What is GLBA Compliance? Understanding the Data Protection Requirements of the Gramm-Leach-Bliley Act
Learn about what GLBA means for data protection and how to achieve GLBA compliance in Data Protection 101, our series on the fundamentals of information security.
A DEFINITION OF GLBA COMPLIANCE
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.
The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Financial Privacy Rule, created under the GLBA to drive implementation of GLBA requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.
3 KEY RULES TO UNDERSTAND GLBA
The act has three main sections, consisting of two rules and a set of provisions. The term “3 rules” seems to have been adopted to help people better understand the requirements of the legislation.
Each of these three measures are designed to inform and guide organizations covered by the legislation about:
- The types of data to protect
- Specific measures expected from the bill
- Preventing and lessening the number of opportunities for unauthorized access
Here are brief descriptions of each of those 3 components in the GLBA:
Financial Privacy Rule: A company that is either a “financial institution” or receives “nonpublic personal information (NPI)” regarding consumers from a financial institution must adhere to the privacy rule of the GLBA. This rule covers most personal information (name, date of birth, Social Security number, etc.) as well as transactional data (card, bank account numbers). It also covers private information you may acquire during a transaction (a credit report, for instance). The FTC has a page detailing every aspect of the privacy rule, right here.
Safeguards Rule: This rule ensures that those under the jurisdiction of the GLBA have specific means to protect private information. According to the text of the rule itself, GLBA adherents must have “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” Many of these techniques are outlined in the text as well.
Notable requirements include:
- Employee training
- Proper software
- Testing and monitoring of vulnerabilities
Pretexting Provisions: In addition to protecting nonpublic personal information (NPI), organizations that fall under the GLBA must also take measures to detect and prevent as many instances of unauthorized access as possible. There are a number of nefarious scams trying to access personal data by phone, email or even in person. Pretexting provisions aim to mitigate this data loss and protect more consumers.
BENEFITS OF GLBA COMPLIANCE
Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data. There are also several privacy and security benefits required by the GLBA Safeguards Rule for customers, some of which include:
- Private information must be secured against unauthorized access.
- Customers must be notified of private information sharing between financial institutions and third parties and have the ability to opt out of private information sharing.
- User activity must be tracked, including any attempts to access protected records.
Compliance with the GLBA protects consumer and customer records and will therefore help to build and strengthen consumer reliability and trust. Customers gain assurance that their information will be kept secure by the institution. Safety and security cultivate customer loyalty, resulting in a boost in reputation, repeat business, and other benefits for financial institutions.
HOW GLBA COMPLIANCE WORKS
The GLBA requires that financial institutions act to ensure the confidentiality and security of customers’ “nonpublic personal information,” or NPI. Nonpublic personal information includes Social Security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public. The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored specifically to the institution’s size, operations, and complexity, as well as the sensitivity of the customers’ information. According to the Safeguards Rule, covered financial institutions must:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
In order to achieve GLBA compliance, the Safeguards Rule requires that financial institutions pay special attention to employee management and training, information systems, and security management in their information security plans and implementation.
POTENTIAL GLBA PENALTIES
Once a GLBA non-compliance allegation is proven, the punishment can have business-altering, and even life-altering, ramifications.
Some non-compliance penalties include:
● Financial institutions found in violation face fines of $100,000 for each violation.
● Individuals in charge found in violation face fines of $10,000 for each violation.
● Individuals found in violation can be put in prison for up to 5 years.
Examples of Non-Compliance Allegations
Since the Act went into effect, there have been several allegations, including:
- PayPal (operating as Venmo) allegedly violated both the Federal Trade Act and the GLBA. According to one source, “The FTC also asserts that the privacy practices it alleges violate the GLBA and its Privacy Rule, and that the security failures it alleges violate the GLBA and the Safeguarding Rule.”
- Early in the Act’s existence, the FTC invoked the GLBA against several mortgage companies for a number of violations.
- In 2020, the FTC announced a complaint and settlement against Mortgage Solutions FCS, doing business as Mount Diablo Lending, and the company’s owner, alleging that the company posted sensitive personal and financial information from individuals’ mortgage applications and credit reports in response to negative Yelp reviews posted by customers and applicants.
BEST PRACTICES FOR GLBA COMPLIANCE
The main focus of the GLBA is to expand and tighten consumer data privacy safeguards and restrictions. The primary concern, related to the GLBA, of IT professionals and financial institutions is to secure and ensure the confidentiality of customers’ private and financial information. Maintaining GLBA compliance is critical for any financial institution, as violations can be both costly and detrimental to continued operations. However, by taking steps to safeguard NPI and comply with the GLBA, organizations will not only benefit from improved security and the avoidance of penalties, but also from increased customer trust and loyalty.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business