The Most Comprehensive Data Protection Solution
Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.
First and Only Solution to Converge:
- Data Loss Prevention
- Endpoint Detection and Response
- User and Entity Behavior Analytics
Learn about what GLBA means for data protection and how to achieve GLBA compliance in Data Protection 101, our series on the fundamentals of information security.
A DEFINTION OF GLBA COMPLIANCE
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.
The primary data protection implications of the GLBA are outlined its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), created under the GLBA to drive implementation of GLBA requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.
BENEFITS OF GLBA COMPLIANCE
Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data. There are also several privacy and security benefits required by the GLBA Safeguards Rule for customers, some of which include:
- Private information must be secured against unauthorized access.
- Customers must be notified of private information sharing between financial institutions and third parties and have the ability to opt out of private information sharing.
- User activity must be tracked, including any attempts to access protected records.
Compliance with the GLBA protects consumer and customer records and will therefore help to build and strengthen consumer reliability and trust. Customers gain assurance that their information will be kept secure by the institution; safety and security cultivate customer loyalty, resulting in a boost in reputation, repeat business, and other benefits for financial institutions.
HOW GLBA COMPLIANCE WORKS
The GLBA requires that financial institutions act to ensure the confidentiality and security of customers’ “nonpublic personal information,” or NPI. Nonpublic personal information includes Social Security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public. The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored specifically to the institution’s size, operations, and complexity, as well as the sensitivity of the customers’ information. According to the Safeguards Rule, covered financial institutions must:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
In order to achieve GLBA compliance, the Safeguards Rule requires that financial institutions pay special attention to employee management and training, information systems, and security management in their information security plans and implementation.
POTENTIAL GLBA PENALTIES
Once a GLBA non-compliance allegation is proven, the punishment can have business-altering, and even life-altering, ramifications.
Some non-compliance penalties include:
● Financial institutions found in violation face fines of $100,000 for each violation.
● Individuals in charge found in violation face fines of $10,000 for each violation.
● Individuals found in violation can be put in prison for up to 5 years.
Examples of Non-Compliance Allegations
Since the Act has went into effect, there have been several allegations, including:
- Paypal (operating as Venmo) allegedly violated both the Federal Trade Act and the GLBA. According to one source, “The FTC also asserts that the privacy practices it alleges violate the GLBA and its Privacy Rule, and that the security failures it alleges violate the GLBA and the Safeguarding Rule.”
- Early in the Act’s existence, the FTC invoked the GLBA against several mortgage companies for a number of violations.
BEST PRACTICES FOR GLBA COMPLIANCE
The main focus of the GLBA is to expand and tighten consumer data privacy safeguards and restrictions. The primary concern, related to the GLBA, of IT professionals and financial institutions is to secure and ensure the confidentiality of customers’ private and financial information. Maintaining GLBA compliance is critical for any financial institution, as violations can be both costly and detrimental to continued operations. However, by taking steps to safeguard NPI and comply with the GLBA, organizations will not only benefit from improved security and the avoidance of penalties, but also from increased customer trust and loyalty.