Although the Gramm-Leach-Bliley Act (GLBA) has been in effect for 25 years, changes made just last year make brushing up on GLBA security, transparency, and privacy requirements more relevant than ever.

What is the GLBA?

In 1999, the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act) mandated that financial institutions be transparent with customers about the ways they shared their information and required that sensitive data be kept safe. The Act breaks down into three parts:

The Financial Privacy Rule

Regulates how private financial information is collected and disclosed.

The Safeguards Rule

Requires financial institutions to have security programs in place to protect sensitive financial data.

Pretexting provisions

Prohibits the use of false pretenses (pretexts) to access private information.

The GLBA also requires that financial firms provide customers with written notices of their information-sharing practices. Under the Act, financial institutions and their affiliates are required to develop privacy practices to safeguard personally identifiable information (PII), specifically non-public personal information. This is data provided by the customer during a financial transaction, or data obtained by the financial institution in some other way. It includes, but is not limited to:

~ Bank account numbers

~ Credit history

~ Biometrics

~ Address

~ Education level

~ Employment data

~ Geolocation

~ Tax information

And more. Thus, entities under GLBA mandates must detail how they collect, share, sell, and in any other way utilize customer information. Importantly, customers have the right – and must be given the option – to withdraw or otherwise select which private information can (or cannot) be shared.

What Are the Requirements of the GLBA?

Following is a summary of the requirements that financial institutions must adhere to under the Gramm-Leach-Bliley Act:

~ Notify customers of how their data is being used and allow them to opt out: “A financial institution must provide notice of its privacy policies and practices and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party.” There are outlined exceptions in sections 13, 14, and 15.

~ Even if the information is not shared, customers must be notified of privacy policies: “Regardless of whether a financial institution shares non-public personal information, the institution must provide notice of its privacy policies and practices to its customers.”

~ Account numbers cannot be shared for marketing purposes: “A financial institution generally may not disclose consumer account numbers to any nonaffiliated third party for marketing purposes.”

~ Personal information received from other sources is still subject to the same privacy protections and policies: “A financial institution must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.”

Who Enforces the Gramm-Leach-Bliley Act?

The GLBA is primarily enforced by the Federal Trade Commission (FTC), although the authority to create new rules was transferred to the Consumer Financial Protection Bureau (CFPB) by the Dodd-Frank Act in 2010. Other federal and state agencies play a part in enforcing GLBA requirements but to varying degrees. Those organizations include:

~ Federal Reserve Board

~ Federal Deposit Insurance Corporation (FDIC)

~ Office of the Comptroller of the Currency

And the responsibility for regulating insurance providers falls to individual states.

Do You Need to Comply with GLBA?

Even if you didn’t fall under GLBA jurisdiction before, recent updates to the FTC Safeguards Rule may mean you do now.

Officially named the Standards for Safeguarding Customer Information, the Safeguards Rule aims to ensure that businesses “protect the security and confidentiality of those customers’ nonpublic personal information.” In order to keep these protections current, the Rule undergoes updates from time to time, and the most recent round took effect on May 13, 2024.

So, who was initially required to comply with the GLBA Safeguards Rule? “Financial institutions,” which includes (but is not limited to):

1. Mortgage lenders

2. Payday lenders

3. Finance companies

4. Mortgage brokers

5. Account servicers

6. Check cashers

7. Wire transferors

8. Collection agencies

9. Credit counselors (and other financial advisors)

10. Tax preparation firms

11. Non-federally insured credit unions

12. Investment advisors that aren’t required to register with the SEC

Additional guidance on whether the Rule applies to your organization is available here.

Additionally, the Rule requires non-banking financial institutions to develop and maintain comprehensive security programs to protect sensitive customer data. Those institutions can include motor vehicle dealers, payday lenders, and other organizations involved in financial transactions that are not banks.

The broad definition of those covered under the Gramm-Leach-Bliley Act would simply be “financial institutions,” or “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance,” per the FTC’s GLBA web page.

2023 Updates to GLBA Safeguards Rule

Under the revised rule, financial institutions (both traditional and non-banking, as described above) are required to notify the FTC as soon as possible, and within no more than 30 days of discovering a data breach affecting at least 500 people. The notification must be sent if unencrypted customer information has been acquired without the consent of the person to whom the information pertains. The Rule defines an event that triggers such a notification as:

“An acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

“The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data,” noted Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised.”

