The Basics of Gramm–Leach–Bliley Act (GLBA) Worth Knowing
July 10, 2020
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that regulates how companies designated as “financial institutions” handle their customers’ nonpublic personal information (NPI). GLBA requires financial institutions to ensure the security, confidentiality, and integrity of their customers’ NPI, including names, addresses, phone numbers, bank statements, Social Security numbers, credit history, etc. It also obligates financial institutions to notify customers about their information-sharing practices and to inform them of their right to “opt out” if they do not wish their information to be shared with third-party affiliates. The Federal Trade Commission (FTC) enforces compliance with GLBA.
GLBA is also known as -
Failure to comply with GLBA can lead to significant penalties and even imprisonment, as discussed in a later section of this article.
The key objective of GLBA is to ensure the confidentiality of customers' financial information and Personally Identifiable Information (PII) through the implementation of proper privacy and security standards, as follows:
1. Privacy Standards
According to the GLBA privacy standards, organizations must notify their customers about their information-sharing practices and must provide customers with a means to opt out of unnecessary sharing.
2. Security Standards
The security standards of GLBA seek:
Along with the Financial Privacy Rule and the protection against social engineering or pretexting (the Pretexting Provisions), GLBA also lays down an explicit compliance component called the Safeguards Rule. The Safeguards Rule obligates financial institutions to develop and implement detailed information security plans to protect the Nonpublic Personal Information (NPI) of customers.
All companies or entities designated as a “financial institution” under the law fall within the ambit of GLBA. As per FTC guidance, “the Rule applies to all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.” These businesses may include
GLBA applies to any company providing financial products and services like those mentioned above, irrespective of the size of its business.
It is important to note here that as per 16 CFR § 682.3 - Proper disposal of consumer information, “all persons subject to the GLBA and the FTC ‘Safeguards Rule’ must properly dispose of nonpublic personal information (NPI) by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
As per FTC, NPI is any "personally identifiable financial information" that a financial institution collects about an individual with regard to providing a financial product or service, unless that information is otherwise "publicly available."
The scope of NPI includes—
Nonpublic Personal Information (NPI) commonly includes the following details of a customer:
In most cases, publicly available information is not considered NPI.
GLBA compliance is enforced by the Federal Trade Commission (FTC). According to the GLBA, the three main components that a company needs to meet are:
1. The Financial Privacy Rule
The first component of the GLBA compliance checklist is the Financial Privacy Rule. Its main purpose is to establish an agreement between financial institutions and their customers regarding the protection of the customers’ Nonpublic Personal Information (NPI).
According to the Financial Privacy Rule, a business must provide suitable notices of its privacy norms and policies to consumers, defined as the individuals who use the products or services of the business. The notice should include details regarding:
The Financial Privacy Rule provides details pertaining to the collection and disclosure of private financial information in order to regulate the sharing of your customers’ Nonpublic Personal Information (NPI) with external agencies. It also requires businesses to give customers the choice to opt in or out of having their NPI disclosed to non-affiliated third parties.
2. The Safeguards Rule
According to the Safeguards Rule, financial institutions must develop, implement, and maintain a detailed information security plan that explains how the business protects the nonpublic personal information (NPI) of current and former customers. Under the Safeguards Rule, the plan should detail the measures adopted to build up NPI protection and improve cybersecurity, including:
3. The Pretexting Provisions
The Pretexting Provisions help financial institutions build protection against social engineering, or pretexting. Pretexting typically occurs when a fraudster impersonates the account holder by telephone, by mail, or often through phishing or spear-phishing, and tries to gain unauthorized or fraudulent access to personal information. The most common measures for complying with the Pretexting Provisions include:
GLBA non-compliance penalties can be quite serious for financial institutions and include both monetary fines and imprisonment. The GLBA non-compliance penalties include:
GLBA non-compliance also damages the organization’s reputation. In the past, companies such as PayPal and Venmo have faced GLBA non-compliance issues and had to reach settlements with the FTC.
The following are some of the key items that can help attain compliance with GLBA regulations, especially the Safeguards Rule, which mandates a documented information security plan to protect customer information:
A significant provision of GLBA is anchored on safeguarding customers’ nonpublic personal information through the implementation of an information security plan. The Safeguards Rule identifies three key areas for ensuring information safety, and thereby compliance: Employee Management and Training, Information Systems, and Detecting and Managing System Failures. Of these, Information Systems deals with the collection and storage of NPI, i.e. what information is being collected, how it is stored, and whether there is a business need to collect it.
Data erasure technology can help businesses meet the compliance needs of this Information Systems provision in the Safeguards Rule. Software tools such as BitRaser can overwrite (i.e. erase) all unwanted or redundant NPI stored on the hard drives and SSDs of computers and servers, safeguarding the data from breach or unwanted exposure. By wiping the storage media clean and providing tamper-proof certificates and reports of erasure, BitRaser can guarantee compliance with GLBA.
| Erasure standard / algorithm |
|---|
| US Department of Defense, DoD 5220.22-M (3 passes) |
| US Department of Defense, DoD 5200.22-M (ECE) (7 passes) |
| US Department of Defense, DoD 5200.28-STD (7 passes) |
| Russian Standard – GOST-R-50739-95 (2 passes) |
| B. Schneier’s algorithm (7 passes) |
| German Standard VSITR (7 passes) |
| Peter Gutmann (35 passes) |
| US Army AR 380-19 (3 passes) |
| North Atlantic Treaty Organization – NATO Standard (7 passes) |
| US Air Force AFSSI 5020 (3 passes) |
| Pfitzner algorithm (33 passes) |
| Canadian RCMP TSSIT OPS-II (4 passes) |
| British HMG IS5 (3 passes) |
| Pseudo-random & Zeroes (2 passes) |
| Random Random Zero (6 passes) |
| British HMG IS5 Baseline standard |
| NAVSO P-5239-26 (3 passes) |
| NCSG-TG-025 (3 passes) |
| 5 Customized Algorithms & more |
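As an added illustration of what a multi-pass overwrite with verification looks like (example code written for this article, not BitRaser's own implementation), the routine below applies two of the pass schedules from the table above to a file, forces each pass to the medium with fsync, and verifies the final pass by regenerating it. The fill/complement/random/verify sequence assumed for DoD 5220.22-M is the commonly published reading of that standard, and the NPI-style record is constructed sample data.

```python
import os
import random
import secrets
import tempfile

# Two of the pass patterns from the table above. An int is a fill byte; None is
# a pseudo-random pass. The fill/complement/random/verify reading of DoD
# 5220.22-M is the commonly published one and is assumed here, not quoted.
SCHEDULES = {
    "DoD 5220.22-M (3 passes)": [0x00, 0xFF, None],
    "Pseudo-random & Zeroes (2 passes)": [None, 0x00],
}
CHUNK = 1 << 16  # 64 KiB chunks keep memory flat for large files


def _pattern(fill, seed):
    """Chunk generator: constant fill, or a seeded PRNG stream that verification can regenerate."""
    rng = random.Random(seed)
    return lambda n: bytes([fill]) * n if fill is not None else rng.randbytes(n)


def overwrite_file(path, schedule):
    """Overwrite every byte once per pass, fsync each pass, verify the final pass; return pass count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for fill in schedule:
            seed = secrets.randbits(64)  # fresh seed for every random pass
            gen = _pattern(fill, seed)
            fh.seek(0)
            for off in range(0, size, CHUNK):
                fh.write(gen(min(CHUNK, size - off)))
            fh.flush()
            os.fsync(fh.fileno())  # next pass must not start from the page cache
    gen = _pattern(schedule[-1], seed)  # regenerate the last pass to verify it
    with open(path, "rb") as fh:
        for off in range(0, size, CHUNK):
            if fh.read(CHUNK) != gen(min(CHUNK, size - off)):
                raise RuntimeError("verification failed at offset %d" % off)
    return len(schedule)


def demo(schedule_name):
    """Sanitize a temp file holding a constructed NPI-style record; return (passes, leaked, byte_values)."""
    record = b"name=Jane Example;ssn=000-00-0000;acct=12345678\n" * 2000
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(record)
    try:
        passes = overwrite_file(tmp.name, SCHEDULES[schedule_name])
        with open(tmp.name, "rb") as fh:
            wiped = fh.read()
    finally:
        os.unlink(tmp.name)
    return passes, record[:48] in wiped, set(wiped)
```

Overwriting in place only reaches the logical blocks the file currently occupies; on SSDs with wear levelling and remapped sectors, whole-device sanitisation relies on the drive's own secure-erase or sanitize command, or on cryptographic erase, rather than on file-level passes.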