The Gramm-Leach-Bliley Act (GLBA, GLB Act or the Financial Services Modernization Act of 1999) is a United States federal law requiring financial institutions to explain how they share and protect their customers' nonpublic personal information (NPI).
The GLBA also repealed part of the Glass-Steagall Act of 1993 and the Bank Holding Company Act of 1956 (BHCA), removing barriers for banking, securities and insurance companies to act as any combination of an investment bank, commercial bank and insurance company.
What is the purpose of the Gramm-Leach-Bliley Act?
The primary concern of GLBA is to ensure the confidentiality of customers' personally identifiable information (PII) and financial information by following certain privacy and security standards:
- Privacy standards: Customers must be notified of information sharing practices and provided with a way to opt-out of unnecessary sharing, see U.S.C Title 15 (a) of Sec. 6801
- Security standards: Have an information security policy designed to ensure the confidentiality, integrity and availability of customer records and information; protect customer records from anticipated cyber attacks, cyber threats and other attack vectors; and protect against unauthorized access to or use of customer records or information that could result in harm or inconvenience to the customer, e.g. data breaches and data leaks, see U.S.C Title 15 (b) of Sec. 6801
The GLBA was gives the Consumer Financial Protection Bureau (CFPB), the Securities Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Federal Trade Commission (FTC), federal banking agencies, federal regulatory agencies and state insurance oversight agencies, the ability implement further regulations to ensure appropriate privacy provisions and security regulations. That said, state law can require greater compliance, but not less than what is otherwise required by the GLBA.
Who is regulated by GLBA?
The GLBA applies to financial institutions, any business offering financial products and services to individuals like loans, financial advice, investment advice or insurance. As well as limited obligations on certain third-parties who receive nonpublic personal information (NPI) from GLBA regulated financial institutions.
Examples of financial institutions include:
- Non-bank mortgage lenders
- Real estate appraisers
- Loan brokers
- Some financial or investment advisers
- Debt collectors
- Tax return preparers
- Real estate settlement service providers
As GLBA is focused on customer data, financial institutions who only provide services to other businesses are not covered by GLBA. Nor is an individual who uses an ATM or cashes a check because there is no ongoing customer relationship.
What is nonpublic personal information (NPI)?
Nonpublic personal information (NPI) is all personally identifiable information (PII) and financial information that is:
- Provided by the customer to the financial institution
- Resulting from any transactions with the customer or any service provided to the customer
- Otherwise obtained by the financial institution
Information that is publicly available, or information that the financial institution has a reasonable basis to believe is, is not nonpublic personal information (NPI). That said, information that is generally public but has been made private (e.g. having an unlisted phone number), must be treated as nonpublic.
Examples of nonpublic personal information (NPI) include:
- An individual's income, social security number, marital status, amount of savings or investments, payment history, loan or deposit balance, credit or debit card purchases, account numbers or consumer reports
- The fact the individual has an account with a particular financial institution
- Any list, description or grouping of customers that is derived using a combination of nonpublic personal information (NPI) and publicly available information
- Any information the financial institution has obtained over the customer relationship or collected through cookies
What are the benefits of GLBA compliance?
GLBA compliance is a requirement for the majority of financial institutions in the United States. It also lowers the risk of penalties and reputational damage caused by data breaches and data leaks. With the average cost of a data breach reaching $3.92 million globally, it pays to prevent data breaches.
GLBA compliance can also help with compliance with the European Union's General Data Protection Regulation (GDPR), which became enforceable in 25 May, 2018. GDPR povides provisions on data collection, rights to access, rights to erasure, right to restriction of processing and right to data portability.
These additional privacy and security requirements, alongside the FTC's Privacy of Consumer Financial Information Rule (Privacy Rule) provide consumer protection benefits like:
- Private or sensitive information being secured against unauthorized access
- Customers being notified of private information sharing between financial institutions and third-parties, and having the ability to opt out if desired
- User and employee activity being tracked including any attempts to access sensitive information or protected records
These benefits improve the reputation of your organization and increase customer trust, leading to greater customer loyalty, lower churne, higher lifetime value and less regulatory fines.
The multinational nature of banking and possible implementation of corresponding regulation in some US states means financial institutions need to take privacy and data protection laws seriously.
What are the major components of the Gramm-Leach-Bliley Act?
There are three major components of the GLBA, designed to work together to govern the collection, disclosure and protection of customers' nonpublic personal information (NPI), namely:
- The Financial Privacy Rule: Restricts the sharing of nonpublic personal information (NPI) about an individual and requires financial institutions to provide each consumer with a privacy notice at the start of the customer relationship and annually thereafter.
