The Gramm-Leach-Billey Act of 2019 (GLBA), is a federal law in the United States of America that has been constructed to improve visibility over how financial organizations share and protect customer information. It is sometimes known as the Financial Modernization Act of 2019.
In short, to be GLBA compliant, financial organizations have to be more transparent with their customers about how they are sharing their sensitive information, ensure that customers know their rights when it comes to opting out, and ensure that appropriate security solutions and policies are employed to protect it.
The GLBA Safeguards Rule outlines the primary data protection requirements, and additional privacy and security requirements are issued by the FTC’s Privacy of Consumer Financial Rule (Privacy Rule). The GLBA is enforced by the FTC, federal banking agencies, state insurance oversight agencies and other federal regulatory authorities.
What are the Benefits of GLBA Compliance?
There are numerous security and privacy related benefits to complying with the GLBA, both to the organization and to the consumer.
Firstly, complying with GLBA ensures that you are taking steps to improve data security from breaches and attacks. From an organizational perspective, this helps to avoid costly fines for non-compliance as well as reputational damage and losses to shareholder/customer confidence that could be even more costly.
One way in which GLBA compliance helps to improve data security is by forcing companies to track the behavior and activities of their users. Most threats to data come from within the organization, where users with administrative access or access to sensitive data abuse their privileges (either purposefully or accidentally). Being able to track user behavior, particularly where it relates to sensitive data, ensures you know when suspicious or unwanted activities take place so that you can react quickly and mitigate the risks of a breach.
From a consumer perspective, there’s a certain amount of trust that comes along with the increased visibility and control they have over how their information is shared with third parties. Customers also gain extra assurance that their sensitive data, which is increasingly valuable, is being actively secured.
Who Does the GLBA Apply to?
The GLBA, as we previously mentioned, applies to financial organizations. That is to say, any business that is offering financial products or services to individuals, such as loans, financial advice or insurance. Third-parties who receive non-public personal information (NPI) from GLBA covered organizations also have to adhere to certain aspects of the compliance.
As GLBA compliance applies on a customer data level, financial organizations that are strictly B2B are not covered. On the same level, customers using ATMs are also not bound due to their being no ongoing relationship between the customer and the organization.
How Does the GLBA Work?
The GLBA is essentially split into three main components, the Financial Privacy Rule, the Safeguards Rule, and Pretexting Protection. These three components have been designed to work together seamlessly to address all aspects of data protection, from collection, handling, storage and disclosure.
The Financial Privacy Rule ensures that financial organizations face restrictions when it comes to sharing protected information. Specifically, financial organizations are required to provide every consumer with a privacy notice at the start of the relationship and every year after that.
The Safeguards Rule, as the name suggests, requires covered entities to implement an information security plan that adequately ensures the protection of sensitive customer data. According to the safeguards rule, financial institutions must do the following:
- Designate an employee or a team that is specifically in charge of co-ordinating the information security plan.
- Be proactive in identifying and addressing risks to covered data. This includes analyzing current risks and implementing adequate safeguards. Any safeguards put in place must also be regularly reviewed and updated. If anything changes within the business or the threat landscape, the information security plan must be updated accordingly.
- Whenever you select security solutions or service providers you need to make sure that those vendors maintain safeguards themselves.
Pretexting (also known as social engineering) occurs when unauthorized access is gained to sensitive information, usually through the manipulation of genuine users by phishing, or by impersonating someone in the business with authority. The GLBA specifically requires organizations to develop safeguards preventing pretexting from occurring.
Penalties of Non-Compliance with GLBA
Non-compliance with GLBA can result in hefty financial penalties and even prison sentences if individuals are involved. Essentially, financial institutions face fines of $100,000 per violation, and individuals face fines of $10,000 per violation. Individuals also face prison sentences of up to 5 years.
Best Practices for GLBA Compliance for Organizations
The primary reason for GLBA compliance is to ensure companies are taking the right steps towards protecting the sensitive data of their customers. To do this, we advise that companies take a data-centric approach to their security.
The first step in a data-centric approach is to determine where customer data is stored. To do this, you’ll need to deploy data classification technology that can locate, tag, and classify sensitive based on the content and its relation to specific compliance mandates.
Once you know where the sensitive data is located, you need to determine who has access to this data and employ proactive monitoring on permission changes. Implement a policy of least privilege where users only have access to the data they need to do their job. There really shouldn’t be many users in your organization that require access to sensitive customer data. Whenever permission changes take place that could lead to users being granted access to sensitive data, you need to be aware and be able to reverse the change if required.
When you know where your sensitive data is and who has access to it, you need to monitor how users are behaving with it. You need to be able to determine what normal user behavior looks like and get alerted when deviations from this norm occur. Any interactions with sensitive data also need to be closely monitored to ensure the security and integrity of the data. For example, if a user copies a file that contains sensitive data, you need to know about it
Finally, you need to make sure that the state of environment is secure. This involves reducing your potential attack surface by identifying and addressing potentially dangerous security states, such as open shares, inactive user accounts, users with passwords that never expire and more.