Generally, companies are left on their own to develop security programs that are appropriate to their individual size and operations. The federal agencies determined flexibility was necessary because of the many different kinds and sizes of companies that would have to comply.
In the end, security under GLB (the Gramm-Leach-Bliley Act) translates to “guidelines” rather than strict rules for compliance. There are some things a financial institution must do. For example, financial institutions are required to:
1. Develop a written security plan.
2. Designate responsible employees.
3. Assess risks to customer data.
4. Test and monitor safeguards.
Other than these requirements, security procedures are generally left up to the financial institution.
The FTC identified three areas as important to security: (1) employee management and training; (2) information systems; and (3) managing system failures. The FTC’s Safeguards Rule goes on to suggest steps a company might take to secure information.
There is no such mention that financial data being sent out of the country violates the safeguard laws … or else all major companies like WAMU/Chase/Countrywide/Ameriquest … would be out of business.
It is very important to be in compliance and take necessary steps to be in compliance. I am very much aware of them…
Thank you anyways for your insights…