What is the Gramm-Leach-Bliley Act (GLBA)?

Image

The Gramm-Leach Bliley Act (GLBA or GLB Act), or financial modernization act, is a bi-partisan federal regulation passed in 1999 to modernize the financial industry. It repealed vast swathes of the Glass-Steagall Act of 1933 and the Bank Holding Act of 1956, allowing commercial banks to offer financial services such as investments or insurance. It also controls how financial institutions deal with their customer's private information. 

The Act has three sections: 

• The Financial Privacy Rule – Regulates the collection and disclosure of private financial information.
• The Safeguards Rule – Requires financial institutions to implement security measures to protect private financial information.
• Pretexting Rule – Prohibiting the practice of accessing or pretexting private information under pretenses.

The history of GLBA

GLBA repealed much of the Glass-Steagall Act of 1933, which prevented commercial banks from offering other financial services such as insurance, something the banking sector had sought since at least the early 1980s. It also granted the Federal Reserve greater supervisory authority over these new financial structures and how they handled customers' private information. 

While the Congressional Research Service prepared a report exploring the pros and cons of the Glass-Steagall Act as early as 1987, and some prohibitions were relaxed throughout the 1990s, lawmakers weren't forced to take decisive action until banking giant Citicorp merged with insurance company Travelers Group to form Citigroup in 1998. As the merger went through before Congress passed GLBA, violating both the Glass-Steagall and Bank Holding Act, the Federal Reserve issued Citigroup a two-year waiver in September 1998, effectively making the introduction of GLBA a foregone conclusion. 

Although the Act underwent several revisions, GBLA received bipartisan support, with the Senate and the House voting overwhelmingly in favor of the final bill. President Bill Clinton signed it into law on November 12, 1999. 

What are the main impacts of the GLBA?  

Aside from expanding commercial banks' services, GLBA's lasting impact is ensuring financial institutions and their affiliates comply with stringent data security regulations. The GLB Act forces organizations to protect personally identifiable information (PII) gathered from all forms of customer records. These rules apply to any non-public information, defined as the information a customer may use to facilitate a transaction or otherwise obtained by the organization. 

Acting as a complement to the data security requirements laid out by the Federal Deposit Insurance Corporation (FDIC), GLBA codifies financial institutions' obligation to respect customer privacy and protect sensitive personal information from illegitimate access. GBLA compliance relies on organizations developing privacy practices and policies outlining collecting, sharing, selling, and reusing consumer data. It also ensures that customers can decide what, if any, information a company is allowed to retain or disclose. 

GLBA has also significantly impacted current cybersecurity programs, requiring organizations to address data storage and security as part of a written information security policy and protecting against threats or hazards that could cause harm or inconvenience to consumers.

What data does GLBA cover? 

Achieving GLBA compliance, in theory, reduces the likelihood of an organization suffering a data breach and thus has become a top priority for chief information security officers (CISOs) and other IT professionals who manage corporate data. 

The data that falls under GLBA includes but is not limited to: 

• Addresses 
• Bank account and financial data 
• Employment data 
• Education level and academic performance 
• Names 
• Tax information
• Social security data 
• Birth dates
• Geolocation data 
• Biometric and related data 
• Credit history 
• Inferences drawn from other data 

What organizations does GLBA regulate? 

GLBA requires any organization significantly engaged in financial activities, including those not disclosing non-public information, to develop a policy to protect against future threats. These organizations include banks, brokerage firms, insurers, and any company that processes loans or assumes credit risk. Most FinTech companies are subject to GLBA regulations. 

Businesses and professions regulated by GLBA include but are not limited to: 

• Car rental companies 
• Accountants 
• Credit unions 
• Debt collectors
• Courier services 
• Hedge funds 
• Retailers 
• Credit reporting companies 
• Universities 
• Non-bank mortgage lenders 
• ATM operators

Breaking down GLBA 

We've already established that GLBA has three key sections, but compliance requires a deeper understanding of what they are and how they affect organizations. 

• Financial Privacy Rule – This section regulates how organizations collect and disclose private financial information. It outlines how data is collected, used, and shared, the policies and procedures used to protect it, and who can access it. Organizations must give "clear and conspicuous notice" of their privacy policy at the start of a customer relationship, every time it changes, and annually. Customers must also have the option to opt out of sharing information with unaffiliated third parties. 
• Safeguard Rule – This rule aims to ensure data security, demanding organizations implement administrative, physical, and technical protections to protect against cybersecurity risks such as phishing scams, cyber-attacks, and email spoofs. Data encryption and key management are widely accepted best practices but are not legally required. The Federal Trade Commission (FTC) issued the rule in 2002 and still enforces it today. It also requires organizations to designate an individual accountable for the information security plan, including development and regular testing. 
• Pretexting Rule – This final section prevents company affiliates, including employees and business partners, from collecting data under pretenses, such as phishing scams or other social engineering techniques. 

How to achieve GLBA Compliance 

Organizations should take a ten-step approach to GLBA compliance. 

1. Understand GLBA regulations and how they apply to your business.
2. Conduct a risk assessment.
3. Ensure effective risk mitigation. 
4. Protect against insider threats.
5. Ensure service providers are GLBA compliant. 
6. Notify customers of updated privacy policies.
7. Test and update data recovery and business continuity plans regularly.  
8. Create and maintain a written information security plan. 
9. Report to the board annually.
10. Review, revise, and improve annually or when your business undergoes significant change.

Enforcing GLBA

The FTC is the primary enforcer of GLBA, which can take organizations to federal district court if they fail to comply with the Privacy Rule and audit privacy policies. However, the Consumer Financial Protection Bureau (CFPB) also has rulemaking authority over the Safeguarding Rule as per the Dodd-Frank Act. As with California and Virginia, individual states can enact more stringent regulations on organizations that fall under their jurisdiction. Other agencies that play a role include the Federal Reserve Board, Office of Thrift Supervision, FDIC, and Office of the Comptroller of the Currency. 

The Gramm-Leach-Bliley Act is a federal regulation that expands financial institutions' services and lays out stringent data privacy regulations. Financial institutions that fail to comply with GLBA face fines of up to $100,000 for each violation, and officers and directors could be hit with up to a $10,000 fine, five years imprisonment, or both. Organizations and individuals also face significant reputational damage in the wake of a non-compliance decision. 

To learn more about the main regulations financial services organizations need to comply with and tips to go beyond simple compliance for powerful cybersecurity using security configuration management (SCM) and file integrity monitoring (FIM), you can read our latest guide: https://www.tripwire.com/resources/guides/financial-services-cybersecurity-regulations

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.