What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA, GLB Act, or the Financial Services Modernization Act of 1999) is a United States federal law requiring financial institutions to explain how they share and protect their customers' non-public personal information (NPI).

The GLBA also repealed part of the Glass-Steagall Act of 1993 and the Bank Holding Company Act of 1956 (BHCA), removing barriers for banking, securities, and insurance companies to act as any combination of an investment bank, commercial bank, and an insurance company.

What is the Purpose of the Gramm-Leach-Bliley Act (GLBA)?

The primary concern of GLBA is to ensure the confidentiality of customers' personally identifiable information (PII) and financial information by following specific privacy and security standards:

• Privacy standards: Customers must be notified of information-sharing practices and provided a way to opt-out of unnecessary sharing, see U.S.C Title 15 (a) of Sec. 6801
• Security standards: Have an information security policy designed to ensure the confidentiality, integrity, and availability of customer records and information; protect customer records from anticipated cyber attacks, cyber threats, and other attack vectors; and protect against unauthorized access to or use of customer records or information that could result in harm or inconvenience to the customer, e.g., data breaches and data leaks, see U.S.C Title 15 (b) of Sec. 6801

The GLBA gives the following entities the ability to implement further regulations to ensure appropriate privacy provisions and security.:

• Consumer Financial Protection Bureau (CFPB)
• The Securities Exchange Commission (SEC)
• The Commodity Futures Trading Commission (CFTC)
• The Federal Trade Commission (FTC)
• Federal banking agencies
• Federal regulatory agencies
• State insurance oversight agencies

State law can require greater compliance, but not less than what is otherwise required by the GLBA.

Who Does the GLBA Regulate?

The GLBA applies to financial institutions and businesses offering financial products and services to individuals like loans, financial advice, investment advice, or insurance, as well as limited obligations on certain third parties who receive non-public personal information (NPI) from GLBA-regulated financial institutions.

Examples of financial institutions include:

• Non-bank mortgage lenders
• Real estate appraisers
• Loan brokers
• Some financial or investment advisers
• Debt collectors
• Tax return preparers
• Courier services
• Banks
• Real estate settlement service providers

What is Non-Public Personal Information (NPI)?

Non-public personal information (NPI) is all personally identifiable information (PII) and financial information that is:

• Provided by the customer to the financial institution
• Resulting from any transactions with the customer or any service provided to the customer
• Otherwise obtained by the financial institution

Information that is publicly available, or information that the financial institution has a reasonable basis to believe is public, is not considered non-public personal information (NPI). That said, information that is generally public but has been made private (e.g., having an unlisted phone number) must be treated as non-public.

Examples of non-public personal information (NPI) include:

• An individual's income, social security number, marital status, amount of savings or investments, payment history, loan or deposit balance, credit or debit card purchases, account numbers, or consumer reports
• The fact the individual has an account with a particular financial institution
• Any list, description, or grouping of customers that is derived using a combination of nonpublic personal information (NPI) and publicly available information
• Any information the financial institution has obtained over the customer relationship or collected through cookies

What are the Benefits of GLBA Compliance?

GLBA compliance is a requirement for most financial institutions in the United States. It also lowers the risk of penalties and reputational damage caused by data breaches and leaks. With the average cost of a data breach reaching $4.35 million globally, it’s more important than ever to proactively prevent data breaches.

GLBA compliance can also help organizations comply with the European Union's General Data Protection Regulation (GDPR), which became enforceable on May 25th, 2018. GDPR provides provisions on data collection, rights to access, rights to erasure, right to restriction of processing, and right to data portability.

These data privacy and security requirements, alongside the FTC's Privacy of Consumer Financial Information Rule (Privacy Rule), provide consumer protection benefits like:

• Private or sensitive information is secured against unauthorized access
• Customers being notified of private information sharing between financial institutions and third parties and having the ability to opt-out if desired
• User and employee activity being tracked, including any attempts to access sensitive data or protected records

These benefits improve the reputation of your organization and increase customer trust, leading to greater customer loyalty, lower churn, higher lifetime value, and fewer regulatory fines.

The multinational nature of banking and the possible implementation of corresponding regulation in some US states means financial institutions must take privacy and customer data protection laws seriously.

What are the Major Rules of the Gramm-Leach-Bliley Act (GLBA)?

There are three major rules of the GLBA, designed to work together to govern the collection, disclosure, and protection of customers' non-public personal information (NPI), namely:

• The Financial Privacy Rule: Restricts the sharing of non-public personal information (NPI) about an individual and requires financial institutions to provide each consumer with a privacy notice at the start of the customer relationship and annually after that.
• The Safeguards Rule: Requires financial institutions to develop an information security plan that describes how the company is prepared for and plans to continue to protect customers' and former customers' non-public personal information (NPI).
• Pretexting Protection: Pretexting or social engineering occurs when someone tries to gain access to non-public personal information without the authority to do so. This may entail requesting private information by impersonating the account holder by phone, mail, or by phishing or spear phishing. GLBA encourages organizations to implement safeguards against pretexting.

