The Gramm-Leach-Bliley Act (GLBA), which can also be referred to as the GLB Act, or in some instances, the Financial Services Modernization Act of 1999, is a law enacted by the U.S. Congress to govern how financial institutions deal with sensitive personal information from their customers.
To comply with the provisions of this federal law, financial institutions must be transparent in how they deal with their customers’ private data, give notices when they share this data, and let customers know they have the right to opt-out of any data-sharing arrangements. In addition, the Safeguards and Privacy rules in the Act outline the specific steps that a financial institution must take to protect customer data.
The GLBA is enforced mainly by the Federal Trade Commission, other federal regulatory agencies, and state insurance oversight agencies. Following is a deep dive into the details of the GLBA and how organizations can ensure regulatory compliance at all times.
The Major Components of the GLBA
The Gramm-Leach-Bliley Act consists of three sections:
- The Financial Privacy Rule
- The Safeguards Rule
- Pretexting Provisions
The Financial Privacy Rule governs the collection and disclosure of financial information, while the Safeguards Rule mandates financial institutions implement security protocols to protect collected information. Pretexting Provisions cover any pretentious attempts to access sensitive information.
The primary purpose of the GLBA is to complement cybersecurity risk management strategies and programs companies already have in place. The GLBA, in essence, adds a further layer of security to financial personally identifiable information (PII).
The GLBA places the obligation of protecting sensitive PII on the institution collecting it with the premise of respecting the wishes of the customer that this data remains private. If a company wants to share some of a customer’s PII data or retain it for future use, the company must duly notify the customer and give them an option to opt out of data-sharing.
What Is a “Financial Institution” Under the GLBA?
The GLBA clearly defines what qualifies as a financial institution—both in terms of what is included and excluded. Specifically, any company that offers financial products like insurance, loans, financial advice, or investment advice is deemed a financial institution.
Under the GLBA, these companies MUST disclose their data-sharing practices and how they safeguard sensitive data for their customers. They must also notify their customers of their right to opt out of any data-sharing arrangements that might be in place.
The GLB Act limits the extent to which a financial institution may disclose sensitive data to non-affiliated third parties and how to notify their customers when they do it. In addition, any entity that might receive such information is restricted in how it uses it or discloses it to any other parties.
What Entities Must Comply With the GLBA?
The GLB Act or Financial Services Modernization Act of 1999 applies to all businesses that are significantly engaged in providing financial services and products to consumers.
The term significantly engaged is well-defined in the Act to include and exclude certain businesses. In a nutshell, all companies that, within their normal course of operation, come into contact with nonpublic personal information of a financial nature from their customers must meet the regulatory compliance requirements of this Act.
These include companies that might not ordinarily be referred to as financial institutions. Examples include:
- Real-estate appraisers
- Debt collectors
- Payday lenders
- Credit unions
- Tax preparers
- Check cashing businesses
- Accounting firms
- Courier services
- Mortgage brokers
- Car rental companies
- Credit reporting agencies
- ATM operators
- Hedge funds
Traditional financial institutions, such as banks, insurers, investment firms, and brokerage firms, that handle large amounts of sensitive data also qualify as financial services firms regulated by the GLBA. Accordingly, if an organization falls into any of these categories or any others that are significantly engaged in financial services, then compliance with the GLBA is MANDATORY.
Data Covered Under the GLBA
The GLBA covers nonpublic personal information (NPI) collected by financial institutions from their customers. NPI is legally defined as PII financial information. The GLBA does not cover public records or information widely distributed in the media. Some of the information that can be considered NPI include:
- Personal income
- Credit/debit card info
- Bank accounts
- Bank balances
- Credit history
- Property records
- Social Security information
- Tax information
This list is not exhaustive; these are just examples of the type of information that is considered NPI. For example, the GLBA covers even inferences made from this data.
How to Comply With the GLBA
The key to ensuring compliance with the Act lies in understanding the three rules. These are the three sections we previously outlined.
The Financial Privacy Rule
The Financial Privacy Rule outlines what organizations must comply with the Act and what type of information must be protected. It defines NPI, such as names, addresses, Social Security numbers, and other transactional data like bank accounts, credit card information, and credit reports.
