The Gramm-Leach-Bliley Act (GLBA, GLB Act or the Financial Services Modernization Act of 1999) is a United States federal law requiring financial institutions to explain how they share and protect their customers' nonpublic personal information (NPI).
The GLBA also repealed part of the Glass-Steagall Act of 1993 and the Bank Holding Company Act of 1956 (BHCA), removing barriers for banking, securities and insurance companies to act as any combination of an investment bank, commercial bank and insurance company. The primary concern of GLBA is to ensure the confidentiality of customers' personally identifiable information (PII) and financial information by following certain privacy and security standards:
The GLBA gives the following entities the ability to implement further regulations to ensure appropriate privacy provisions and security:
State law can require greater compliance, but not less than what is otherwise required by the GLBA.
Who is Regulated by GLBA?
The GLBA applies to financial institutions, meaning any business offering financial products and services to individuals, such as loans, financial advice, investment advice or insurance. It also imposes limited obligations on certain third parties who receive nonpublic personal information (NPI) from GLBA-regulated financial institutions. Examples of financial institutions include:
As GLBA is focused on customer data, financial institutions that only provide services to other businesses are not covered by GLBA. Nor is an individual who merely uses an ATM or cashes a check, because there is no ongoing customer relationship.
What is Nonpublic Personal Information (NPI)?
Nonpublic personal information (NPI) is all personally identifiable information (PII) and financial information that is:
Information that is publicly available, or that the financial institution has a reasonable basis to believe is publicly available, is not nonpublic personal information (NPI). That said, information that is generally public but has been made private (e.g. an unlisted phone number) must be treated as nonpublic. Examples of nonpublic personal information (NPI) include:
What are the Benefits of GLBA Compliance?
GLBA compliance is a requirement for the majority of financial institutions in the United States. It also lowers the risk of penalties and reputational damage caused by data breaches and data leaks. With the average cost of a data breach reaching $3.92 million globally, it pays to prevent data breaches. GLBA compliance can also help with compliance with the European Union's General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. GDPR provides provisions on data collection, the right to access, the right to erasure, the right to restriction of processing and the right to data portability. These additional privacy and security requirements, alongside the FTC's Privacy of Consumer Financial Information Rule (Privacy Rule), provide consumer protection benefits like:
These benefits improve the reputation of your organization and increase customer trust, leading to greater customer loyalty, lower churn, higher lifetime value and fewer regulatory fines. The multinational nature of banking and the possible implementation of corresponding regulation in some US states mean financial institutions need to take privacy and data protection laws seriously.
What are the Major Components of the Gramm-Leach-Bliley Act?
There are three major components of the GLBA, designed to work together to govern the collection, disclosure and protection of customers' nonpublic personal information (NPI), namely:
What is the GLBA Financial Privacy Rule?
The GLBA Financial Privacy Rule restricts the sharing of nonpublic personal information (NPI) and requires customers to be given a privacy notice at the start of the customer relationship and annually thereafter. The notice outlines what information is collected, where the information is shared, how the information is used and how it is protected, as well as highlighting the customer's right to opt out of information sharing with nonaffiliated third parties pursuant to the provisions of the Fair Credit Reporting Act. If the financial institution's privacy policy changes, customers must be notified so they can accept the changes. Whenever the privacy notice is reestablished, the consumer has the right to opt out again. When customers agree to have their information shared with unaffiliated parties, the unaffiliated parties must handle the information in accordance with the original privacy notice agreement. In short, the Financial Privacy Rule provides a privacy agreement between the financial institution and the customer pertaining to the protection of their nonpublic personal information (NPI). An important thing to understand is that sharing with affiliates (any company controlling, controlled by or under common control with the institution) is not subject to the right to opt out, but customers must be informed of it by the privacy notice. Unaffiliated parties who are excluded from the right to opt out include consumer reporting agencies, third-party vendors whose sole purpose is to perform marketing for the financial institution, and participants in private label credit card programs where the participants are identified to the customer when they enter the program.
What is the GLBA Safeguards Rule?
The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security plan that outlines administrative, technical and physical safeguards that are appropriate for the size and complexity of the organization and its financial activities. Safeguards should:
The information security plan must include:
In summary, the Safeguards Rule forces financial institutions to take a closer look at their information security, data security, network security and cybersecurity to develop an understanding of the cybersecurity risk of their current controls, systems and procedures. To prevent nonpublic personal information (NPI) data leaks, invest in a cybersecurity product that automatically scans for leaked credentials and data exposures.
What is the GLBA Pretexting Protection?
Pretexting, or social engineering, refers to an individual attempting to gain access to customer information under false pretenses. This could be the result of impersonating a customer via phone or email, or through email spoofing, phishing or spear phishing campaigns. GLBA Pretexting Protection encourages organizations to implement safeguards against social engineering. For example, a financial institution may employ social engineering awareness training as part of its overall information security program to reduce the risk that employees will damage consumer privacy as the result of a social engineering attack. Other privacy protection controls may include OPSEC and waste management. Read more about common social engineering defense mechanisms.
What are the Vendor Risk Management Requirements of GLBA?
Under GLBA, financial institutions that disclose nonpublic personal information (NPI) to a third-party vendor or service provider must enter into a contractual agreement prohibiting the disclosure or use of the sensitive information other than to carry out the purposes for which the institution disclosed the information, e.g. marketing. This means that financial institutions are required to oversee service providers by:
Avoid vendors without SOC 2 assurance and consider investing in a cybersecurity tool that can automate vendor risk management by continuously monitoring your vendors' security performance and assigning each of them a security rating. This allows your vendor risk team to remediate the most at-risk vendors first. These tools can provide vendor risk assessment questionnaire templates and help your organization develop a robust third-party risk assessment framework based on GLBA compliance and other frameworks like ISO 27001 and the NIST Cybersecurity Framework. Read more about vendor risk management.
What are the Penalties for GLBA Non-Compliance?
Non-compliance penalties include:
How UpGuard Can Help With GLBA Compliance
UpGuard helps businesses maintain GLBA compliance by identifying and addressing specific security vulnerabilities impacting the regulation. UpGuard also empowers businesses to track third-party compliance against popular regulations by mapping risk assessment responses to security controls. This identifies any compliance gaps placing third parties at a heightened risk of regulatory fines and data breaches. Click here to try UpGuard for free for 7 days.
What is the main purpose of the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties.
What are the two main rules of the GLBA?
The GLBA requires companies that qualify as "financial institutions" to take several affirmative steps in order to prevent the unauthorized collection, use, and disclosure of NPI. It imposes these obligations under two "Rules": (i) the Privacy Rule, and (ii) the Safeguards Rule.
What is a key component of GLBA?
There are three major components of the Gramm-Leach-Bliley Act: the Financial Privacy Rule, the Safeguards Rule, and Pretexting Protection.