Provisions in the revised Rule require companies to, among other things:

~ “designate a qualified person to oversee their information security program,

~ develop a written risk assessment,

~ limit and monitor who can access sensitive customer information,

~ encrypt all sensitive information,

~ train security personnel,

~ develop an incident response plan,

~ periodically assess the security practices of service providers, and

~ implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.”

What Section of GLBA Requires the Opt-Out Notice?

Under Section 502 of the Subtitle, financial institutions are prohibited from sharing customers’ nonpublic personal information unless:

1. “The institution satisfies various notice and opt-out requirements,”

2. “The consumer has not elected to opt out of the disclosure.”

Within Section 503, financial institutions will find the requirement to notify customers of their privacy policies and practices. Section 502 is subject to “certain exceptions.”

GLBA in Higher Education

Institutions of higher education, such as universities and colleges, which disburse financial aid to students or receive payments from them, are now included in the list of non-banking financial institutions. This is essentially all of them.

Due to the 2023 changes in the Safeguards Rule, institutions of higher learning are pivoting to meet GLBA-mandated student privacy standards. They are required to:

~ Ensure the security of students’ personal information.

~ Defend against threats to confidential student data.

~ Prevent the unauthorized access or use of information that could, if accessed or used, harm the student in any way.

Now, universities (“institutions and servicers”) must develop, implement, and maintain an adequate security program to meet GLBA requirements for the protection of student information. Under FTC regulations, these programs must contain administrative, technical, and physical safeguards appropriate to the institution’s size and complexity, and must include the 9 FTC-required elements.

How to Perform a GLBA Risk Assessment

The Safeguards Rule requires that a capable and regularly maintained security program be put in place to protect consumer data covered by the GLBA. One of the preliminary steps it outlines is to assess the risks to customers within each area of the business and measure how well current security measures are performing. This baselining helps financial institutions know where to bolster defenses to achieve a fully GLBA-compliant infrastructure.

The steps to performing a GLBA risk assessment – and building out a subsequent GLBA-compliant security strategy – include:

Baselining your assets

Do an asset inventory to see what devices you have on your network (IoT, remote laptops, servers), where data might be travelling out or through (APIs, email, CRMs), where data is stored (databases, cloud storage), and how it is being sent (your file transfer protocols).

Identifying threats

What are the common threats these assets could face, and which are most likely to occur? These could include ransomware, web browser-based attacks, insecure file transfer methods, or immature cloud security practices. Vulnerability scans can help with this.

Determining risk

Assign a risk rating to each area and scenario. Penetration testing and red teaming can help vet which threats require immediate action.

Prioritizing which risks to address

You can’t fix everything at once. Which area presents the most likely risk? Plug that gap first.

Implementing security controls to mitigate risk

Patch and bolster weak areas with improved security controls, focusing on your top-priority risk area first. This allows you to focus on bespoke solutions – do you need anti-malware software? Improved email security? SFTP?

Crafting an incident response plan

Even the best-laid plans can be compromised sometimes. Your risk-mitigation strategy is not complete without a solid contingency plan – an incident response plan – for emergency situations. This is where automated detection and response tools can come into play, additional help from managed security service providers can bolster resource-strained SOCs, and a capstone red team engagement can confirm that it all works as planned.

Continuous monitoring and improvement

In an evolving ecosystem, no security plan is ever “set it and forget it.” Monitor and vet the program regularly (every quarter, every six months) to ensure that misconfigurations don’t slip through, new technologies adhere to your outlined controls, and that your team stays sharp in following your established plan for adhering to GLBA standards.

GLBA: Know Where You Stand with Alert Logic

GLBA compliance is tricky, but Fortra’s Alert Logic is here to help. Our managed security services solutions help organizations in navigating compliance requirements by pinpointing weak spots and swiftly identifying potential gaps. With our automated security controls in place, teams can streamline vulnerability detection and identify malicious and suspicious behavior, ensuring you stay compliant with GLBA regulations. Our solutions include:

~ Threat identification

~ Detection of unauthorized access and changes

~ Virus and malicious code protection

~ Vulnerability management

~ Incident management

~ Change management

Learn more about achieving and maintaining GLBA compliance and other compliance requirements that can be met and maintained with Alert Logic managed security services.

Additional Resources:

Financial Services Compliance Requirements: An Overview | Blog

What is GLBA Compliance? | Blog 

About the Author
Katrina Thompson
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
