America’s Graham-Leach-Bliley Act (the GLBA) mandates that financial services entities that access, use or share financial information must provide their customers with written privacy notices that explain their information sharing policies and practices. Broken into three sections, the GLBA requires financial institutions to:
- inform their clients how they use private information and sensitive data;
- provide an option that lets customers opt-out of data-sharing practices, and
- maintain a specific data security plan that protects the privacy of their customers.
If your New Jersey company needs to comply with the law, you can use this convenient GLBA compliance checklist when looking for IT support to attain and maintain your GLBA compliance standards.
Protections Against Financial Fraud
Introduced as the “Financial Services Modernization Act of 1999,” the GLBA specifically addresses the selling by banks and financial institutions of “nonpublic personal information” (NPPI), the data that includes social security numbers, account and branch identification, credit and banking histories, and other sensitive financial information. In the 1990’s, a series of mergers driven by the “modernization” of the nation’s financial service industry revealed that the newly digitized and merged financial companies held vast quantities of private consumer data and that gaps in the laws gave them an unfettered opportunity to sell that information. The legislature devised the GLBA to limit that opportunity by requiring stronger data security protections, and by giving consumers more visibility into how their banks used their financial data.
By dividing the rule into three separate sections, the federal law now regulates the three instances of consumer data management, all of which combine into a comprehensive data privacy whole.
The Financial Privacy Rule
In 2009, the Federal Trade Commission (FTC) amended the law to require certain “financial institutions” to provide privacy notices detailing their privacy protection policies to their customers on an annual basis. The amendment expanded the list of institutions governed by the regulation and included an array of financial services enterprises beyond just traditional banks: mortgage companies, finance companies, auto dealers, check cashers and short-term lenders, wire-transferors, collections agencies, credit counselors, and even real estate settlement services. In essence, any entity that is “significantly engaged” in providing financial services is subject to the rule.
To assist these companies in their compliance efforts, the FTC developed a “model privacy form” that, when used by the institution, provides a “safe harbor” for compliance. Its design makes it easy for consumers to compare and contrast the activities of several entities as they look for one whose privacy protections match their preferences. Use of the form is voluntary although entities that prefer to create their own would do well if they copied its structure and content as carefully as possible.
The Safeguards Rule
The Safeguards Rule mandates that each institution must maintain a specific level of security controls around consumer data that it collects, uses, transmits, or stores. Contained in a written security plan, the security practices must match the entity’s size and complexity, be tailored to cover its specific activities and protect the integrity and security of their customer’s financial information.
While designed to be flexible, the Safeguards Rule does have mandatory elements:
- One or more workers must be designated to coordinate the program.
- Risk assessments must cover each separate element of the company’s operations to determine both the relative risks of each and the sufficiency of the safeguards put in place to defend them. This provision also mandates oversight of mobile devices and employee activities that may inadvertently or intentionally compromise consumer data.
- The plan must be monitored and tested regularly.
- Companies can hire third-party vendors to develop and maintain the security plan so long as the entity oversees their efforts to safeguard customer information.
- The plan must be flexible to change as corporate or industry conditions demand and in response to security system testing and monitoring.
The Safeguards Rule also breaks into three categories, each of which relates to a particularly important aspect of information security:
Employee management and training
Well-trained employees are often the cause of both security successes and failures. Workers should be appropriately vetted before hire and should receive training on both the need for security and the security procedures themselves. Internal controls that limit access to consumer data can prevent inappropriate exposure to unauthorized personnel, and leadership should thoroughly review the information of every worker who might obtain authorization to access the data.
The plan must provide security practices that cover all elements of the digital systems, including processing, storage, retrieval and transmission. Storage facilities must be secured from inadvertent access and protected from both human and natural invasions (floods, fire, etc.). Digital protections should protect the data when it is in use or in transition. Disposing of customer data must comply with the FTC’s Disposal Rule.
The Pretexting Provisions
The GLBA prohibits collecting consumer data under “false pretenses.” In the case of financial institutions, that means:
- they can’t pose as anything other than a financial services company;
- they can’t gain consumer information by promising false opportunities (sweepstakes winnings, for example), and
- they can’t use stolen, forged or counterfeit documents to obtain consumer financial data.
The rule does permit law enforcement, however, from using those tactics when investigating a crime or a victim.
The GLBA provides the government with comprehensive oversight of any company that performs “financial services” for consumers. Our managed IT services can help you if your company offers such services and you want help to implement the requirements laid out in this GLBA compliance checklist.