The main parts of the privacy requirements of the Gramm-Leach-Bliley Act are:

The Gramm-Leach-Bliley Act (Public Law 106-102) was signed into law on November 12, 1999 as part of an effort to enhance competition in the financial services industry.  Section 501 of this Act calls for the protection of non-public personal information.  Section 501(a) states, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information."  Institutions of higher education are considered financial institutions under this Act due to their role in servicing student loans.  

In 2000, the Federal Trade Commission published a Final Rule entitled Privacy of Consumer Financial Information.  This Rule was published to implement the privacy provisions of GLBA.  However, institutions of higher education do not have to conform to this rule because the privacy of student information is already protected under the Family Educational Rights and Privacy Act ("FERPA").

In 2001, the Federal Trade Commission published a Final Rule entitled Standards for Safeguarding Customer Information.  This Rule states that financial institutions must "[...] develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." (16 CFR 314.3)  Within the scope of their role as financial institutions, institutions of higher education are required to conform with this rule.

While the GLBA has been around for several decades, it is still highly relevant to financial organizations that deal with sensitive client data today. In this guide, we’ll explore everything financial institution leaders need to know about GLBA compliance rules, GLBA requirements, GLBA exceptions, and everything else needed to stay compliant.

Everything You Need to Know About the GLBA:

What is the GLBA? 

The GLBA stands for the Gramm Leach Bliley Act. Many firms have financial information on their clients and share that data with their business partners regularly for a whole host of reasons. The Act was officially passed by the United States Congress at the end of the 20th century to shield the financial privacy of consumers. It was enacted due to the sensitive nature of data held by financial organizations. Companies that act as "financial organizations", or money-focused businesses that offer their customers financial services such as loans, personal finance advice, or various forms of insurance, are required by the GLBA to let their customers know about their data-sharing practices and to shield their clients’ sensitive data.

The legislation places restrictions on when a financial institution may release a customer's nonpublic personal information (NPI) to unaffiliated third parties. Customers must be informed about financial organizations' information-sharing policies, as well as their ability to opt-out if they do not want their information shared with certain nonaffiliated third parties. Furthermore, any company that gets consumer financial information from a financial institution may be limited in its ability to reuse and re-disclose such information.

There are three main components of the GLBA: the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions.

Financial Privacy Rule

This rule, often known as the Privacy Rule, imposes restrictions on how businesses gather and share private financial data. At the start of a client relationship, a firm must make its privacy policy plain and visible. Customers must then get an annual notification for the length of the partnership unless the company satisfies specific conditions.

The Privacy Rule specifies which data will be collected, how it will be used and shared, who will have access to it, and the rules and procedures that will be utilized to safeguard it. Customers must be advised of the privacy policy once a year, as required by the Fair Credit Reporting Act, including the choice to opt-out of sharing information with unaffiliated third-party companies. When a client chooses to disclose information, the company must follow the terms of the original privacy notice.

Safeguards Rule

The GLBA safeguards rule includes measures to guarantee that information security is a top priority. This regulation was established by the Federal Trade Commission in 2002 and is still in effect. The regulation requires businesses to put in place administrative, physical, and technical precautions to defend against cyber assaults, email spoofing, phishing scams, and other cybersecurity threats.

The rule also mandates that a company appoint at least one person to be responsible for all components of the information security plan, including its creation and regular testing. Although data encryption and key management are advised as best practices, the Safeguards Rule does not require them.

Pretexting Provisions 

This regulation is intended to prohibit workers or business partners from gathering client information under false pretenses, such as through social engineering. Although the GLBA does not have explicit criteria for pretexting, prevention typically requires including pretexting prevention training within the written information security document.

Who does GLBA apply to? 

The Gramm Leach Bliley Act covers any organizations that are "significantly engaged" in providing financial goods or services to customers, regardless of size. Check cashing firms, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, merchants that issue branded credit cards, professional tax preparers, and courier services are all examples of nontraditional financial organizations. The regulation also applies to organizations that obtain information about clients from other financial organizations. Companies subject to the regulation must take efforts to guarantee that their affiliates and service providers preserve client information in their care, in addition to creating their own safeguards.

How does GLBA Compliance work? 

To comply with the GLBA, financial organizations must inform customers about how they share sensitive data, inform customers about their right to opt-out if they do not want their personal data shared with third parties, and apply specific protections to customers' private data in accordance with a written information security plan created by the institution. It might be beneficial for larger financial organizations to work with a risk and compliance company like Accountable HQ to ensure that the right protocols and processes are in place for GLBA compliance.

Compliance with the GLBA is required. Regardless of whether a financial institution publishes NPI, it must have a policy in place to secure the data from anticipated security and data integrity issues.

Penalties for Violating GLBA

All sanctions for noncompliance with this regulation, which include fines and jail time, are covered under the Gramm Leach Bliley Act. If an organization breaks the GLBA, it will be liable for a number of penalties. Each breach will result in a penalty of up to $100,000 for the institution. For each infraction, the institution's officers and directors could be personally accountable for a penalty of not more than $10,000. Fines under Title 18 of the United States Code or imprisonment for not more than five years, or both, will be imposed on the institution and its officials and directors.


What are the requirements of the Gramm

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

What are the two significant parts of the Gramm

The GLBA requires companies that qualify as “financial institutions” to take several affirmative steps in order to prevent the unauthorized collection, use, and disclosure of NPI. It imposes these obligations under two “Rules”: (i) the Privacy Rule, and (ii) the Safeguards Rule.

What is the main purpose of the Gramm

The GLBA's purpose was to remove legal barriers preventing financial institutions from providing banking, investment and insurance services together.

What aspect of the Gramm

The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties.