I'm working for a company that falls under the Gramm Leach Bliley Act, and think that it's a good standard. Let's face it, without some laws in place, most companies don't care squat about security. The law probably doesn't go far enough, but companies that don't do anything can now get screwed in lawsuits like these. That's a good thing.
The result of the law going into effect is pressure from up-on-high in the company to be in compliance with the law and gives justification to spend money on people and equipment/software/etc. Another company I worked at wouldn't even spend money for firewall software, because management dismissed IT's cost/benefit justification. If it didn't directly contribute to sales figures, it didn't happen. I'm glad I'm not there anymore.
Now, IT security is talked about at all levels, from IT all the way up through management. The question is asked and discussed: "Is the sensitive information adequately protected?" Having the GLBA as the hidden hammer gives the question a lot of weight. And it's made a difference, with a lot more thought being put into it. Any planning does have project time and resources set aside specifically for security. There's actually time to audit and review existing equipment, and authorization to change any blatant findings.
Is it perfect? Well, no. More time and money could certainly be used. But the effort put into it certainly exceeds the bar that the GLBA provides. I do admire the company for that.
Danny