The Financial Privacy Rule stipulates that an organization must give “clear and conspicuous notice” of all its privacy and data confidentiality policies at the start of a customer relationship. Customers must also receive annual privacy notices.
The Financial Privacy Rule goes further to define who is a customer versus a consumer. A customer is someone who has an ongoing relationship with a financial institution. A consumer, on the other hand, is someone who doesn’t have a relationship with an institution.
The Safeguards Rule
The Safeguards Rule outlines the means required to protect the information identified under the Financial Privacy Rule. It states that those organizations under the GLBA must have technical, administrative, and physical safeguards in use when collecting, accessing, using, distributing, and sharing customer information.
Cybersecurity risks covered under the Safeguards Rule include:
- Email spoofing
The Safeguards Rule issued by the Federal Trade Commission in 2002 further requires that a financial institution, as defined by the Act, must designate one person to be accountable for the development and testing of an integrated security risk and threat management plan for the organization.
A financial institution sharing any NPI data must have a third-party risk management plan in place. Further, the collecting institution is responsible in case of a security breach.
Pretexting Provisions aim to seek all loopholes clever or malicious actors might exploit to access and steal confidential data. Financial institutions regulated by the GLBA must have measures to detect and prevent such unauthorized access to data in their possession.
Penalties for Noncompliance With the GLBA
A financial institution that falls within the regulatory framework of the GLBA faces stiff financial penalties if they violate provisions of the law. In addition, executives and employees responsible for data protection face individual fines.
For institutions, the fine is up to $100,000 for each violation. In the case of executives and employees, they can face fines up to $10,000 and up to five years of imprisonment, or both, if found guilty of negligence.
Beyond the potential penalties and fines, there is an increased risk of loss of customer trust and confidence in business practices by customers, partners, and investors, which may incur greater negative impact than the financial penalties and fines.
One common way that companies avoid compliance issues with the GLBA and other laws is by investing in a robust cybersecurity platform designed to meet their business needs and customer needs as well as ensure compliance with the law.
Another way to ensure GLBA compliance is by hiring independent consulting firms to audit your cybersecurity infrastructure and practices to identify loopholes that may lead to compliance issues.
Benefits of GLBA Compliance
In addition to avoiding penalties and fines, compliance with the GLBA ensures that a financial institution safeguards its brand reputation, which, in turn, creates a sense of trust that fosters more business. There are ancillary benefits that come with GLBA compliance as well. For example, the cybersecurity risk management capabilities an organization requires for GLBA compliance also enables security. Specifically, while complying with the GLBA, the security risk management capabilities a company institutes extend threat protections to other types of confidential information—protected health information (PHI), company intellectual property (IP), controlled unclassified information, and more. These security risk management controls can even help protect against supply chain threats.
Another significant benefit of complying with the GLBA is that it bolsters compliance and protection for other data privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Data Protection Act (DPA) in France and the United Kingdom.
GLBA Breach Notification Procedures
In some cases, even when an organization is compliant, a breach might occur. In such a case, the GLBA requires that the affected organization investigate the breach to determine if sensitive customer PII was accessed. The affected customers should be notified in a reasonable time frame.
The notice should detail the type of breach, what data was accessed, what the customer needs to do to safeguard their identity, and a telephone number for further assistance.
Sensitive Content Communications Privacy and Compliance With the GLBA
Sensitive content communications falls under the jurisdiction of the GLBA. Financial services firms that send, share, receive, and store confidential information—both internally and externally—must be compliant with the GLBA. With most organizations still struggling to manage sensitive content communications over multiple channels with a hodgepodge of technology tools, this can be a significant undertaking. Without metadata on all sensitive content communications, organizations must spend valuable time and resources piecing together data from each of those tools. And without centralized and automated security and compliance governance, effective security risk management can be difficult if not impossible.
The Kiteworks platform centralizes all sensitive content communications—secure email, file sharing, file transfer, managed file transfer, web forms, and application programming interfaces (APIs)—so that organizations can ensure consistent and compliant execution of governance, compliance, and security across every communications channel. Kiteworks enables organizations to create Private Content Networks, which include the option of FedRAMP authorized hosting, that minimize risk of noncompliance with regulations like the GLBA and breaches of private information.
Get email updates with our latest blogs news