Overview of the Gramm-Leach-Bliley Act (GLBA)
In the regular course of business, many companies that possess consumers’ financial information share it with their affiliates and other business partners. Owing to the sensitive nature of such financial information, the U.S. Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, to protect consumer financial privacy. GLBA requires companies acting as “financial institutions” – i.e., companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The provisions of the law limit when a company acting as a financial institution may disclose a consumer’s nonpublic personal information (NPI) to nonaffiliated third parties. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to opt out if they don’t want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
The law further requires that covered entities protect the security, confidentiality, and integrity of customer information.
Who must comply with this law
GLBA applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services to consumers. This includes many companies not traditionally considered to be financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, retailers that issue branded credit cards, professional tax preparers, and courier services. The law also applies to companies like credit reporting agencies and ATM operators that receive information about customers of other financial institutions. In addition to developing their own safeguards, companies covered by the law are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
The financial activities in which these companies engage require them to collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
GLBA compliance is mandatory. Whether or not a financial institution discloses NPI, it must have a policy in place to protect the information from foreseeable threats to security and data integrity.
Penalties for noncompliance with GLBA
GLBA calls for severe civil and criminal penalties for noncompliance, including fines and imprisonment. If a financial institution violates GLBA:
- The institution will be subject to a civil penalty of not more than $100,000 for each violation
- Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
- The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both
The top information protection requirements of GLBA
The Gramm-Leach-Bliley Act put several major requirements into place to govern the collection, disclosure, and protection of consumers’ nonpublic personal information or personally identifiable information (PII).
Financial Privacy Rule – This rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act. Unaffiliated parties receiving the nonpublic information are bound by the terms the consumer accepted under the original relationship agreement.
Safeguards Rule – This rule requires financial institutions to develop a written information security plan describing their processes and procedures for protecting clients’ NPI. Covered entities must conduct a thorough risk analysis of each department handling the nonpublic information, as well as develop, monitor, and test a program to secure the information. If there are changes in how information is collected, stored, and used, the safeguards must be updated as well. The federal government provides a set of standards for safeguarding customer information.
Security requirements for GLBA
Section 501 of the GLBA, “Protection of Nonpublic Personal Information,” requires financial institutions to establish appropriate standards related to the administrative, technical, and physical safeguards of customer records and information. The scope of these safeguards is defined in the GLBA Data Protection Rule, which states that financial institutions must:
- Ensure the security and confidentiality of customer data
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such data
- Protect against unauthorized access to, or use of, such data that would result in substantial harm or inconvenience to any customer
Many federal agencies oversee financial institutions, and the Federal Financial Institutions Examination Council (FFIEC) designs and supervises audits for the majority of them. The FFIEC publishes the IT Examination Handbook, which provides guidance for the IT security controls that can or should be used to protect nonpublic information under GLBA.
According to the IT Examination Handbook, financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:
- Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk
- Effective key management practices
- Robust reliability
- Appropriate protection of the encrypted communication’s endpoints