
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a US law that modernized the financial industry by making two major regulatory changes:

  1. It removed barriers between banks, securities firms, and insurance companies by allowing them to merge and work together for the first time since the Great Depression.
  2. It created rules to protect consumer privacy by requiring financial institutions to be transparent about how they use, share, and protect non-public personal information (NPI), and gave customers the right to opt out of having their information shared with nonaffiliated third parties.


What is the purpose of the GLBA?

The purpose of the Gramm-Leach-Bliley Act (GLBA) was to allow for a more efficient and integrated financial services sector without degrading the privacy rights of consumers.

Allowing for a more integrated financial sector

Prior to the Gramm-Leach-Bliley Act (GLBA), Depression-era legislation (chiefly the Glass-Steagall Act of 1933) blocked banks, insurance companies, and investment firms from merging or partnering, in an effort to prevent a repeat of the banking collapse that accompanied the Great Depression. Though sensible at the time, this separation ran against growing consumer demand for a simpler, one-stop financial services industry. It was this economic pressure, paired with the landmark 1998 merger between Citicorp and Travelers Group, that led to the GLBA being passed.

Protecting consumer’s non-public personal information

Giving financial service providers the freedom to consolidate their services meant also giving them freedom to consolidate the highly sensitive financial data they had been collecting from customers. This introduced several risks:

  1. A merged institution would concentrate far larger volumes of sensitive information in one place, making a single data breach far more destructive
  2. A merged institution would hold enough data to profile, target, and discriminate against consumers
  3. A merged institution would now hold data about customers who never consented to it collecting that data (for example, a bank's customers becoming data subjects of an insurer they never dealt with)

To mitigate these risks the GLBA mandated a series of rules that ensure consumers have control over their data while holding financial institutions accountable for data security.

The GLBA’s rules & how to comply with them

The GLBA introduced three rules for financial service providers to follow:

  1. Financial Privacy Rule
  2. Safeguards Rule
  3. Pretexting Protection Rule

Each rule tackles a specific aspect of collecting, disclosing, and protecting consumers’ non-public personal information.

The Financial privacy rule

The Financial Privacy Rule requires all financial institutions to provide their customers with a privacy notice (privacy policy) when the customer relationship begins and annually thereafter. It also requires financial institutions to send a revised notice, and a fresh opportunity to opt out, before they begin sharing information in any way not described in the notice the customer previously received.

Privacy policy requirements for the GLBA

The GLBA requires financial institutions to explain their information-sharing practices to their customers in their privacy notice. To do this, the notice must state:

  • What information the institution collects, and how that information is used, shared, and protected
  • The privacy rights of consumers, including the right to opt out of information being shared with nonaffiliated third parties, and how to exercise that opt-out


The Safeguards Rule

The Safeguards Rule requires financial institutions to have reasonable measures in place to protect their customers' non-public personal information through a written information security program. To ensure financial institutions develop, implement, and maintain an adequate information security program, the Safeguards Rule also sets minimum standards for that program. The FTC's version of the rule (16 CFR Part 314, substantially amended in 2021) applies to institutions under the FTC's jurisdiction; banks and credit unions follow equivalent guidelines issued by their own federal regulators.

Developing an information security program to GLBA standards

To meet the requirements of the Safeguards Rule, financial institutions must develop an information security program that meets the standard set under the GLBA. To meet that standard, all financial institutions must:

  1. Designate a qualified individual responsible for:
    • the development, implementation, and oversight of their information security program
    • a written status report, at least annually, to the board of directors or equivalent governing body
  2. Conduct and document a risk assessment to identify foreseeable internal and external threats to the security, confidentiality, and integrity of customer information
  3. Design and implement safeguards to control the risks identified in the risk assessment. The amended FTC rule names specific safeguards, including access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, secure disposal, change management, and logging and monitoring of user activity.
  4. Regularly test and monitor those safeguards. The FTC rule accepts either continuous monitoring or, at a minimum, annual penetration testing plus vulnerability assessments at least every six months.
    • Results from testing and monitoring must be evaluated
    • In light of those results, any required adjustments to the information security program must be made
  5. Implement policies, procedures, and staff security awareness training to ensure the information security program is followed
  6. Take reasonable steps to select service providers capable of protecting customer information, require those safeguards by contract, and periodically assess the providers
  7. Establish a written incident response plan for incidents affecting the security of customer information
  8. Notify the Federal Trade Commission about any notification event, defined as 'the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains'. Under the 2023 amendment, notice is required when the event involves at least 500 consumers and must be given no later than 30 days after the event is discovered. Information is treated as unencrypted if the encryption key was also compromised, so a breach of key material can make an otherwise encrypted data set reportable.

The Pretexting Protection Rule

The GLBA's pretexting provisions prohibit obtaining customer information of a financial institution under false pretenses and expect institutions to maintain safeguards against it. Pretexting is a form of social engineering: the attacker invents a plausible pretext (posing as the customer, a colleague, or a regulator, for example) to trick staff or automated systems into disclosing private information.

Under pretexting protection, financial institutions are required to:

  1. Have mechanisms in place to detect unauthorized access to non-public personal information, including attempts made through legitimate customer-service channels
  2. Train employees to recognize and deflect pretexting attempts, whether they arrive by phone, post, email, or other phishing channels
  3. Audit these protective measures regularly to confirm they remain effective

What types of companies does the GLBA regulate?

The FTC describes the financial institutions covered by the GLBA as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance". The statutory definition is broad: any institution significantly engaged in financial activities, regardless of whether it calls itself a bank.

This includes:

  • Banks
  • Mortgage lenders
  • Financial advisers
  • Tax preparers
  • Real estate appraisers & settlement service providers
  • Loan brokers
  • Debt collectors

GLBA compliance is mandatory. Whether or not a financial institution discloses nonpublic personal information, it must still have a written program in place to protect that information against foreseeable threats to its security and integrity.

What types of data does the GLBA protect?

The GLBA’s rules were implemented to protect the customer information of consumers.

What is ‘customer information’?

Customer information, or customer data, is a collection of details and data points about a company’s customers. In the context of the financial industry, the FTC defines customer information as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates”.

What is ‘nonpublic personal Information’ (NPI)?

Nonpublic personal information (NPI) is personally identifiable financial information that a consumer provides to obtain a financial product or service, that results from a transaction involving such a product or service, or that the institution otherwise obtains in connection with providing it, together with any list or grouping of consumers derived from that information. Information that is lawfully and publicly available is excluded.

Some examples of nonpublic personal information are:

  • Social Security numbers
  • Credit scores
  • Account numbers, such as bank account or credit card numbers
  • Income history
  • Information obtained through tracking cookies

What are the fines for violating the GLBA?

The penalties for violating the GLBA are civil fines of up to $100,000 per violation for institutions and up to $10,000 per violation for individuals, such as directors or officers. The pretexting provisions also carry criminal penalties: obtaining customer information under false pretenses can be punished by imprisonment of up to five years, or up to ten years in aggravated cases.