The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.
Three components of the GLBA
Financial Privacy Rule: A company that is either a “financial institution” or receives “nonpublic personal information (NPI)” about consumers from a financial institution must adhere to the privacy rule of the GLBA. This rule covers most personal information (name, date of birth, Social Security number, etc.) as well as transactional data (card and bank account numbers). It also covers private information acquired during a transaction (a credit report, for instance). The FTC publishes a page detailing every aspect of the privacy rule.
Safeguards Rule: This rule ensures that those under the jurisdiction of the GLBA have specific means to protect private information. According to the text of the rule itself, GLBA adherents must have “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” Many of these techniques are outlined in the text as well.
Notable requirements include:
- Employee training
- Proper software
- Testing and monitoring of vulnerabilities
Pretexting Provisions: Pretexting is the practice of obtaining customer information under false pretenses, for example by impersonating the account holder. In addition to protecting nonpublic personal information (NPI), organizations that fall under the GLBA must also take measures to detect and prevent as many instances of such unauthorized access as possible.
Potential Penalties
Once a GLBA non-compliance allegation is proven, the punishment can have business-altering, and even life-altering, ramifications.
Some non-compliance penalties include:
- Financial institutions found in violation face fines of $100,000 for each violation.
- Individuals in charge found in violation face fines of $10,000 for each violation.
- Individuals found in violation can be put in prison for up to 5 years.