The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that regulates how companies designated as "financial institutions" handle their customers' nonpublic personal information (NPI). GLBA requires financial institutions to ensure the security, confidentiality, and integrity of their customers' NPI, including names, addresses, phone numbers, bank statements, social security numbers, credit history, etc. It also obligates financial institutions to notify customers about their information-sharing practices and to inform customers of their right to "opt out" if they do not wish their information to be shared with third-party affiliates. The Federal Trade Commission (FTC) enforces compliance with GLBA.
GLBA is also known as:
- Financial Services Modernization Act of 1999
- Federal Home Loan Bank System Modernization Act of 1999
- Program for Investment in Micro-entrepreneurs Act of 1999
Failure to comply with GLBA can lead to significant penalties and even imprisonment, as discussed in a later section of this article.
Key Objectives of the Gramm-Leach-Bliley Act
The key objective of GLBA is to ensure the confidentiality of customers' financial information and Personally Identifiable Information (PII) through the implementation of proper privacy and security standards, as follows:
1. Privacy Standards
According to GLBA Privacy standards, organizations must notify their customers about their information-sharing practices. The customers must be provided with a means to opt out of unnecessary sharing if needed.
2. Security Standards
The security standards of GLBA seek:
- To ensure that the confidentiality and integrity of private records and data are maintained
- To safeguard customer information from potential cyber threats and attacks
- To protect consumer data and information from unauthorized access that may cause damage or problems to the customer.
Along with the Financial Privacy Rule and protection against social engineering or pretexting (the Pretexting Provisions), GLBA also lays down an explicit compliance component called the Safeguards Rule. The Safeguards Rule obligates financial institutions to develop and implement detailed information security plans to protect the Nonpublic Personal Information (NPI) of customers.
Who Must Comply with GLBA?
All companies or entities designated as a "financial institution" under the law fall within the ambit of GLBA. As per FTC guidance, "the Rule applies to all businesses, regardless of size, that are 'significantly engaged' in providing financial products or services." These businesses may include:
- Insurance services
- Investment guidance
- Financial advisors
- Check-cashing business
- Credit card facilities
- Payday lenders
- Loans like student, personal, or business loans
- Mortgage brokers
- Nonbank lenders
- Debt collection
- Personal property or real estate appraisers
- Online money transfer
- Professional tax preparers
- Courier services, etc.
The GLBA applies to any company providing financial products and services like those mentioned above irrespective of the size of their business.
It is important to note here that as per 16 CFR § 682.3 (Proper disposal of consumer information), "all persons subject to the GLBA and the FTC 'Safeguards Rule' must properly dispose of nonpublic personal information (NPI) by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
What is Nonpublic Personal Information (NPI)?
As per the FTC, NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."
The scope of NPI includes:
- Any information that a customer shares with a financial institution to get a product or service
- Information that is a result of transactions between the customer and the financial institution or due to a service provided by the financial institution to the customer
- Any information procured by the financial institution by using other means
Nonpublic Personal Information (NPI) commonly includes the following details of a customer:
- Social security number
- Personal income
- Marital status
- Details regarding investments and savings
- Loan details
- Deposit balance
- Biometric data
- Asset Information
- Credit Card History
- Bank account details
In most cases, publicly available information is not considered NPI.
What are the GLBA Compliance Requirements?
GLBA compliance is enforced by the Federal Trade Commission (FTC). According to the GLBA, the three main components that a company needs to meet are:
1. The Financial Privacy Rule
The first component of the GLBA compliance checklist is the Financial Privacy Rule. The main purpose of the Financial Privacy Rule is to establish an agreement between financial institutions and their customers regarding the protection of their Nonpublic Personal Information (NPI).
According to the Financial Privacy Rule, a business should provide suitable notices of its privacy norms and policies to consumers. Consumers are defined as those individuals who use the products or services of the business. The notice should include details regarding:
- With whom the information is being shared
- How the shared information will be used
- How private data will be protected
The Financial Privacy Rule provides details pertaining to the collection and disclosure of private financial information in order to regulate the sharing of your customers' Nonpublic Personal Information (NPI) with external agencies. It also requires businesses to give customers the choice to opt in or out of having their NPI disclosed to non-affiliated third parties.
2. The Safeguards Rule
According to the Safeguards Rule, financial institutions must develop, implement, and maintain a detailed information security plan that explains how the business protects current and former customers' nonpublic personal information (NPI). The plan required by the Safeguards Rule should detail the measures adopted to protect NPI and improve cybersecurity, including:
- Protection against common attack vectors, cyber threats, and cyber attacks
- Protection from data leaks, data breaches, and unauthorized access to or use of nonpublic personal information (NPI)
3. The Pretexting Provisions
The Pretexting Provisions help financial institutions build protection against social engineering, or pretexting. This usually happens when a fraudster impersonates the account holder by telephone, by mail, or often through phishing or spear-phishing, and attempts to gain unauthorized or fraudulent access to personal information. Common compliance measures for the Pretexting Provisions include:
- A comprehensive written plan for scrutinizing account activity
- Conducting staff training exercises so that employees do not disclose NPI to fraudulent entities
- Identifying and carrying out Operations Security (OPSEC) processes for risk management
What are Penalties for GLBA Non-Compliance?
GLBA non-compliance penalties can be quite serious for financial institutions. They include both monetary fines and imprisonment. The GLBA non-compliance penalties include:
- A fine of up to $100,000 for each violation
- A fine of up to $10,000 for officers and directors of the financial institution
- In case of a serious violation, individuals may be imprisoned for up to 5 years
- Revocation of licenses
GLBA non-compliance also means damage to the organization's reputation. In the past, companies such as PayPal and Venmo have also faced GLBA non-compliance issues and had to reach settlements with the FTC.
GLBA Compliance Checklist
Following are some of the key items that can help attain compliance with GLBA regulations, especially the Safeguards Rule that mandates a documented information security plan to protect customer information:
- Appoint specific people within the organization to coordinate the information security program as per GLBA guidelines
- Determine and evaluate the risks to customer information in pertinent areas of the company's operation
- Design and set up a data safeguard program and routinely monitor and evaluate it
- Partner only with those affiliates that can maintain the required standard checks
- Ensure that the contract compels partners to maintain safeguards for protecting NPI
How Does Data Erasure Help Attain Compliance with GLBA?
A significant provision of GLBA is anchored on safeguarding the nonpublic personal information of customers through the implementation of an information security plan. The Safeguards Rule identifies three key areas for ensuring information safety and thereby compliance: Employee Management and Training, Information Systems, and Detecting and Managing System Failures. Of these areas, Information Systems deals with the collection and storage of NPI, i.e. what information is being collected, how it is stored, and whether there is a business need to collect the information.
Data erasure technology can help businesses meet compliance needs concerning this Information Systems provision in the Safeguards Rule of GLBA. Software tools such as BitRaser can overwrite (i.e. erase) all unwanted or redundant NPI stored on the hard drives and SSDs of computers and servers to safeguard the data from breach or unwanted exposure. By wiping data storage media clean and providing tamperproof certificates and reports of erasure, BitRaser can guarantee compliance with GLBA.