Which of the following protects personally identifiable information (PII) used by financial services organizations?
Correct Answer: B
The law that protects personally identifiable information (PII) used by financial services organizations is the Gramm-Leach-Bliley Act (GLBA). GLBA is a federal law that was enacted in 1999 to regulate the privacy and security of the financial information of the customers of financial institutions, such as banks, credit unions, insurance companies, or securities firms. GLBA requires financial institutions to provide their customers with a notice of their privacy policies and practices, and to obtain their consent before sharing their nonpublic personal information with third parties. GLBA also requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of the customer information, and to report any breaches or unauthorized access to the customers and the regulators. National Institute of Standards and Technology (NIST) SP 800-53 is a publication that provides a set of security and privacy controls for federal information systems and organizations, but it is not a law that protects PII used by financial services organizations.
Payment Card Industry Data Security Standard (PCI-DSS) is a standard that provides a set of security requirements for organizations that store, process, or transmit cardholder data, such as credit card or debit card information, but it is not a law that protects PII used by financial services organizations. Health Insurance Portability and Accountability Act (HIPAA) is a law that protects the privacy and security of the health information of the patients of health care providers, health plans, or health care clearinghouses, but it is not a law that protects PII used by financial services organizations. References: [CISSP CBK Reference, 5th Edition, Chapter 1, page 40]; [CISSP All-in-One Exam Guide, 8th Edition, Chapter 1, page 34]