Gramm–Leach–Bliley Act (GLBA)


Gramm–Leach–Bliley Act (GLBA) aims to protect personally identifiable information (PII) and financial data belonging to customers of financial institutions.

  • Est. 1999
  • applies to the collection, use, disclosure and safeguarding of nonpublic personal information
  • Personally identifiable information (PII) is any data that can identify a specific person.

Scope

  • defines financial institution as a business that is significantly engaged in offering financial services
    • significantly engaged is determined by two factors:
      • the formality of offering financial services
      • the frequency of offering financial services
    • includes:
      • banks
      • savings and loans
      • credit unions
      • insurance companies
      • securities firms
      • some retailers and automobile dealers that collect and share personal information about consumers to whom they extend or arrange credit
      • businesses that use financial data to collect debts from customers

Requirements

  • must secure every pertinent record against unauthorized access
  • track people’s access to these records
  • notify customers when their information is shared
  • must have a documented information security act in place and an overarching information security program to handle security for the organization
  • mandates the disclosure of an institution’s information collection and information sharing practices
  • establishes requirements for providing privacy notices and opt-outs to consumers

GLBA Privacy Rule

GLBA Privacy Rule requires financial institutions to safeguard a consumer’s “nonpublic personal information” (NPI).

  • intended to protect consumer privacy by:
    • better informing consumers about how their financial information is being used
    • regulating the use of consumer financial information by financial institutions
  • FI must share a privacy notice with the customer when the business relationship first begins
    • must provide updated privacy notices annually afterwards
  • privacy notice must describe:
    • privacy policies
    • how customer information is collected, used, and shared
    • reference to information security safeguards in place to protect customer data
  • customers must be informed about third-party information sharing
    • but customer consent is not required
  • recognizes a legal difference between customer and consumer
    • customer
      • has an ongoing regular relationship with a financial institution
      • e.g., account holder at bank
      • FI must provide full privacy notices to customers
    • consumer
      • conducts isolated transactions
      • e.g., cashing a check at bank, visiting bank website
      • FI only needs to provide a summary privacy notice with instructions to access full notice

GLBA Safeguards Rule

GLBA Safeguards Rule provides a framework for financial institutions’ obligations for protecting information security.

  • requires FI to
    • implement information security program to protect customer information
    • attempt to anticipate threats and risks of unauthorized information access or disclosure
    • implement appropriate risk-based controls against these threats and risks
    • designate personnel to manage:
      • information security program
      • ongoing assessment of risks and controls
      • assessment of whether third-party partners meet the requirements of the FI’s infosec program
  • emphasizes 3 categories of controls:
    • workforce training
    • securing of information systems
    • ongoing monitoring of information systems for problems
  • also focuses on data loss and exposure controls

Resources