Based in Denver, CO, Agile Ideation collects the thoughts and experiences of Ed Schaefer. His posts explore agile and devops related topics as he works to maximize team effectiveness and minimize waste through continuous learning, coaching and empowering teams.

IT Security Laws


In response to a number of very public corporate and accounting scandals, SOX was enacted on July 30, 2002. Public confidence in securities markets was shaken as companies like Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom collapsed and investors lost billions of dollars without warning. As the activities of these companies were examined and better understood, it became clear that certain problems were common across companies and needed to be addressed as part of the act. These issues include conflicts of interest among auditors, boardroom oversight failures, conflicts of interest among securities analysts, poor banking practices, executive compensation in the form of stock options, issues related to the internet bubble that could recur, and finally poor rule creation and enforcement by the SEC due to underfunding.

Measuring the impact of SOX is complicated because other factors that influence the stock market are difficult to isolate and remove. Even with significant analysis and research, many different conclusions have been reached about the benefits and costs of SOX, both thus far and into the future. Since the primary concern is the accuracy of financial reporting data, under SOX the importance of IT relates only to its ability to make that reporting more reliable. The negative impact primarily revolves around compliance costs, while the goals of the act itself make up the majority of the benefits.

The Sarbanes-Oxley Act is very divisive, making it difficult to determine whether the benefits outweigh the costs. Whichever side of the argument one takes, SOX was clearly successful in accomplishing its goal of enhancing the standards for compliance, transparency and accountability. Debate continues to this day, and detractors are one of the biggest potential challenges: the constitutionality of the law has been brought under scrutiny, and there has been some pressure from the financial industry to repeal it. Perhaps finding a way to simplify compliance without impacting transparency would be an acceptable solution to all.


The Gramm-Leach-Bliley (GLB) Act

The Gramm-Leach-Bliley Act is also known as the Financial Modernization Act and was passed in 1999. GLB specifically affects financial institutions and companies that provide other financial products or services to consumers. The act contains provisions for protecting the personal financial information of consumers held by financial institutions. It is made up of the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Protection provisions.

The Financial Privacy Rule requires that a financial institution give consumers a privacy notice when a relationship is established, and annually thereafter. This privacy notice must explain what consumer information is collected, where or with whom it is shared, how the information is used, and what protections are in place for its storage and maintenance. The notice must also inform consumers of their right to opt out of information sharing with third-party organizations. The Safeguards Rule requires financial institutions to design, implement and maintain safeguards that protect both the confidentiality and the integrity of personal consumer information. This is essentially a requirement for an information security plan demonstrating preparedness, which most organizations should already have. Finally, the Pretexting provisions require an organization to put safeguards in place against phishing and other social engineering attacks. This would likely include a well-written plan and regular employee training.

Overall, I believe GLB is fairly successful. It brings to light a number of issues that are central to providing high-quality security, and requires organizations to comply with a set of standards. There are many benefits to both companies and consumers, but there are certainly challenges. Consumers may still not read privacy notices, but by being required to send out notices and maintain records of doing so, an organization has some protection if a consumer fails to review the policy and feels they were tricked or manipulated. Organizations should already have had a strong information security plan, but it is possible this was overlooked or underfunded at some organizations, so creating a requirement helps ensure protection as well. Social engineering can be extremely difficult to prevent, but simply being required to be aware of these types of attacks and to implement safeguards, especially training, brings this very common type of attack to the attention of consumers and employees alike, helping to reduce the number of successful attacks.


Electronic Funds Transfer Act

The Electronic Funds Transfer Act was passed in 1978. The act established the responsibilities of the parties involved in electronic funds transfer activities, as well as the rights and potential liabilities of consumers. The ability to electronically transfer funds was very new in 1978, and even today mistakes occur, so it was important to establish a set of rules that would make consumers and firms more comfortable using electronic funds transfers.

The act primarily addresses EFT errors, consumer liability and the liability of the financial institution. With respect to errors, both the consumer and the financial institution are held to certain requirements. The first is an acknowledgement that errors may occur, and that the customer is responsible for reviewing statements regularly to verify that no error has occurred. If the customer notices an error, he or she must contact the financial institution as soon as possible: the notification must be made within 60 days of the date of the erroneous statement, must explain why the customer believes there is an error, and, if the firm requires it, may have to be followed by details in writing. Financial institutions must investigate errors and provide a resolution within 45 days; if there was an error they must recredit the amount in question, and they must notify customers of the results of the investigation, including providing copies of related documents if the customer requests them. In terms of liability, the act states that if a card is reported missing before any transactions occur, the customer is not liable for any charges. If, however, the customer does not meet certain criteria, specifically regarding how long it takes the customer to notify the financial institution, they may be liable for unauthorized transactions. The financial institution must provide the client with information about their liability if a card is lost or stolen, including details of the resolution process and a phone number that can be used to report loss or theft.

The Electronic Funds Transfer Act appears to have been very successful since it was enacted. It limits the liability of customers, making them feel safer and more confident in their financial providers. It also provides more specific and detailed requirements for financial institutions in terms of what they must provide to consumers and how investigations should be conducted, and it even limits the institution's liability if a customer did not follow proper procedure.


Fair and Accurate Credit Transaction Act (FACTA)

The Fair and Accurate Credit Transaction Act was passed in November 2003. This act is an amendment to the Fair Credit Reporting Act. Its primary feature is that it allows consumers to obtain a free credit report from each of the three national credit reporting agencies once every twelve months. The act also contains provisions intended to prevent or reduce identity theft.

To support the goal of preventing identity theft, regulations covering "fraud alerts" and "active duty alerts" were created. Under this act, a consumer who believes that he or she may be, or may become, a victim of fraud or identity theft can place a fraud alert on their file for at least 90 days. Credit reporting agencies are required to offer this ability to customers and to notify the other reporting agencies of the fraud alert. A consumer also has the option to request an extended fraud alert. The active duty alert allows any active duty member of the military to request an alert which requires that, if a reporting agency distributes a list to a third party in relation to the extension of credit or the offering of other services, the agency must include this alert with the active duty member's information. Additionally, the act requires that debit or credit card numbers be truncated on receipts and other documents pertaining to point-of-sale transactions. Finally, the law establishes a set of rights for victims of identity theft, including blocking information on a credit report if it resulted from identity theft; establishes general procedures for handling and resolving identity theft cases; and requires that corporations have some method by which information about consumer complaints of fraud or identity theft is shared across organizations.

The results of this act can be viewed as somewhat mixed. Certainly, on its face it is good to have protections in place for consumers; it may help consumers establish better credit by giving them regular access to their credit reports, and it helps consumers resolve issues related to identity theft. At the same time, however, there are certainly some potential issues. The act seems to put more onus on the financial firms than on consumers themselves, which has the potential to lead consumers to feel they need to take fewer steps to protect themselves. Additionally, in some cases requesting less consumer information when establishing an account may open the door to additional identity theft attempts, or certain consumers may try to take advantage by claiming that transactions they completed were actually fraudulent. Also, in my opinion this act does not provide enough in terms of requirements or steps to help a consumer who was the victim of substantial loss or theft regain their previous credit status in a quick and efficient manner.
