The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a United States federal law that requires financial institutions to disclose their information-sharing practices to their customers and to proactively secure sensitive customer data. Complying with the GLBA lowers a financial institution's exposure to penalties and to the reputational damage caused by unauthorized sharing or loss of private customer data.
The primary data protection requirements of the GLBA are set out in the Safeguards Rule, with additional privacy requirements set out in the FTC's Privacy of Consumer Financial Information Rule (Privacy Rule); both rules were issued by the FTC under the GLBA to implement its requirements. The specific compliance requirements are introduced below.
The GLBA carries penalties for non-compliance, including fines and imprisonment. Non-compliance penalties include:
As part of GLBA compliance, financial institutions are required to meet the following requirements:
Safeguards Rule
The Safeguards Rule requires all financial institutions to design, implement, and maintain security measures that protect customer information.
Who does the Safeguards Rule apply to?
The rule applies not only to financial institutions that directly collect information from customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from third parties.
What does the Safeguards Rule entail?
To comply with the Safeguards Rule, companies must develop a written information security plan that describes how they protect customer information. The requirements are flexible and scale with the company's size, complexity, and circumstances, and are ultimately designed to ensure that financial institutions assess and address the risks to customer information in every area of their operation. The three areas that the GLBA identifies as particularly crucial to information security are:
Financial Privacy Rule
Under the Financial Privacy Rule, financial institutions must give their customers clear and conspicuous written notice describing their privacy practices and policies.
Who does the Financial Privacy Rule apply to?
All companies that offer consumers financial products or services are required to comply with this Rule. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
What does the Financial Privacy Rule entail?
This rule requires financial institutions to provide each consumer with a privacy notice describing how "consumer personal information" is shared and to inform consumers of their right to opt out of that sharing. The privacy notice must explain what information is collected about the consumer, with whom that information is shared, how that information is used, and how that information is protected.
*** Consumer personal information refers to nonpublic personal information (NPI): personally identifiable financial information that is not publicly available, such as address, income, and Social Security number.
Pretexting Provisions
Another GLBA standard that involves cybersecurity is the Pretexting Provisions, which encourage financial institutions to develop safeguards against pretexting, the practice of obtaining customer information under false pretenses, a form of social engineering.
Who do the Pretexting Provisions apply to?
As with the Safeguards Rule and the Financial Privacy Rule, the Pretexting Provisions apply not only to financial institutions that directly collect information from customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from third parties.
What do the Pretexting Provisions entail?
To comply with this regulation, organizations typically develop a written plan for monitoring account activity and train the staff who might otherwise disclose NPI to a fraudulent requester.
*** NPI: any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available".
Wilson Consulting Group (WCG) assists financial institutions in determining their level of compliance with the GLBA. We conduct a risk assessment to catalog the systems used for managing NPI and to identify the threats and vulnerabilities that put that information at risk. Based on the assessment report, we develop and implement a tailored GLBA compliance program that consists of, but is not limited to:
Our team has unparalleled experience aiding governments and businesses around the world in defending themselves against cybercrime, reducing risks, complying with regulations, and transforming their IT, security operations & infrastructure.
WCG has hands-on IT experts who have extensive knowledge and experience helping businesses.
We provide simple, straightforward pricing with no hidden charges, miscellaneous fees, or add-on costs.
Our personable, dedicated staff are available to answer any questions you have at any time throughout the process.
WCG has an exceptional reputation and track record for numerous services.
We develop and customize an approach that suits your immediate requirements and future goals. To achieve this, WCG will provide pragmatic insights and balanced views on how to prioritize any associated actions.