The Basics of Gramm–Leach–Bliley Act (GLBA) Worth Knowing

Written by Pravin Mehta

Updated on July 22, 2022

3 min read

The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that regulates how companies designated as “financial institutions” handle their customers' nonpublic personal information (NPI). GLBA mandates that financial institutions ensure the security, confidentiality, and integrity of their customers' NPI, including names, addresses, phone numbers, bank statements, social security numbers, credit history, etc. It also obligates financial institutions to notify customers about their information-sharing practices and to inform customers of their right to “opt out” if they do not wish their information to be shared with third-party affiliates. The Federal Trade Commission (FTC) enforces compliance with GLBA.

GLBA is also known as:

  • Financial Services Modernization Act of 1999
  • Federal Home Loan Bank System Modernization Act of 1999
  • Program for Investment in Micro-entrepreneurs Act of 1999

Failure to comply with GLBA can lead to significant penalties and even imprisonment, as discussed in a later section of this article.

Key Objectives of the Gramm-Leach-Bliley Act

The key objective of GLBA is to ensure the confidentiality of customers' financial information and Personally Identifiable Information (PII) through the implementation of proper privacy and security standards, as follows:

1. Privacy Standards

According to the GLBA privacy standards, organizations must notify their customers about their information-sharing practices. Customers must also be provided with a means to opt out of unnecessary sharing.

2. Security Standards

The security standards of GLBA seek:

  • To ensure that the confidentiality and integrity of private records and data are maintained
  • To safeguard customer information from potential cyber threats and attacks
  • To protect consumer data and information from unauthorized access that may cause damage or problems to the customer.

Along with the Financial Privacy Rule and protection against social engineering or pretexting (the Pretexting Provisions), GLBA also lays down an explicit compliance component called the Safeguards Rule. The Safeguards Rule obligates financial institutions to develop and implement detailed information security plans to protect the Nonpublic Personal Information (NPI) of customers.

Who Must Comply with GLBA?

All companies or entities designated as a “financial institution” under the law fall within the ambit of GLBA. As per FTC guidance, “the Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services.” These businesses may include:

  • Insurance services
  • Investment guidance
  • Financial advisors
  • Check-cashing business
  • Credit card facilities
  • Payday lenders
  • Loans like student, personal, or business loans
  • Mortgage brokers
  • Nonbank lenders
  • Debt collection
  • Personal property or real estate appraisers
  • Online money transfer
  • Professional tax preparers
  • Courier services, etc.

The GLBA applies to any company providing financial products and services like those mentioned above irrespective of the size of their business.

It is important to note here that as per 16 CFR § 682.3 - Proper disposal of consumer information, “all persons subject to the GLBA and the FTC “Safeguards Rule” must properly dispose of nonpublic personal information (NPI) by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”

What is Nonpublic Personal Information (NPI)?

As per FTC, NPI is any "personally identifiable financial information" that a financial institution collects about an individual with regard to providing a financial product or service, unless that information is otherwise "publicly available."

The scope of NPI includes:

  • Any information that a customer shares with a financial institution to get a product or service
  • Information that is a result of transactions between the customer and the financial institution or due to a service provided by the financial institution to the customer
  • Any information procured by the financial institution by using other means

Nonpublic Personal Information (NPI) commonly includes the following details of a customer:

  1. Social security number
  2. Personal income
  3. Marital status
  4. Details regarding investments and savings
  5. Loan details
  6. Deposit balance
  7. Biometric data
  8. Asset Information
  9. Credit Card History
  10. Bank account details

In most cases, publicly available information is not considered NPI.

What are the GLBA Compliance Requirements?

GLBA compliance is enforced by the Federal Trade Commission (FTC). According to the GLBA, the three main components that a company needs to meet are:

1. The Financial Privacy Rule

The first component of the GLBA compliance checklist is the Financial Privacy Rule. Its main purpose is to establish an agreement between financial institutions and their customers regarding the protection of customers' Nonpublic Personal Information (NPI).

According to the Financial Privacy Rule, a business must provide suitable notices of its privacy norms and policies to consumers, defined as the individuals who use the products or services of the business. The notice should include details regarding:

  • With whom the information is shared
  • How the shared information will be used
  • How private data will be protected

The Financial Privacy Rule sets out requirements for the collection and disclosure of private financial information, regulating the sharing of customers' Nonpublic Personal Information (NPI) with external agencies. It also requires businesses to give customers the choice to opt in or out of having their NPI disclosed to non-affiliated third parties.

2. The Safeguards Rule

According to the Safeguards Rule, financial institutions must develop, implement, and maintain a detailed information security plan that explains how the business protects current and former customers' nonpublic personal information (NPI). The plan should detail the measures adopted to build an NPI protection program and improve cybersecurity, including:

  • Protection against common attack vectors, cyber threats, and cyber attacks
  • Protection from data leaks, data breaches, and unauthorized access to or use of nonpublic personal information (NPI)

3. The Pretexting Provisions

The Pretexting Provisions require financial institutions to build protection against social engineering, or pretexting. Pretexting occurs when a fraudster impersonates the account holder by telephone, mail, or often by phishing or spear-phishing, in order to gain unauthorized or fraudulent access to personal information. Common compliance measures for the Pretexting Provisions include:

  • A comprehensive written plan for scrutinizing account activity
  • Staff training exercises so that employees do not disclose NPI to fraudulent entities
  • Identifying and carrying out Operations Security (OPSEC) processes for risk management

What are Penalties for GLBA Non-Compliance?

GLBA non-compliance penalties can be quite serious for financial institutions, and include both monetary fines and imprisonment:

  • A fine of up to $100,000 for each violation
  • A fine of up to $10,000 for officers and directors of the financial institution
  • In case of a serious violation, individuals may be imprisoned for up to 5 years
  • Revocation of licenses

GLBA non-compliance also damages the organization's reputation. In the past, companies such as PayPal and Venmo have faced GLBA non-compliance issues and had to reach settlements with the FTC.

GLBA Compliance Checklist

The following are some of the key items that can help attain compliance with GLBA regulations, especially the Safeguards Rule, which mandates a documented information security plan to protect customer information:

  • Appoint specific people within the organization to coordinate the information security program as per GLBA guidelines
  • Determine and evaluate the risks to customer information in each pertinent area of the company's operations
  • Design and set up a data safeguard program and routinely monitor and evaluate it
  • Partner only with those affiliates that can maintain the required standard checks
  • Ensure that the contract compels partners to maintain safeguards for protecting NPI

How Data Erasure Can Help Attain Compliance with GLBA

A significant provision of GLBA is anchored on safeguarding the nonpublic personal information of customers through the implementation of an information security plan. The Safeguards Rule identifies three key areas for ensuring information safety and thereby compliance: Employee Management and Training, Information Systems, and Detecting and Managing System Failures. Of these, Information Systems deals with the collection and storage of NPI, i.e. what information is collected, how it is stored, and whether there is a business need to collect it.

Data erasure technology can help businesses meet the compliance needs concerning this Information Systems provision of the Safeguards Rule. Software tools such as BitRaser can overwrite (i.e. erase) unwanted or redundant NPI stored on the hard drives and SSDs of computers and servers, safeguarding the data from breach or unwanted exposure. By wiping the storage media clean and providing tamperproof certificates and reports of erasure, BitRaser can guarantee compliance with GLBA.

BitRaser® & Stellar Data Recovery are Registered Trademarks of Stellar Information Technology Pvt. Ltd. © Copyright 2023 Stellar Information Technology Pvt. Ltd. All Trademarks Acknowledged.