Everything You Need to Know to be GLBA Compliant

Cybercrimes, along with human error, can put a business at risk for legal repercussions when confidential information is stolen or corrupted. Companies are also susceptible to downtime when security issues occur, which can halt production and impact productivity.

The goal of IT security compliance is to help organizations avoid fines and penalties while simultaneously protecting customer information. This is usually accomplished by implementing technologies that safeguard consumer data privacy and prevent costly data breaches. Organizations can also preserve their business's reputation and improve company culture by adhering to applicable security requirements. GLBA is one such important security standard to be aware of.

What is the Gramm-Leach-Bliley Act?

Many companies that store financial information about their customers share it with their affiliates and other business partners on a regular basis. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was passed by the United States Congress to safeguard consumer financial privacy due to the sensitive nature of such information.

Companies that act as "financial institutions" – that is, companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance – are required by GLBA to inform their customers about their information-sharing practices and to protect sensitive data. 

The law places restrictions on when a financial institution may release a customer's nonpublic personal information (NPI) to unaffiliated third parties. Customers must be informed about financial institutions' information-sharing practices, as well as their right to opt out if they do not want their information shared with certain nonaffiliated third parties.

Furthermore, any company that receives consumer financial information from a financial institution may be limited in its ability to reuse and re-disclose that information.

Importance of GLBA

The GLBA's central objective is to broaden and tighten consumer data privacy protections and limits. The key priority of IT professionals and financial institutions in relation to the GLBA is to secure and ensure the confidentiality of clients' private and financial data. GLBA compliance is essential for every financial institution, as noncompliance can be both costly and destructive to the company's ability to continue operating.

Organizations will benefit not just from enhanced security and the avoidance of penalties, but also from greater consumer trust and loyalty, if they take steps to secure NPI and comply with the GLBA.

Who is Regulated by GLBA?

The Gramm-Leach-Bliley Act covers all businesses that are "significantly engaged" in providing financial products or services to customers, regardless of size. 

Check cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, retailers who issue branded credit cards, professional tax preparers, and courier services are all examples of businesses that aren't traditionally thought of as financial institutions but are nonetheless covered by GLBA.

The regulation also applies to organizations that obtain information about clients from other financial institutions, such as credit reporting agencies and ATM operators. In addition to creating their own safeguards, companies subject to the regulation must take steps to ensure that their affiliates and service providers protect the client information in their care.

As part of their financial activities, these businesses gather personal information from their consumers, such as names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.

Compliance with the GLBA is required. Regardless of whether a financial institution shares NPI, it must have a policy in place to secure the data from foreseeable security and data integrity issues.

Major components of Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act has three primary components: Financial Privacy Rule, Safeguards Rule, and Pretexting Protection. 

1. Financial Privacy Rule

The Financial Privacy Rule requires financial institutions to give each customer a privacy notice at the start of the relationship and every year after that. This privacy notice must describe the information acquired about the customer, where that information is shared, how it is used, and how it is safeguarded.

The notice must also state the consumer's right to opt out of having their information shared with unaffiliated parties.

2. Safeguards Rule

The Safeguards Rule requires financial institutions to create a written information security plan that explains how they will prepare for and secure nonpublic personal information of their customers. The College has a Data Classification Policy in place to meet the requirements of this rule, and programme coordinators have been designated to oversee compliance with various forms of protected personal information. 

3. Pretexting Protection

The Gramm-Leach-Bliley Act requires financial institutions to take reasonable precautions against pretexting, which occurs when someone tries to gain access to nonpublic personal information without the proper authority. This rule's criteria are met by the College's Fair & Accurate Credit Transaction Act Policy, often known as the Red Flag Rules.

It comprises an annual risk assessment of the security and privacy threats to covered accounts, together with any necessary changes to security systems. The annual assessment also includes a review of the procedures followed by employees who have access to protected data and information.

Requirements of GLBA

Financial institutions, or companies that give consumers financial products or services such as loans, financial or investment advice, or insurance, are required by the Gramm-Leach-Bliley Act to explain their information-sharing policies to their clients and to preserve sensitive data.

Under Section 501 of the GLBA, "Protection of Nonpublic Personal Information," financial institutions are required to establish appropriate standards for the administrative, technical, and physical safeguards of customer records and information. The GLBA Data Protection Rule defines the extent of these measures, stating that financial institutions must:

  • Ensure the security and privacy of consumer information. 
  • Protect against any dangers or hazards to the data's security or integrity that could be reasonably anticipated. 
  • Protect against unauthorized access to or use of such data that could cause a customer significant harm or annoyance.

GLBA also mandates that financial institutions use encryption to reduce the risk of sensitive data being disclosed or altered while in storage or in transit. Implementations of encryption should include:

  • Encryption strong enough to protect the information for as long as its disclosure would pose a serious risk
  • Sound key management practices
  • Strong reliability
  • Adequate protection of the endpoints of encrypted communications

Penalties of GLBA Non-Compliance

Penalties for noncompliance with the Gramm-Leach-Bliley Act include fines and imprisonment. If a financial institution breaks the GLBA standards:

  • Each violation will result in a civil penalty of up to $100,000 for the institution.
  • For each violation, the institution's officers and directors will be personally liable for a civil penalty of not more than $10,000.
  • Fines or imprisonment for not more than five years, or both, will be imposed on the institution and its officers and directors under Title 18 of the United States Code.
Published on Jul 2, 2020
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.