1. GLBA Financial Privacy Rule

The GLBA Financial Privacy Rule restricts the sharing of non-public personal information (NPI) and requires customers to be given a privacy notice at the start of the customer relationship and every year after that.

The notice outlines what information is collected, where it is shared, how it is used, and how it is protected and highlights the customer's right to opt out of information sharing with non-affiliated third parties under the provisions of the Fair Credit Reporting Act.

If the financial institution's privacy policy changes, customers be notified for acceptance of changes. Whenever the privacy notice is re-established, the consumer has the choice to opt out again.

When customers agree to have their information shared with unaffiliated parties, the unaffiliated parties must handle the information following the original privacy notice agreement.

In short, the Financial Privacy Rule provides a privacy agreement between the financial institution and the customer regarding the protection of their non-public personal information (NPI).

An important thing to understand is that sharing with affiliates (any company controlling, controlled by, or under common control) is not subject to the right to opt out, but customers must be informed by the privacy notice.

Unaffiliated parties excluded from the right to opt out include consumer reporting agencies, third-party vendors who provide marketing services for the financial institution, and participants in private label credit card programs where participants are identified to the customer when they enter the program.

2. GLBA Safeguards Rule

The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security plan that outlines administrative, technical, and physical safeguards appropriate for the organization's size and complexity, and financial activities. Safeguards should:

• Ensure the confidentiality, integrity, and availability of current and former customers' nonpublic personal information (NPI)
• Protect against common cyber attacks, cyber threats, and attack vectors
• Protect against data breaches, data leaks, and unauthorized access to or use of nonpublic personal information (NPI)
• Apply to any record containing nonpublic personal information (NPI), whether paper, electronic or other forms

The information security plan must include the following:

• Designation of at least one employee who is responsible for the information security program and its safeguards
• Identify foreseeable internal risks, third-party risks, and fourth-party risks to the security, confidentiality, integrity, and availability of nonpublic personal information (NPI) that could result in the disclosure, misuse, alteration, destruction, or other theft
• Perform a thorough cybersecurity risk assessment that assesses the sufficiency of the current safeguards in place to mitigate first, third and fourth-party risk
• Implementation of safeguards to protect against foreseeable risks
• Regular testing of current controls, systems, and procedures
• Evaluation and adjustment of the program based on testing and monitoring, changes in business operations or arrangements, and any other events of material impact, such as how sensitive or personal data is collected, stored, or used

In summary, the Safeguards Rule forces financial institutions to take a closer look at their information security, data security, network security, and cybersecurity to understand the cybersecurity risk of their current controls, systems, and procedures.

To prevent non-public personal information (NPI) data leaks, invest in a cybersecurity product to automatically scan for leaked credentials and data exposures.

3. GLBA Pretexting Provision

Pretexting, or social engineering, refers to when scammers attempt to gain access to customer information under false pretenses.  This could result from impersonating a customer via phone, email, or through email spoofing phishing or spear phishing campaigns.

The GLBA Pretexting Provision Rule requires organizations to implement safeguards against social engineering. For example, a financial institution may employ social engineering awareness training as part of its overall information security program to reduce the risk that employees will compromise consumer privacy.

More importantly, the Pretexting Rule allows social engineering scams to be prosecuted under the full extent of the law.

Other privacy protection controls may include OPSEC and waste management.

Read more about common social engineering defense mechanisms.

What are the Vendor Risk Management (VRM) Requirements of GLBA?

Under GLBA, financial institutions who disclose non-public personal information (NPI) to a third-party vendor or service provider must enter into a contractual agreement prohibiting the disclosure or use of sensitive information other than to carry out the purposes for which the institution disclosed such information, such as for marketing purposes.

This means that financial institutions are required to oversee service providers by:

• Taking reasonable steps to select and retain service providers who are capable of maintaining appropriate safeguards for customer information
• Contractually requiring service providers to implement and maintain safeguards

Avoid vendors without SOC 2 assurance and consider investing in a cybersecurity tool that can automate vendor risk management by monitoring your vendors' security performance instantly and assigning them a security rating - initiatives stemming from a specialized sector of third-party cybersecurity known as Vendor Risk Management. This will allow your vendor risk team to remediate the most at-risk vendors first to meet the GLBA requirements.

These tools can provide vendor risk assessment questionnaire templates and help your organization develop a robust third-party risk assessment framework based on GLBA compliance and other frameworks like ISO 27001 and the NIST Cybersecurity Framework.

What are the Penalties for GLBA Non-Compliance?

Non-compliance penalties include:

• $100,000 fine for each violation by financial institutions
• $10,000 fine for each violation for individuals
• Up to 5 years in prison for individuals

How UpGuard Can Help With GLBA Compliance

UpGuard helps businesses maintain GLBA compliance by identifying and addressing specific security vulnerabilities impacting the regulation. UpGuard offers a customizable questionnaire builder that can be adapted to GLBA compliance standards.

UpGuard also empowers businesses to track third-party compliance against popular regulations by mapping risk assessment responses to security controls. This identifies any compliance gaps, placing third parties at a heightened risk of regulatory fines and data breaches.