The GLBA is one of many data privacy laws that protect customer information. Find out what it is and how to reach compliance.
The GLBA, or Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999), primarily affects financial institutions. They must provide privacy notices to customers, protect customer information through physical and electronic safeguards, and restrict what personal customer information they share with third parties. Like the European Union's General Data Protection Regulation (GDPR), it is a privacy law that requires companies and other organisations to explain how they protect, share, and use the private information of their customers.
But what is considered a “financial institution”?
Under the GLBA, a financial institution is any company that provides financial products or services: banks, investment banks, securities firms, insurance companies, non-bank mortgage lenders, real estate appraisers, loan brokers, financial or investment advisers, debt collectors, tax return preparers, and real estate settlement service providers. Accountants, professional tax preparers, and courier services must also comply. Colleges and universities are covered as well, since they collect and share financial information from students.
If your organization has to comply with the GLBA, there are several things that you have to do to meet compliance.
The first big hurdle is to provide a privacy notice to customers, before you start doing business with them, that details what personal information you will gather, how it will be used, and how it will be protected from unauthorised access, misuse by outsiders, or leaks. Customers also need to know how they can opt out of having their information shared with third parties, and which sharing they cannot opt out of (for example, sharing with service providers and marketing partners used by your financial institution, or with law enforcement).
The other major compliance requirement is a written information security programme. You must describe these policies to customers, in writing, covering how each department will protect customer data and how the institution will conduct regular risk assessment, monitoring, and testing of the practices and controls meant to protect that data.
Like many other data privacy laws, the GLBA requires companies subject to it to protect the personally identifiable information of customers, including credit card and bank card numbers, credit and income histories, Social Security numbers, addresses, names, phone numbers, and any other personal data that the financial institution collects.
Failure to comply could result in civil penalties up to $100,000 for each violation, fines up to $10,000 for individual officers and directors of an institution, or even imprisonment for up to five years.
Definition of Security Events
“an event resulting in unauthorised access to, or disruption or misuse of, an information system or information stored on such information system”
This definition is important because the threshold is unauthorised access alone (subject to the rule's exclusions), not proven theft of data. Under the new Safeguards Rule, a ransomware or DDoS attack would be considered a security event, alongside conventional data theft of the kind seen in the recent Capital One data breach. Such events must be monitored, and appropriate action taken to resolve them.
Monitor User Activity
The regulators understand that financial companies will need more than just an audit trail to detect attackers. They’re also proposing to add language that covers policies and procedures
to monitor the activity of authorised users and detect unauthorised access or use of, or tampering with, customer information by such users
In the regulators' discussion of this point, they say financial organisations should be able to use technology to "identify inappropriate use of customer information by authorised users", giving as an example the transfer of large amounts of information for which there is no legitimate business use. They emphasise that this requirement is separate from the audit trail.
In other words, they are talking about monitoring technology that discovers unusual or abnormal activities from legitimate users.
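The following is an added illustration of that kind of monitoring, written for this page and not taken from any regulator or vendor. It assumes a hypothetical access-log format (one line per access: timestamp, user, action, resource, record count), builds a per-user baseline of daily volume and the resources each user normally touches, and then flags the day under review when a user's volume exceeds the baseline band or an absolute cap, or when a user reaches into a resource they have never used before. All log lines are constructed sample data, and the thresholds (a three-sigma band, a 5,000-record cap) are assumptions, not values from the Safeguards Rule.

```python
"""Flag bulk or out-of-pattern access to customer information by authorised
users. Added example, not from the original page or any regulator. The log
format is hypothetical: 'timestamp,user,action,resource,record_count'."""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample log: five baseline days followed by the day under review.
SAMPLE_LOG = """\
2019-11-01T09:12:00,alice,read,accounts,25
2019-11-01T10:40:00,bob,read,loans,210
2019-11-02T09:05:00,alice,read,accounts,30
2019-11-02T11:02:00,bob,read,loans,240
2019-11-03T09:30:00,alice,read,accounts,28
2019-11-03T14:15:00,bob,read,loans,260
2019-11-04T09:45:00,alice,read,accounts,35
2019-11-04T16:20:00,bob,read,loans,220
2019-11-05T09:00:00,alice,read,accounts,22
2019-11-05T10:10:00,bob,read,loans,250
2019-11-06T09:10:00,alice,read,accounts,31
2019-11-06T22:47:00,bob,export,accounts,12000
"""
REVIEW_DAY = date(2019, 11, 6)


def parse_log(text):
    """Parse the hypothetical CSV log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, count = line.split(",")
        events.append({"day": date.fromisoformat(ts[:10]), "user": user,
                       "action": action, "resource": resource,
                       "count": int(count)})
    return events


def daily_totals(events):
    """user -> day -> total records touched."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["day"]] += e["count"]
    return totals


def build_baseline(events):
    """Per-user mean/std of daily volume plus the set of resources normally used."""
    resources = defaultdict(set)
    for e in events:
        resources[e["user"]].add(e["resource"])
    baseline = {}
    for user, per_day in daily_totals(events).items():
        vals = list(per_day.values())
        baseline[user] = {"mean": mean(vals), "std": pstdev(vals),
                          "resources": resources[user]}
    return baseline


def detect_anomalies(events, baseline, z=3.0, absolute_cap=5000):
    """Return (user, day, kind, detail) findings for the events under review."""
    findings = []
    for user, per_day in daily_totals(events).items():
        b = baseline.get(user)
        for day, total in per_day.items():
            if b is None:  # a user with no history cannot be compared; surface it
                findings.append((user, day, "no-baseline", total))
                continue
            # Floor std at 1 so a perfectly regular user does not get a zero-width band.
            limit = b["mean"] + z * max(b["std"], 1.0)
            if total > limit or total > absolute_cap:
                findings.append((user, day, "volume", total))
    for e in events:
        b = baseline.get(e["user"])
        if b and e["resource"] not in b["resources"]:
            findings.append((e["user"], e["day"], "new-resource", e["resource"]))
    return findings


def review(log_text, review_day):
    """Baseline on everything before review_day, then inspect review_day itself."""
    events = parse_log(log_text)
    history = [e for e in events if e["day"] < review_day]
    today = [e for e in events if e["day"] == review_day]
    return detect_anomalies(today, build_baseline(history))


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, REVIEW_DAY):
        print(finding)
```

Run against the sample data, the review flags only bob's 12,000-record export on 6 November, twice: once because the volume is far outside his baseline of roughly 236 records per day, and once because `accounts` is a resource he has never touched before. Alice's 31 records fall inside her band and produce nothing, which is the point: an audit trail would record both users' activity identically, while this step singles out the access that has no obvious legitimate use.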
The FTC regulators are well aware that financial companies have likely implemented controls on access rights. But they decided to add explicit language for access controls in the proposed update:
“would require financial institutions to place access controls on information systems, designed to authenticate users and permit access only to authorised individuals in order to protect customer information from unauthorised acquisition”
Note the language permitting access only to authorised individuals.
Limits on Data Retention
The regulators want to force companies to eliminate data that no longer has “a business purpose.” Their NPRM proposal would
require financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes
This is straight from the NYDFS Cyber Regulation, and similar to the GDPR's data minimisation requirements. However, unlike the GDPR, there is no requirement to set explicit retention periods or time limits. Maybe that will change?
As you can see, there are many similarities between the GDPR and the GLBA. Reusing a strong GDPR programme and its supporting platform software means you do not duplicate effort when working towards compliance with both regulations.
GDPR 24/7 covers the following
- Data Mapping
- Data Classification
- Data Policies
- Vendor management
- Vendor contracts
- Data Risk assessments
- Incident and Risk Register
- Data Policy Management
See how Relentless GDPR 24/7 can help the fintech industry meet the strict requirements of both regulations.