The GLBA, also known as the Financial Services Modernisation Act of 1999, is a United States federal law that prevents any financial institution from acting as a monolith of investment banking, commercial banking and insurance providers. The Act requires financial institutions to be transparent about their use of customers’ non-public personal information (NPI): they must explain how they share and protect this data and give customers the option to opt out of information sharing with third parties.
Main components of the GLBA
Financial Privacy Rule: Any organisation that identifies as a financial institution, or that receives customer NPI from a financial institution, must inform the customer at the beginning of a transaction, and annually thereafter, how their NPI is stored and used. This is usually done through a privacy notice that includes the right to opt out of sharing with third parties. NPI ranges from data the customer provides, such as personally identifiable information (e.g., name, date of birth, social security number) and transaction data (e.g., bank account information), to information acquired by the financial institution (e.g., credit checks or existing accounts).
Safeguards Rule: Organisations that fall under the remit of the GLBA must be able to protect customer NPI. The rule obliges them to institute an information security plan describing the “technical, administrative, and physical safeguards” that protect the collection, distribution, processing, storage, and handling of NPI. In addition, organisations must protect the confidentiality, integrity and availability of current and former customers’ NPI through measures such as continuous and regular vulnerability testing and monitoring, employee training, third-party risk assessment and management, and appropriate software controls.
Pretexting provision: This provision aims to prevent unauthorised access to NPI through scams, phishing, spear phishing, or other social engineering. It obliges organisations to implement detection and prevention measures to safeguard customers.
What are the benefits of GLBA?
- Prevents the loss of customers’ non-public personal information by mitigating the risks of data breaches and cyber security attacks.
- Customers have greater control over the privacy of their information due to increased transparency and can opt out of sharing their information between the financial institution and third parties.
- Minimises third-party and vendor security risk, as service providers are obliged to conduct security risk assessments and financial institutions are encouraged to conduct relevant due diligence, such as transacting with appropriately accredited vendors.
- Increased tracking of any employee access to customer information.
- Synergy with the General Data Protection Regulation (GDPR) in the EU means that multinational companies can approach customer privacy uniformly.
What are the penalties for non-compliance?
There is a $100,000 fine per violation by a financial institution, a $10,000 penalty per violation by an individual, and up to 5 years in prison for individuals.