The Gramm-Leach-Bliley Act (GLBA), also known as the ‘Financial Modernization Act,’ is a United States law that was passed to ensure that financial institutions obtain consent from their data subjects before sharing their non-public personal information (NPI).
Before collecting information about an individual, financial institutions must explain to their customers how they plan to use and share their information. They must also implement the necessary procedural and technical safeguards to protect NPI and to protect their customers from identity fraud.
To reflect this, GLBA is broken into three rules: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. The GLBA compliance checklist below covers the key points for each rule.
1. Checklist for The GLBA Privacy Rule
The GLBA Privacy Rule exists to ensure that financial institutions inform their customers about how they will use and share their data.
- Establish a set of privacy policies that are clear and concise. The policies should include information about what data is collected, why it is collected, who the data will be shared with, and under what conditions.
- Before collecting any personal information, you must ensure that your customers have read the privacy notices and agreed to the conditions.
- Ensure that you have an automated process for notifying customers when their personal data is shared with another financial institution or third party for the purpose of completing a transaction.
- Ensure that your customers have the opportunity to opt out of having their private data shared with non-affiliated third parties. NOTE: Financial institutions must process opt-outs within 30 days.
- Periodically review your policies (at least annually) to ensure that they are still relevant.
- All customers and relevant stakeholders must be informed of any changes to your privacy policies.
2. Checklist for The GLBA Safeguards Rule
The GLBA Safeguards Rule is designed to ensure that financial institutions adequately protect all sensitive data from unauthorized access, disclosure, and loss.
- Appoint one or more security officers to develop and maintain your information security program.
- Carry out a risk assessment to determine what data is at risk, the impact of unauthorized disclosure, and the effectiveness of the current security controls you have in place to mitigate these risks.
- Ensure that all third parties have the necessary safeguards in place to protect the information they are entrusted with. They will need to sign some form of contract, similar to a HIPAA Business Associate Agreement (BAA).
- Have an incident response plan (IRP) in place to ensure that you are able to recover from security incidents in a timely, efficient and effective manner.
- Periodically review and test your information security program, as well as your incident response plan.
- Ensure that all employees receive regular security awareness training to ensure that they understand how to safeguard NPI, and are aware of the consequences of failing to comply with GLBA.
- Ensure that you know exactly what sensitive data you store, and where it is located. A dedicated data classification solution will scan your repositories for any data covered by GLBA, and classify the data accordingly.
- Remove any ROT (Redundant, Obsolete, and Trivial) data to streamline the effectiveness of your security controls and auditing practices.
- Ensure that all sensitive data is encrypted, both at rest and in transit.
- Enforce “least privilege” access to ensure that employees and other relevant stakeholders are only granted access to the data they need to perform their role.
- Any changes made to privileged accounts must be monitored for suspicious activity, and the relevant IT staff should be informed about the changes in real-time.
- Any time sensitive data is accessed, copied, moved, or removed, the relevant IT staff should be informed about the changes in real time. They should be able to review a detailed log of all changes from a centralized console.
3. Checklist for The GLBA Pretexting Rule
The purpose of The Pretexting Rule is to protect customers from identity fraud. Pretexting is a social engineering technique where the attacker tries to trick an unsuspecting employee (through some form of pretext) into handing over non-public personal information.
- Ensure that you have mechanisms in place to identify social engineering techniques used to gain unauthorized access to sensitive data.
- Ensure that all employees have been trained to verify the identity of the sender or caller, and are aware of the various techniques that attackers use to initiate a conversation and extract NPI.
- Use the latest spam protection/email filtering technologies, which use AI and Natural Language Processing (NLP) to identify words and phrases that are common in pretexting. Such technologies can also detect anomalies in email traffic, as well as identify cousin domains and display name spoofing.
- Carry out mock phishing attacks on your employees. Not only will this help your employees remain vigilant in identifying suspicious emails, but it will also help your security team identify holes in your security posture.
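As an added illustration of the cousin-domain and display-name-spoofing checks mentioned in the list above (example code written for this page, not part of the original checklist or any vendor product), the script below scans constructed From: headers against an assumed organisation domain and a constructed staff directory and reports which pretexting indicators each header shows.

```python
from email.utils import parseaddr

OUR_DOMAIN = "examplebank.com"  # assumed organisation domain (constructed)
DIRECTORY = {"Jane Doe": "jane.doe@examplebank.com"}  # constructed staff list

# Constructed From: headers standing in for an inbound mail sample.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@examplebank.com>",
    "Jane Doe <jane.doe@gmail.example>",
    "Accounts <payments@examplebnak.com>",
    "Jane Doe <jane.doe@examp1ebank.com>",
    "Support <help@examplebank.com.login-portal.example>",
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two edits from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return the pretexting indicators found in one From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Display-name spoofing: a directory name attached to an address we do not own.
    if name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        findings.append("display-name-spoof")
    if domain != OUR_DOMAIN:
        # Cousin domain: a swapped, dropped or substituted character or two.
        if edit_distance(domain, OUR_DOMAIN) <= 2:
            findings.append("cousin-domain")
        # Our domain used as the leading labels of someone else's domain.
        if domain.startswith(OUR_DOMAIN + "."):
            findings.append("lookalike-subdomain")
    return findings


def scan_mailbox(headers):
    """Map each flagged header to its indicators; clean mail is omitted."""
    return {h: f for h in headers if (f := classify_sender(h))}


if __name__ == "__main__":
    for header, flags in scan_mailbox(SAMPLE_HEADERS).items():
        print(f"{header}: {', '.join(flags)}")
```

A production filter would normalise display names (case, punctuation, Unicode look-alikes) and hold the directory outside the script; the thresholds here are deliberately simple.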
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your PII and help meet GLBA compliance, schedule a demo with one of our engineers or start your free trial today.