The Gramm-Leach-Bliley Act (GLBA) has been around since 1999, but it doesn't just affect financial services, it also requires higher education to comply.
Just like other regulations pertaining to protecting the privacy of individuals, the fines behind the Gramm–Leach–Bliley Act (GLBA) pack a strong punch for each single violation:
- $100K for organizations
- $10K for individuals
- Up to five years of prison time for individuals
In 2019, Equifax was forced to pay customers and states across the U.S. approximately $575 million for violating GLBA and the FTC Act. This followed a data breach of the Equifax database consisting of 200 million Americans.
The GLBA, enacted in 1999, was a way to modernize the financial industry. Before 1999, the Glass-Steagall Act was in place since the financial crisis in 1929. Due to the onset of the Great Depression, commercial banks were no longer allowed to offer other financial services, such as investment and insurance services, as a form of risk mitigation and protection from any market volatility in the future. The GLBA re-opened the ability for banks to provide these services again; however, with the caveat that banks and the companies they merge with (stockbrokers and insurance companies mostly) would be responsible for the data protection of their client’s data.
One crucial aspect of the GLBA is consumer privacy. This was one of the first laws in the U.S. that forced financial firms to institute and “opt-out” option for customers who wanted to limit the sharing of their personal information.
A Way to Build Customer Loyalty
GBLA, which is administered by the Federal Trade Commission, also created data privacy regulations that commercial banks, investment firms, and insurance companies must adhere to. Financial institutions in all three sectors must explain how they share and protect the private information of their customers. They must also communicate how they share sensitive data and inform customers of their right to opt-out.
Another key aspect of GBLA is the definition of a <financial institution>. In 2016, the U.S. Department of Education determined that colleges and universities are considered financial institutions subject to GBLA. Just this past February, the Department issued an announcement regarding its enforcement of cybersecurity requirements for higher-education institutions under GLBA.
Any organization that does not comply, like Equifax, will feel the wrath of GLBA. But taking another perspective, compliance with GLBA puts banks, security firms, insurance companies, and higher-ed institutions at a lower risk of the reputational damage that’s caused by unauthorized access to, or loss of, private customer or student data. Because GLBA compliance protects customer privacy, it can thus serve as a way to build trust with customers and students—if compliance is properly promoted.
When customers see proof that their bank, financial advisor, insurance agency or college is taking protective measures to guard their data, they are more likely to continue doing business. And they are more likely to expand the services they tap into and to refer more of their friends.
Assess 3rd Parties and 4th Parties Too
In addition to deploying the necessary technologies to ensure the confidentiality and security of personal customer information—names, Social Security numbers, credit scores, income histories, account numbers, phone numbers, addresses—GLBA requires financial services companies to document their security plan. This includes policies and processes to safeguard customer data.
As part of this plan, firms need to assess customer data risks and evaluate their security controls to protect against those risks. Also, consider the security postures of any third-party service providers that play a role in processing or storing customer data handled by a financial services firm. Contracts should include the right to assess third-party security postures and require strong security postures as a condition for doing business.
In some cases, a fourth-party might even come into play. This is the case, for example, when a bank relies on a cloud hosting provider (third party) who, in turn, relies on an external vendor (fourth party) to monitor database security. The bank needs to know both parties are providing sufficient security controls.
More Restrictions Coming
Sometime this year, the FTC is expected to announce changes to GBLA pertaining in particular to taking additional steps to ensure third-party and fourth-party affiliates and service providers safeguard customer information. Financial institutions will also have to take additional steps to ensure they encrypt all customer data, use multifactor authentication to access that data, and implement further access controls to prevent unauthorized users from accessing customer information.
With every financial institution in the U.S. governed by the FTC, paying close attention to GBLA is a vital task for banks, investment firms, and insurance companies. To take on the challenge, it’s important to assign sufficient internal resources, including designating employees exclusively to coordinating the security program and to regularly monitor and test the program.
This will be particularly important as your business changes. The program will need to adjust as new technologies are deployed, existing technology systems expand, and as new requirements of GBLA emerge.