Gramm-Leach-Bliley Act (GLBA) Compliance
The Gramm-Leach-Bliley Act (i.e., GLBA, GLB Act, the Financial Services Modernization Act of 1999) is a United States federal law that repealed large portions of the Glass-Steagall Banking Act of 1933 and the Bank Holding Company Act of 1956.
It amended the rules, making merger activity easier for banks, brokerage houses, and insurance firms. The result was very large, wide-reaching organizations that were created by bank holding companies and acquired full-service investment banks and insurance companies, or vice versa.
GLBA was updated in 2015, and significant changes were introduced. The objective was to fortify the rules that obligate financial institutions to respect their customers’ privacy and securely protect their sensitive personal information against unauthorized access.
To address concerns about the individual data that these organizations would have, GLBA compliance rules include specific directives to ensure that financial institutions protect the privacy and security of personally identifiable financial information relating to individuals.
Under GLBA compliance rules are particular requirements for financial institutions that explain how they collect, share, and protect non-public personal information or NPI.
What Is Non-Public Personal Information (NPI)? In terms of GLBA compliance, non-public personal information is all personally identifiable information (PII) and financial information that is: Provided by an individual to a financial institution Resulting from any transactions with an individual or any service provided to a financial institution Obtained by a financial institution in other ways Generally public, but has been made private (e.g., an unlisted phone number) Examples include: Information a financial institution has obtained through a relationship with an individual or collected through cookies PII, such as an individual’s income, social security number, marital status, amount of savings or investments, payment history, loan or deposit balances, credit or debit card purchases, account numbers, or credit score Inferences drawn from other data The fact the individual has an account with a particular financial institution |
GLBA compliance is broken into three main sections, each of which defines a subset of rules that financial institutions must follow. The three sections include the following:
1. Financial Privacy Rule or Privacy Rule
Limits and regulates organizations’ collection and disclosure of non-public customer data
2. Safeguard Rule
Requires organizations to implement administrative, physical, and technical safeguards to ensure data protection
3. Pretexting Rule
Prohibits employees or business partners from gathering customers’ information under false pretenses
To enforce these rules, the GLBA authorizes various federal agencies to implement further regulations to ensure that the appropriate security and privacy protocols are in place at financial institutions, thus helping with the enforcement of GLBA compliance:
- Consumer Financial Protection Bureau (CFPB)
- The Securities Exchange Commission (SEC)
- The Commodity Futures Trading Commission (CFTC)
- The Federal Trade Commission (FTC)
- Federal banking agencies
- Federal regulatory agencies
- State insurance oversight agencies
- State laws, such as the California Privacy Rights and Enforcement Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA)
Other regulations, such as the European Union’s General Data Protection Regulation (GDPR)
Let’s jump in and learn:
The Privacy of Consumer Financial Information Rule
For GLBA compliance, the Financial Privacy Rule, or Privacy Rule, mandates strict controls to protect individuals’ privacy and non-public information. The Privacy Rule restricts the sharing of non-public personal information by requiring that a privacy agreement between the financial institution be in place.
GLBA compliance comes into play at the start of a financial institute’s relationship with an individual. The Privacy Rule mandates that financial institutions provide any individuals who engage with their products or services with information about their privacy policies and practices.
Financial institutions must inform individuals if they intend to disclose non-public information in the privacy policy. Also, the privacy policy statement must include a mechanism for individuals to opt-in or out if they do not want to share their personal data with third parties.
The Privacy Rule outlines which data will be collected, how it will be used and shared, who has access to it, and the policies and procedures used to protect it. Aligned with the Fair Credit Reporting Act (FCRA), individuals must receive annual notifications of the privacy policy along with an option to opt-out of sharing information with unaffiliated third-party entities.
Compliance with the Safeguards Rule
A major part of GLBA compliance is the raft of requirements that come with the Safeguards Rule. This requires financial institutions to develop an information security plan that details how an organization will protect both customers’ and former customers’ non-public information. Financial institutions are also required to ensure that affiliates or third-party service providers implement systems to secure customer information.
According to the Safeguard Rules, to maintain GLBA compliance, financial institutions must have a plan that is designed to ensure the confidentiality, integrity, and availability of customer records and information.
They must also have data protection systems in place to keep customer records safe from potential cyber-attacks, cyber-threats, and any other attack vectors. Safeguard Rules also require financial institutions to protect against unauthorized access to or use of customer records or information that could harm or inconvenience the customer (e.g., data breaches).
The Safeguard Rules also require financial institutions to implement security protocols (i.e., both logical and physical) per the plan. To meet GLBA compliance requirements, they must also provide breach notifications if individuals’ non-public information is compromised.
GLBA Compliance Requirements for Information Security Plan Highlights at a Glance Designate at least one employee, or third-party contractor, to be responsible for the information security program and its safeguards Evaluate and adjust the program based on testing and monitoring, changes in business operations or arrangements, and any other events of material impact, such as how sensitive data is collected, stored, or used Identify foreseeable internal risks, third-party risks, and fourth-party risks to the security, confidentiality, integrity, and availability of non-public personal information that could result in the disclosure, misuse, alteration, destruction, or other theftImplement safeguards to protect against foreseeable risks Perform thorough cybersecurity risk assessments that assess the sufficiency of the current safeguards in place to mitigate first, third and fourth-party risk Regular testing of current controls, systems, and procedures |
Who Must Comply with GLBA?
GLBA compliance applies to financial institutions, meaning any business offering financial products and services to individuals. This includes loans, debt collection, financial advice, investment advice, or insurance.
