In 1999, the United States Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, with numerous, substantial requirements to protect consumers’ financial privacy.
The GLBA directed the Federal Trade Commission (FTC) and six other federal agencies to implement regulations requiring organizations in the financial industry to provide financial privacy notices to their customers.
The FTC proposed the regulations in 2000 and issued them in their final form that May. The GLBA took effect later that year, and required full compliance from financial service firms in 2001.
Today the GLBA is a cornerstone of cybersecurity and consumer privacy in the financial sector. The FTC, federal banking agencies, other federal regulatory authorities, and state insurance oversight agencies enforce the GLBA.
Key Sections of the GLBA
Financial Privacy Rule
The GLBA mandates that any business offering financial services or products — such as financial or investment advice, loans, or insurance — provide every customer with a financial privacy notice. This must happen when the consumer relationship is established, and every subsequent year.
In those privacy notices, financial institutions must explain their information-sharing practices to customers. That means financial institutions have to tell consumers what sensitive information the firms are collecting about them, where the firms are sharing that information, and how the firms are using and protecting customers’ Non-public Personal Information (NPI).
Financial firms are also required to tell customers that they have the right to opt out of those information-sharing practices. Firms must also safeguard the private financial information of consumers.
In addition, the GLBA restricts when a financial institution is allowed to disclose a consumer’s private information to non-affiliated third-party organizations. Plus, any organization that receives consumers’ NPI from a financial institution can be limited in how it reuses and reshares that information.
Safeguards Rule
The GLBA requires financial institutions to develop written information security plans describing the processes and procedures used to protect consumers’ NPI. In addition, financial institutions have to create comprehensive risk analyses for each department that handles customers’ NPI.
Firms must also develop, monitor, and test programs to safeguard customer information. They are required to update these safeguards if they change how they collect, store, or use customer information. Firms must also ensure that business partners and third-party service providers secure customers’ NPI, too.
Pretexting Provisions
Pretexting is when a person attempts to access consumers’ NPI under false pretenses. For example, an unauthorized user might impersonate an authority figure, such as a law enforcement agent or potential employer, to get customer information via mail, phone, email, or phishing.
The GLBA requires financial institutions to develop procedures to prevent pretexting (including training their employees) as part of their information security plans.
The GLBA Compliance Checklist
Each section of the GLBA contains its own compliance requirements. They can be summarized as follows:
Perform a Risk Assessment
Risk assessment is a process for identifying and cataloging potential threats to your company’s ability to conduct business. Financial firms should assess the risks they face to comply with the GLBA’s many provisions: identify possible threats, and consider what might happen if one of those threats strikes.
Draft a Cybersecurity Plan
A cybersecurity plan is a strategy that you develop and implement for your firm to secure its confidential information. That plan should govern who can access confidential data (including NPI), how access is granted, and how the firm will handle situations that might jeopardize the confidentiality, integrity, and availability of your data.
To comply with GLBA rules, financial firms must draft a plan to deal with external threats such as cybercriminals and hackers.
Defend Against Insider Threats
In addition to external threats against your business, you must also guard against insider threats, such as employees deliberately or accidentally compromising your cybersecurity. Insider threats are often the biggest risk of causing a data breach.
Your defense against insider threats should begin during the hiring process, where you can screen out applicants who might be high security risks. You can also draft contracts that hold employees accountable for following security policies and procedures. Finally, provide regular written updates and mandatory employee training to reinforce security policies and keep all staff members up to date on any new threats.
Internal Controls and Incident Response Plan
Risks are mitigated by your physical, technical, and managerial control structure — and quite often, a risk assessment will reveal the need to strengthen existing controls or invest in new ones. Bringing your internal controls “up to code” (that is, they’re sufficiently strong for the risks you face) is a crucial part of compliance.
GLBA compliance should also include a clear incident response plan. This is to demonstrate that all precautions are in place to identify, contain, and mitigate a disaster.
GLBA-Compliant Service Providers
Financial institutions should ensure that their service providers comply with the GLBA. Any vendor that helps your firm interact with customers, or that has access to your confidential data and critical IT systems, should be required by contract to achieve GLBA compliance, including all the law’s required safeguards.
This also means that your firm should perform due diligence on its vendors, to ensure that all service providers have adequate controls in place.
The California Consumer Privacy Act (CCPA), established to protect the privacy and data of California residents, provides an exemption for personal information covered by the GLBA.
The California legislature, which passed the CCPA in 2018, realized that conflicts might arise between the CCPA and the GLBA. It subsequently enacted several CCPA exemptions, including one for the GLBA. The CCPA itself went into effect in 2020.
As a result of that exemption, the CCPA does not cover personal information that California businesses collect, process, sell, or disclose in accordance with the GLBA.
That said, the CCPA exemption doesn’t entirely remove financial institutions from the scope of the law. The CCPA still covers information collected by financial institutions that does not fall within the GLBA.
ZenGRC Is Designed to Help Secure Financial Data
Workflow tagging in ZenGRC allows you to delegate GLBA compliance tasks and to track their progress and completion. It also helps you prioritize duties so that your security staff knows how to schedule their actions.
Using ZenGRC’s single-source-of-information platform, you can speed up internal and external stakeholder communications while also providing the relevant paperwork, lowering the number of follow-up requests from external auditors.
ZenGRC compares your CCPA efforts to the requirements of more than a dozen other regulatory frameworks, such as the GDPR, HIPAA, FedRAMP, and NIST, to help you minimize time-consuming overlap.
Contact us for a demo for more information on how ZenGRC can help guide your organization to confidence in infosec, compliance, and financial data.