- The Safeguards Rule: Requires financial institutions to develop an information security plan that describes how the company is prepared for and plans to continue to protect customers' and former customers' nonpublic personal information (NPI).
- Pretexting Protection: Pretexting or social engineering occurs when someone tries to gain access to nonpublic personal information without authority to do so. This may entail requesting private information by impersonating the account holder by phone, by mail or by phishing or spear phishing. GLBA encourages organizations to implement safeguards against pretexting.
What is the GLBA Financial Privacy Rule?
The GLBA Financial Privacy Rule restricts the sharing of nonpublic personal information (NPI) and requires customers to be given a privacy notice at the start of the customer relationship and annually thereafter.
The notice outlines what information is collected, where the information is shared, how the information is used and how it is protected, as well as highlight the customer's right to opt out of information sharing with nonaffiliated third parties pursuant to the provisions of the Fair Credit Reporting Act.
When customers agree to have their information shared with unaffiliated parties, the unaffiliated parties must handle the information in accordance with the original privacy notice agreement.
In short, the Financial Privacy Rule provides a privacy agreement between the financial institution and the customer pertaining to the protection of their nonpublic personal information (NPI).
An important thing to understand that sharing with affiliates (any company controlling, controlled by or under common control) is not subject to the right to opt-out but customers must be informed by the privacy notice.
Unaffiliated parties who are excluded from the right to opt-out include consumer reporting agencies, third-party vendors whose sole purpose is to perform marketing for the financial institution and participants in private label credit card programs where participants are identified to the customer when they enter the program.
What is the GLBA Safeguards Rule?
The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security plan that outlines administrative, technical and physical safeguards that are appropriate for the size and complexity of the organization and its financial activities. Safeguards should:
- Insure the confidentiality, integrity and availability of current and former customers' nonpublic personal information (NPI)
- Protect against common cyber attacks, cyber threats and attack vectors
- Protect against data breaches, data leaks and unauthorized access to or use of nonpublic personal information (NPI)
- Apply to any record containing nonpublic personal information (NPI) whether paper, electronic or other form
The information security plan must include:
- Designation of at least one employee who is responsible for the information security program and its safeguards
- Identify foreseeable internal risks, third-party risks and fourth-party risks to the security, confidentiality, integrity and availability of nonpublic personal information (NPI) that could result in disclosure, misuse, alteration, destruction or other theft
- Perform a thorough cybersecurity risk assessment that assesses the sufficiency of the current safeguards in place to mitigate first, third and fourth-party risk
- Implementation of safeguards to protect against foreseeable risks
- Regular testing of current controls, systems and procedures
- Evaluation and adjustment of the program based on testing and monitoring, changes in business operations or arrangements and any other events of material impact such as how sensitive data is collected, stored or used
In summary, the Safeguards Rule forces financial institutions to take a closer look at their information security, data security, network security and cybersecurity to develop an understanding of the cybersecurity risk of their current controls, systems and procedures.
To prevent nonpublic personal information (NPI) data leaks, invest in a cybersecurity product to automatically scan for leaked credentials and data exposures.
What is the GLBA Pretexting Protection?
Pretexting, or social engineering, refers to when an individual attempts to gain access to customer information under false pretenses.
GLBA Pretexting Protection encourages organizations to implement safeguards against social engineering.
For example, a financial institution may employ social engineering awareness training as part of its overall information security program to reduce the risk that employees will damage consumer privacy as the result of a social engineering attacks.
Other privacy protections controls may include OPSEC and waste management.
What are the vendor risk management requirements of GLBA?
Under GLBA, financial institutions who disclose nonpublic personal information (NPI) to a third-party vendor or service provider must enter into a contractual agreement prohibiting the disclosure or use of the sensitive information other than to carry out the purposes for which the institution disclosed the information, e.g. marketing.
This means that financial institutions are required to oversee service providers by:
- Taking reasonable steps to select and retain service providers who are capable of maintaining appropriate safeguards for customer information
- Contractually requiring service providers to implement and maintain safeguards
Avoid vendors without SOC 2 assurance and consider investing in a cybersecurity tool that can automate vendor risk management by monitoring your vendors' security performance instantly, assigning them a security rating. This will allow your vendor risk team to remediate the most at-risk vendors first.
These tools can provide vendor risk assessment questionnaire templates and help your organization develop a robust third-party risk assessment framework based on GLBA compliance and other frameworks like ISO 27001 and the NIST Cybersecurity Framework.
What are the penalties for GLBA non-compliance?
Non-compliance penalties include:
- $100,000 fine for each violation for financial institutions
- $10,000 fine for each violation for individuals
- Up to 5 years in prison for individuals
How UpGuard can help with GLBA compliance
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.