The FTC casts a wide net with regards to which organizations are considered financial institutions for the purposes of GLBA compliance. These include:
- ATM operators
- Banks
- Car rental companies
- Check-cashing businesses
- Consumer credit reporting agencies
- Credit counseling services
- Courier services
- Credit card companies
- Credit reporting agencies
- Credit unions
- Debt collection agencies
- Financial advisory firms
- Hedge funds
- Insurance advisors
- Loan brokers
- Mortgage brokers
- Mortgage lenders
- Non-bank lenders
- Non-bank mortgage lenders
- Property appraisers
- Real estate firms
- Real estate settlement service providers
- Investment advisers
- Stockbrokers
- Tax preparation services
In addition, any organization that receives data from financial institutions must also adhere to GLBA compliance requirements. And, financial institutions are responsible for ensuring that these organizations implement safeguards to ensure non-public customer information in their care is protected.
Penalties for Non-Compliance with GLBA
GLBA compliance is to be taken very seriously. A misstep can be a costly problem. Failure to meet GLBA compliance requirements can result in significant fines and even time in prison. GLBA compliance violations carry penalties not just for financial institutions, but also for individuals.
In cases involving intentional disregard for GLBA compliance requirements, financial institutions, their owners, and directors face criminal prosecution in a federal district court with criminal fines and imprisonment as possible sentences.
The penalties for failing to meet GLBA compliance requirements include:
- Fines of $100,000 for each violation for financial institutions found in violation of GLBA compliance
- Fines of $10,000 for each violation for officers and directors in charge of institutions found to be in violation of GLBA compliance
- Up to 5 years in prison for officers and directors in charge of institutions found in violation of GLBA compliance
Data Security, Data Encryption, and GLBA
Although its original purpose was to allow different types of financial institutions (i.e., banks, insurance companies, securities firms) to merge, GLBA compliance has come to be known for its privacy stipulations.
To ensure the protection of the significantly increased amounts of data these new institutions would have access to, GLBA compliance came to include requirements for financial institutions to secure customers’ information and protect their privacy. To meet these requirements, data security and data encryption are widely used.
The initial requirements for GLBA compliance referred to data protection in generalities and allowed financial institutions to exercise discretion on how to implement safeguards. Meeting GLBA compliance now entails using more specific data security measures.
Four Key Areas of Data Security for GLBA Compliance
1. Risk assessment
To meet GLBA compliance requirements, financial institutions’ security programs must be based on the organizations’ identification and assessment of reasonably foreseeable internal and external risks to customer information.
While risk assessments must include the following topics, each financial institution can tailor its assessments to its own structures and needs. The topics that GLBA compliance risk assessments must include in a written report are the criteria used to:
- Evaluate and categorize identified security risks
- Assess the “confidentiality, integrity, and availability” of customers’ non-public information and IT systems, including whether the existing controls are adequate in the context of the identified risks to customers’ non-public information
- Describe how risks identified will be accepted or mitigated based on the risk assessment and how the IT security program will address them
2. Workforce and personnel
GLBA compliance requires that financial institutions designate a single “qualified individual” to be responsible for the security program. This can be an employee, an agency, or a third-party contractor. Among their responsibilities is providing the Board of Directors or governing body reports on all material matters related to the security program.
3. Overall security program
Financial institutions must maintain a written security plan. This should be comprehensive with detailed information about the security program, including the administrative, technical, and physical safeguards that are in place to ensure the security, confidentiality, and integrity of customers’ non-public information.
4. Security safeguards
To meet GLBA compliance requirements, financial institutions are required to implement a number of security safeguards, including the following. In cases where exceptions are made, such as for small businesses.
- Access controls for all customers’ non-public information
- Protections for physical records (e.g., paper-based files)
- Physical restrictions on access to hardware containing information stored electronically (e.g., servers, storage media)
- Implementation of least-privilege protocols to limit employee access to only the data that they need to perform their job duties
- Continuous monitoring
- Encryption of customers’ non-public information at rest and in transit over internal networks and external networks
- Governing the use of personal devices with strict bring your own device (BYOD) policies
- Inventory and classification of all data, devices, and systems
- Monitoring and logging system and network activity to detect unauthorized users or suspicious activity
- Multifactor authentication for consumer and internal users who access an information system
- Penetration testing and vulnerability assessments
- Secure development practices for in-house software and applications, including policies and processes for change management
- Secure disposal of customer information within two years of when the data was last used
- Security awareness training programs and updates for all personnel
- Steps to select and retain service providers capable of maintaining appropriate safeguards for customers’ non-public information
- Strong password policy that includes frequent updates and complex passwords
- Systems to monitor new security threats
- Written incident response plan that details steps to be taken in the event of any security event that materially affects the confidentiality, integrity, or availability of customers’ non-public information
The Good News About GLBA Compliance
GLBA compliance is a challenging regulation and one with teeth. However, GLBA compliance reduces the risk of penalties and reputational damage that often comes with the data leaks or data losses that come with breaches. This is because following GLBA compliance requirements means that customers’ sensitive, non-public information (NPI) is protected according to industry best practices.
In addition, GLBA compliance can help meet the stringent requirements of other privacy rules, such as the European Union’s General Data Protection Regulation (GDPR), the California Privacy Rights and Enforcement Act (CPRA), the Colorado Privacy Act, and the Virginia Consumer Data Protection Act (VCDPA). Despite the heft of the requirements, most organizations agree that GLBA compliance does align with data security best practices that should be adopted and followed.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 9th November, 2022