Learn about what GLBA means for data protection and how to achieve GLBA compliance in Data Protection 101, our series on the fundamentals of information security.
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.
The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Financial Privacy Rule, created under the GLBA to drive implementation of GLBA requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.
3 KEY RULES TO UNDERSTAND GLBA
The act has three main sections, consisting of two rules and a set of provisions. The term “3 rules” seems to have been adopted to help people better understand the requirements of the legislation.
Each of these three measures are designed to inform and guide organizations covered by the legislation about:
Here are brief descriptions of each of those 3 components in the GLBA:
Financial Privacy Rule: A company that is either a “financial institution” or receives “nonpublic personal information (NPI)” regarding consumers from a financial institution must adhere to the privacy rule of the GLBA. This rule covers most personal information (name, date of birth, Social Security number, etc.) as well as transactional data (card, bank account numbers). It also covers private information you may acquire during a transaction (a credit report, for instance). The FTC has a page detailing every aspect of the privacy rule, right here.
Safeguards Rule: This rule ensures that those under the jurisdiction of the GLBA have specific means to protect private information. According to the text of the rule itself, GLBA adherents must have “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” Many of these techniques are outlined in the text as well.
Notable requirements include:
Pretexting Provisions: In addition to protecting nonpublic personal information (NPI), organizations that fall under the GLBA must also take measures to detect and prevent as many instances of unauthorized access as possible. There are a number of nefarious scams trying to access personal data by phone, email or even in person. Pretexting provisions aim to mitigate this data loss and protect more consumers.
Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data. There are also several privacy and security benefits required by the GLBA Safeguards Rule for customers, some of which include:
Compliance with the GLBA protects consumer and customer records and will therefore help to build and strengthen consumer reliability and trust. Customers gain assurance that their information will be kept secure by the institution. Safety and security cultivate customer loyalty, resulting in a boost in reputation, repeat business, and other benefits for financial institutions.
The GLBA requires that financial institutions act to ensure the confidentiality and security of customers’ “nonpublic personal information,” or NPI. Nonpublic personal information includes Social Security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public. The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored specifically to the institution’s size, operations, and complexity, as well as the sensitivity of the customers’ information. According to the Safeguards Rule, covered financial institutions must:
In order to achieve GLBA compliance, the Safeguards Rule requires that financial institutions pay special attention to employee management and training, information systems, and security management in their information security plans and implementation.
Once a GLBA non-compliance allegation is proven, the punishment can have business-altering, and even life-altering, ramifications.
Some non-compliance penalties include:
● Financial institutions found in violation face fines of $100,000 for each violation.
● Individuals in charge found in violation face fines of $10,000 for each violation.
● Individuals found in violation can be put in prison for up to 5 years.
Since the Act went into effect, there have been several allegations, including:
The main focus of the GLBA is to expand and tighten consumer data privacy safeguards and restrictions. The primary concern, related to the GLBA, of IT professionals and financial institutions is to secure and ensure the confidentiality of customers’ private and financial information. Maintaining GLBA compliance is critical for any financial institution, as violations can be both costly and detrimental to continued operations. However, by taking steps to safeguard NPI and comply with the GLBA, organizations will not only benefit from improved security and the avoidance of penalties, but also from increased customer trust and loyalty.