106-44. Additional views filed.
5/6/1999 Passed/agreed to in Senate: Passed Senate with amendments by Yea-Nay Vote. 54-44. Record Vote No: 105.
7/20/1999 Passed/agreed to in House: On passage Passed without objection.
11/2/1999 Conference report H. Rept. 106-434 filed.
11/4/1999 Conference report agreed to in Senate: Senate agreed to conference report by Yea-Nay Vote. 90-8. Record Vote No: 354.
11/4/1999 Conference report agreed to in House: On agreeing to the conference report Agreed to by the Yeas and Nays: 362 – 57 (Roll no. 570).
11/4/1999 Cleared for White House.
11/9/1999 Presented to President.
11/12/1999 Signed by President.
11/12/1999 Became Public Law No: 106-102

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA: Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created new regulations which require physicians to ensure they are protecting the privacy and security of patients’ medical information and using a standard format when submitting electronic transactions, such as submitting claims to payers.

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Your Health Information Is Protected By Federal Law

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations covered entities.

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities processing non-standard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.

HIPAA Compliance Resources

The AMA has many helpful tools to assist physicians to understand and comply with the different components of HIPAA, including sample forms and documents, updates on new Guidance from the Federal government, and useful compliance tips.
What you need to know about the new health privacy and security requirements

Under HIPAA and ARRA, physicians are required to control the ways in which they use and disclose patients’ protected health information. This resource outlines the newly expanded requirements for protection of patient health information, patient rights to this information and administrative protections physicians must have in place.

Sarbanes Oxley Act (SOA)

SOA for Beginners

The Sarbanes–Oxley Act of 2002, also known as the ‘Public Company Accounting Reform and Investor Protection Act’ (in the Senate) and ‘Corporate and Auditing Accountability and Responsibility Act’ (in the House) and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).

The Act introduced a multitude of new government and quasi-government regulatory activities designed to protect investors by improving the accuracy and reliability of corporate disclosures. Since its passage into law on 7/30/02, literally thousands of references, comments, and discussions have been posted to the Internet. This seemingly incessant posting will probably continue for quite some time, or at least until the law is fully implemented.

http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm

FACTA

The Fair and Accurate Credit Transactions Act

FACTA is an amendment to FCRA (Fair Credit Reporting Act) that was added, primarily, to protect consumers from identity theft. The Act stipulates requirements for information privacy, accuracy and disposal and limits the ways consumer information can be shared.

Here are a few of the more prominent details of FACTA:

  • The three major credit reporting agencies are required to provide consumers’ credit reports to the consumer, without charge.
  • Consumers can place an alert message on their files if they suspect they have been victims of fraud.
  • Systems that print payment card receipts must employ PAN truncation (personal account number truncation) so that the consumer’s full account number is not viewable on the slip.
  • According to a 2005 provision, any employer who maintains an employee’s personal information must destroy that data before disposal.

For more information on FACTA go to the Privacy Rights Clearinghouse

DoD 5220.22-M and NIST 800-88

Standard DoD 5220.22-M / NISPOM 8-306 / NIST 800-88

In its clearing and sanitizing standard DoD 5220.22-M, the US Department of Defense recommends the approach “Overwrite all addressable locations with a character, its complement, then a random character and verify” (method d in the matrix and key below) for clearing and sanitizing information on writable media.
US Department of Defense 5220.22-M Clearing and Sanitization Matrix

Media                                        Clear        Sanitize
Magnetic Tape
  Type I                                     a or b       a, b, or m
  Type II                                    a or b       b or m
  Type III                                   a or b       m
Magnetic Disk
  Bernoullis                                 a, b, or c   m
  Floppies                                   a, b, or c   m
  Non-Removable Rigid Disk                   c            a, b, d, or m
  Removable Rigid Disk                       a, b, or c   a, b, d, or m
Optical Disk
  Read Many, Write Many                      c            m
  Read Only                                               m, n
  Write Once, Read Many (WORM)                            m, n
Memory
  Dynamic Random Access Memory (DRAM)        c or g       c, g, or m
  Electronically Alterable PROM (EAPROM)     i            j or m
  Electronically Erasable PROM (EEPROM)      i            h or m
  Erasable Programmable ROM (EPROM)          k            l, then c, or m
  Flash EPROM (FEPROM)                       i            c then i, or m
  Programmable ROM (PROM)                    c            m
  Magnetic Bubble Memory                     c            a, b, c, or m
  Magnetic Core Memory                       c            a, b, e, or m
  Magnetic Plated Wire                       c            c and f, or m
  Magnetic Resistive Memory                  c            m
  Nonvolatile RAM (NOVRAM)                   c or g       c, g, or m
  Read Only Memory (ROM)                                  m
  Static Random Access Memory (SRAM)         c or g       c and f, g, or m
Equipment
  Cathode Ray Tube (CRT)                     g            q
  Printers
    Impact                                   g            p then g
    Laser                                    g            o then g

Key to the matrix codes:

a. Degauss with a Type I degausser.

b. Degauss with a Type II degausser.

c. Overwrite all addressable locations with a single character.

d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.

e. Overwrite all addressable locations with a character, its complement, then a random character.

f. Each overwrite must reside in memory for a period longer than the classified data resided.

g. Remove all power to include battery power.

h. Overwrite all locations with a random pattern, all locations with binary zeros, all locations with binary ones.

i. Perform a full chip erase as per manufacturer’s data sheets.

j. Perform i above, then c above, a total of three times.

k. Perform an ultraviolet erase according to manufacturer’s recommendation.

l. Perform k above, but increase time by a factor of three.

m. Destroy – Disintegrate, incinerate, pulverize, shred, or melt.

n. Destruction required only if classified information is contained.

o. Run five pages of unclassified text (font test acceptable).

p. Ribbons must be destroyed. Platens must be cleaned.

q. Inspect and/or test screen surface for evidence of burned-in information. If present, the cathode ray tube must be destroyed.
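Method d in the key above (a character, its complement, a random pass, then verify) as an added worked example; this is not code from the DoD standard, from NIST or from any vendor. It assumes a seekable binary file object standing in for the media, verifies each pass by reading it back and comparing SHA-256 digests (stricter than the standard's single verification after the last pass), and refuses to report success when the media silently drops writes. The demo runs on in-memory buffers holding constructed sample data, so no device is touched. Note that overwriting only reaches addressable locations: on flash media, remapped or spare blocks are not addressable from the host, which is why the matrix prescribes a full chip erase (i) or destruction (m) for those types rather than overwrite alone.

```python
import hashlib
import io
import os

CHUNK = 64 * 1024  # 64 KiB blocks: memory use stays flat however large the media is


def _write_pass(dev, size, source, chunk=CHUNK):
    """Write one full pass over the first `size` bytes of `dev`.

    `source(n)` returns the next n bytes to write. A SHA-256 digest of
    everything written is returned so the pass can be checked on read-back
    without keeping a copy of the (possibly random) data in memory.
    """
    digest = hashlib.sha256()
    dev.seek(0)
    written = 0
    while written < size:
        block = source(min(chunk, size - written))
        dev.write(block)
        digest.update(block)
        written += len(block)
    dev.flush()
    return digest.hexdigest()


def _readback_digest(dev, size, chunk=CHUNK):
    """Read the first `size` bytes back and digest what is actually on the media."""
    digest = hashlib.sha256()
    dev.seek(0)
    remaining = size
    while remaining > 0:
        block = dev.read(min(chunk, remaining))
        if not block:
            raise IOError("short read while verifying overwrite")
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def overwrite_method_d(dev, size, char=0x55):
    """DoD 5220.22-M method d: a character, its complement, a random pass, then verify.

    Every pass is verified by re-reading the media and comparing digests.
    Returns a list of (pass_name, ok) tuples and stops at the first failed pass,
    so a partial result never looks like a completed sanitization.
    """
    complement = (~char) & 0xFF
    passes = [
        ("char 0x%02X" % char, lambda n: bytes([char]) * n),
        ("complement 0x%02X" % complement, lambda n: bytes([complement]) * n),
        ("random", os.urandom),  # CSPRNG output rather than a fixed pattern
    ]
    results = []
    for name, source in passes:
        written = _write_pass(dev, size, source)
        ok = _readback_digest(dev, size) == written
        results.append((name, ok))
        if not ok:
            break  # media is not taking writes; do not continue or claim success
    return results


def sanitized_ok(results):
    """True only if all three passes ran and each one verified on read-back."""
    return len(results) == 3 and all(ok for _, ok in results)


class WriteDiscardingMedia(io.BytesIO):
    """Constructed stand-in for media that silently ignores writes (a write-protected
    or failing device). Used to show that the read-back check catches it."""

    def write(self, b):
        return len(b)  # claims success, stores nothing


def demo():
    """Run method d over an in-memory buffer holding constructed sample records.

    Returns (sanitization verified, original data still present). Expected: (True, False).
    """
    secret = b"CONSTRUCTED SAMPLE: SSN 000-00-0000, card 0000000000000000\n" * 2000
    media = io.BytesIO(secret)
    results = overwrite_method_d(media, len(secret))
    still_there = secret in media.getvalue()
    return sanitized_ok(results), still_there


if __name__ == "__main__":
    print("demo:", demo())
    print("write-discarding media:", overwrite_method_d(WriteDiscardingMedia(b"A" * 1000), 1000))
```

Against a real block device the same routine would be handed the opened device file and its size; the digests are what make the verification step meaningful, since they compare what was actually stored with what was requested, pass by pass.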

For more information regarding the clearing and sanitizing security standard DoD 5220.22-M, see the US Defense Security Service web site (Chapter 8).

Recycling and disposition

EPA Disposal Compliances

ECycling Green Ewaste Compliances

NIST Special Publication 800-88 media sanitization guidelines

Alternate Resources

http://www.legislation.gov.uk/ukpga/1998/29/contents

Security resources at www.attrition.org