What is the Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a United States federal law that mandates financial institutions to disclose their information-sharing practices to their customers and proactively secure sensitive data. Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data.
Key benefits include, but are not limited to:
- help to build and strengthen consumer reliability and trust
- cultivate customer loyalty through safety and security, resulting in a boost in reputation and repeat business
The primary data protection implications of the GLBA are outlined by the Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), created under the GLBA to drive implementation of GLBA requirements. The specific compliance requirements are introduced below.
Penalties for Non-compliance
GLBA non-compliance carries penalties that include fines and imprisonment. Non-compliance penalties include:
- Financial institutions found in violation face fines of $100,000 for each violation.
- Individuals in charge found in violation face fines of $10,000 for each violation.
- Individuals found in violation can be put in prison for up to 5 years.
As a part of GLBA compliance, financial institutions are mandated to meet the following requirements:
Safeguards Rule
The Safeguards Rule requires all financial institutions to design, implement, and maintain security measures to protect customers' private information.
Who does the Safeguards Rule apply to?
The rule applies not only to financial institutions that directly collect information from customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from third parties.
What does the Safeguards Rule entail?
To comply with the Safeguards Rule, companies must develop a written information security plan that describes how they protect customer information. The requirements are flexible depending on the company’s size, complexity, and circumstances, and are ultimately designed to ensure financial institutions assess and address the risks to customer information in all areas of their operation. The three areas that the GLBA identifies as particularly crucial in information security are:
- Employee Management and Training
- Information Systems
- Detecting and Managing System Failures
Financial Privacy Rule
Under this rule, financial institutions must give their customers clear and conspicuous written notice describing their privacy practices and policies.
Who does the Financial Privacy Rule apply to?
All companies that offer consumers financial products or services are required to comply with this Rule. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
What does the Financial Privacy Rule entail?
This rule requires financial institutions to provide each consumer with a privacy notice about “consumer personal information” sharing practices and inform consumers of their right to opt-out. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected.
*** Consumer personal information refers to Nonpublic Personal Information (NPI) that is not publicly available, such as address, income, and SSN.
Pretexting Provisions
Another GLBA standard that involves cybersecurity is the Pretexting Provisions, which encourage financial institutions to develop safeguards against pretexting, also known as social engineering.
Who do the Pretexting Provisions apply to?
As with the Safeguards Rule and the Financial Privacy Rule, the Pretexting Provisions apply not only to financial institutions that directly collect information from customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from third parties.
What do the Pretexting Provisions entail?
To comply with this regulation, organizations often develop a written plan for monitoring account activity, as well as training staff who may otherwise provide NPI to a fraudulent entity.
*** NPI: any “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available”.
How will WCG help you comply with GLBA?
Wilson Consulting Group (WCG) assists financial institutions in determining their level of compliance with the GLBA. We conduct a risk assessment to catalog the systems used for managing NPI and to identify threats and vulnerabilities that put the information at risk. Based on the assessment report, we develop and implement a tailored GLBA compliance program which consists of, but is not limited to:
- Compliance Program plan
- Data maps of all processes that transmit, process, and store PII
- Policies, processes, and standards
- Awareness, training, and education plan
- Service providers agreement and process evaluation
Our FedRAMP process and use of an internal application provide a faster and simpler approach to evaluating controls and identifying deficiencies. Depending on your application or service’s complexity, risk-level categorization, and infrastructure maturity, we can effectively and efficiently get you ready for authorization in up to 60 days, which is an 80% faster time to market.
Our pricing is competitive and straightforward with no hidden agenda, miscellaneous charges, or add-on fees, which provides you with at least 40% cost savings compared to others’ pricing and approach.
Our dedicated team is incredibly talented, knowledgeable, and experienced in conducting FedRAMP assessments and providing consulting in accordance with NIST 800-53 Revision 5. We have unique experiences in working with both the federal government agencies (such as the Department of Homeland Security, Department of Defense, and General Services Administration) and corporate cloud services providers who serve the federal government. These experiences allow us to have the know-how to ensure businesses are successful with their assessments.
Knowledgeable and Experienced Team
Our team has unparalleled experience aiding governments and businesses around the world in defending themselves against cybercrime, reducing risks, complying with regulations, and transforming their IT, security operations & infrastructure.
WCG has hands-on IT experts who have extensive knowledge and experience helping businesses.
We provide simple, straightforward pricing with no hidden agenda, miscellaneous charges, or add-on fees.
Personalized Customer Service
Our personable, dedicated staff are available to answer any questions you have at any time throughout the process.
Proven Track Records
WCG has an exceptional reputation and track record for numerous services.
Adapting to Your Needs
We develop and customize an approach that suits your immediate requirements and future goals. To achieve this, WCG will provide pragmatic insights and balanced views on how to prioritize any associated actions.