S Top Logo

Dreher Tomkies LLP
Attorneys at Law
2750 Huntington Center
41 South High Street
Columbus, Ohio 43215
Telephone: 614-628-8000
Fax: 614-628-1600

T Alerts
Pic Alerts


“Financial Institutions” subject to the FTC’s jurisdiction for purposes of the Gramm‑Leach‑Bliley Act (GLBA) must implement an information security program pursuant to the FTC rule on safeguarding customer information no later than May 23, 2003. Financial institutions subject to the FTC’s jurisdiction include mortgage lenders, payday lenders, finance companies, mortgage brokers, non‑bank lenders, check cashers and collection agencies.

GLBA required the FTC to establish standards for these financial institutions relating to administrative, technical and physical safeguards for customer information. The objectives of these standards are to: ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records and protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.

Under the rule, financial institutions must:

  • Designate an employee or employees to coordinate its information security program;

  • Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. Such a risk assessment should include consideration of risks in:

    • Employee training and management;

    • Information systems; and

    • Detecting, preventing and responding to attacks, intrusions or other systems failures;

  • Design and implement information safeguards to control the risks identified and regularly test or otherwise monitor the effectiveness of the safeguards;

  • Oversee service providers, by:

    • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and

    • Requiring service providers by contract to implement and maintain such safeguards [the rule contains a grandfathering clause for existing service contracts (as of June 24, 2002) effective until May 24, 2002];

  • Evaluate and adjust information security programs in light of the results of the testing and monitoring; material changes to operations relevant; or any other relevant circumstances.

Mike Tomkies and Elizabeth Anstaett