Achieving GLBA Compliance for Data Protection

What is the Gramm-Leach-Bliley Act of 1999 (GLBA)?

The Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, requires that organizations protect the privacy of consumer financial information. The GLBA has four components to govern the collection, disclosure, and protection of consumers’ personally identifiable information:

1. Financial Privacy Rule

Under the Financial Privacy Rule, financial institutions or companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance are required under the GLBA to provide a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information.

2. Safeguards Rule

The Safeguards Rule requires financial institutions to have a written information security program in place to protect the privacy and integrity of customer data. Under the program, the company must:

  • designate one or more employees to coordinate its information security program;
  • identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • design and implement a safeguards program, and regularly monitor and test it;
  • select service providers that can maintain appropriate safeguards, make sure its contracts require them to maintain safeguards, and oversee their handling of customer information; and
  • evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including Employee Management and Training; Information Systems; and Detecting and Managing System Failures.

3. The Red Flags Rule

Critical to GLBA compliance is adherence to the Red Flags Rule, which was passed in 2008 and implemented in 2010. The Red Flags Rule requires that a written program to detect, prevent and mitigate identity theft be in place relating to the opening or maintenance of covered accounts. Companies seeking to stay ahead of Red Flags Rule compliance should implement a robust program that includes the following:

  • Establishing a training program to identify relevant red flags;
  • Training all personnel on detecting red flags during daily operation;
  • Having management define precise instructions on how to respond to red flag situations; and
  • Consistently reviewing and updating the program to keep pace with changes in the methods used for identity theft.

4. Pretexting Protections

Pretexting, or social engineering, is a way for someone to gain unauthorized access to consumer financial information. The GLBA encourages financial institutions to identify ways, within the information security program required under the Safeguards Rule, to monitor, detect, and prevent pretexting from occurring. Training employees to detect social engineering attempts, such as impersonating the account holder over the phone or by email, is one way to protect against pretexting.

GLBA Penalties for Non-Compliance

GLBA compliance is mandatory. Financial institutions that fail to meet the GLBA requirements are subject to the following penalties:

  • Up to $100,000 in civil penalties for each violation
  • Officers and directors of the organization will be subject to, and personally liable for, a civil penalty of up to $10,000 for each violation
  • The institution, its officers, and its directors can be subject to both fines and up to five years of imprisonment

Achieve GLBA Compliance with A-LIGN

A-LIGN has the experience to determine whether your organization complies with the GLBA requirements and to help it avoid noncompliance penalties. Our GLBA assessment is performed to determine your organization’s ability to comply with the information protection and security standards as defined in the GLBA. Following the assessment, A-LIGN will issue a report that includes any gaps identified during the assessment and recommendations to remediate them.

For more information regarding the GLBA assessment, contact us or call 1-888-702-5446 to have an experienced assessor answer your questions.