The Gramm-Leach Bliley Act (GLBA) or the Financial Services Modernization Act as it’s also known, has played a massive role in changing how financial institutions manage sensitive information.
What is the GLBA?
The GLBA was a US law passed in 1999 that regulated how financial institutions must protect sensitive consumer information. At the time, the GLBA was created to repeal the Glass-Steagall Act of 1933, which prohibited commercial banks from offering additional financial services like insurance.
Once the act was passed, personal data such as names, addresses, and credit history would have to be kept private. Organizations become responsible for implementing measures to maintain the privacy of customer data.
Under the law financial institutions had an obligation to notify customers how their non-public personal information (NPI) is shared, what data they collect, and who they share this data with. In addition, customers would also have the right to choose whether they want their NPI to be shared.
Beyond these external obligations, financial institutions are also required to implement internal safeguards to protect consumer data from falling into the wrong hands. Safeguards include “prevention and response measures for attacks, intrusions, and other systems failures.”
Generally, these measures are cybersecurity best practices like firewalls and encryption alongside specific tools like network intrusion detection systems. Creating a custom security plan is also required to detail the steps an organization will take to secure their customers’ information. For example, disposing of paper documents via shredding to prevent fraud.
Combating fraud is one of the core aims of the GLBA. The GLBA clearly states that institutions must have robust protections in place to prevent pretexting, a form of fraud where an unauthorized individual uses forged or stolen documents to gain access to personal information (we will look at these protections in more detail).
Why is the GLBA Important?
The GLBA is important not only because it set data handling standards but because it increased consumer rights. The act made it law that customers can access their NPI whenever they want increasing transparency between everyday consumers and financial institutions.
Customers could find out exactly how their data is used and who that data is shared with. The growth in transparency empowered consumers to choose how their data is handled and to opt-out of sharing information with third parties.
The law was also important because it confronted issues like fraud and pretexting head-on. The GLBA made it illegal for someone to try to gain access to protected data by imitating another individual or by deception. Likewise the spotlight on pretexting helped force financial institutions to take greater steps to protect personal data.
While fraud has always been a challenge in the finance industry the GLBA highlighted challenges and put forward a modernized approach for addressing these threats. Today that means fewer consumers falling victim to fraudsters.
Who Does the GLBA Apply to?
The GLBA applies to financial institutions and any companies that offer financial products or services to consumers. In other words, a company that offers a financial product like a loan or insurance is subject to the requirements and needs to protect customer data from unauthorized access.
In practice, that means that any company that offers financial advice or tax advice is subject to GLBA restrictions. Even organizations that aren’t considered as financial institutions can fall under this umbrella. The rules are so expansive that even a retail business that issues a credit card will have to comply!
What are the Penalties for Non-Compliance?
The penalties for non-compliance with the GLBA are unforgiving. Penalties range from fines to five years imprisonment. A financial institution can be fined $100,000 for each violation. If that wasn’t enough, officers and directors can also be fined up to $10,000 for each violation. The gravity of the penalties for non-compliance can have devastating financial and legal consequences.
These measures are strictly enforced. Just recently, Venmo and PayPal Inc. were alleged to have violated customer protection laws and had to reach a settlement with the Federal Trade Commission.
Beyond the legal penalties, non-compliance can significantly damage a financial institution’s reputation. Companies that share data without permission and don’t take data protection seriously will inevitably lose existing as well as potential customers.
GLBA Compliance Checklist
The GLBA is broken down into three sections. Each of these includes different requirements you must adhere to. These three sections are as follows:
- The Privacy Rule
- The Safeguards Rule
- The Pretexting Provisions
The Privacy Rule
The Privacy Rule states that you must notify customers about your privacy policies and protect the confidentiality of their data. A privacy notice must be shared with the customer the moment the relationship is established or the policy is changed.
The privacy notice must explain to the customer what information is collected, how that information is shared, who it is shared with, and how you’re protecting that information. The notice should also offer them the opportunity to opt-in or opt-out of sharing their personal data with third parties.
Furthermore, any time you plan to disclose a customer’s NPI you must also issue them with a privacy notice. It is necessary to issue annual privacy notices to make sure customers are kept updated on how you’re handling their data. Trying to maintain transparency between the customer and the institution is paramount here.
The Safeguards Rule
The Safeguards Rule outlines what measures you need to take to keep NPI secure. One of the most important elements of this rule is that financial institutions must develop a detailed written security plan that outlines how customer data will be protected. A generic security plan won’t do, so institutions need to run a risk assessment to find specific vulnerabilities.
The security plan itself needs to contain a number of components:
- Designate one or more employees to coordinate an information security program.
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program, and regularly monitor/test it.
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
These measures are intended to be applied on a case by case basis. The most important thing is to implement safeguards that are in accordance with your own circumstances. It is essential to apply general best practices like data encryption to protect customer data in transit.
It is critical to note that financial institutions are also responsible for ensuring that any third-party service providers implement the necessary procedures to protect customer data. If you work with a company that doesn’t have adequate protection in place then you could be vulnerable to non-compliance.
Finally, you must report data breaches to the customer ASAP. There are many software products with incident response features that can help you to detect data breaches and respond.
The Pretexting Provisions
The Pretexting Provisions are a list of steps that organizations need to take to stop pretexting or social engineering. Pretexting is essentially a form of fraud where an individual impersonates another person to gain access to private information.
To prevent fraud, financial institutions are expected to implement safeguards such as employee training to prevent unauthorized access to NPI. Employee training is one of the top weapons you can use against pretexting. Educating an employee on the signs of pretexting enables them to raise the alarm if there is suspicious activity.
There is some crossover between the Safeguards Rule and Pretexting Provisions in that organizations must create a cybersecurity plan and monitor account activity to help detect fraud. The key is to be aware of pretexting and to implement measures to minimize the risk of impersonation and fraud.
GLBA Compliance Reports
Compliance reports have a critical role to play in demonstrating data protection. To protect your data you need to have a system that offers dashboards and reporting so that you can detect threats to customer data and act accordingly. If you don’t have the necessary visibility you won’t be able to identify threats and protect NPI before it’s compromised.
Many software platforms have reporting features designed with GLBA compliance in mind. In this section we’re going to look at some solutions you can use to create compliance reports:
- SolarWinds Security Event Manager (FREE TRIAL) This on-premises package provides log management that includes a reporting module that is tailored to GLBA. Runs on Windows Server.
- ManageEngine ADAudit Plus (FREE TRIAL) A package for user activity tracking that has GLBA reporting built in and will also help you to protect sensitive data. Available for Windows Server, AWS, and Azure.
SolarWinds Security Event Manager (FREE TRIAL)
SolarWinds Security Event Manager is a log management tool that can collect and analyze real-time log data to detect cyber attacks. It has anomaly detection and automated threat remediation so that the moment something suspicious has been spotted the program will start to find a solution.
Key Features:
- Log collection
- SIEM
- Auditing features
- GLBA reporting
- Intrusion detection
Why do we recommend it?
SolarWinds Security Event Manager is a package of security tools that include a log manager, a SIEM, user activity tracking, and file integrity monitoring. The log management service in the package provides compliance auditioning features and the platform also implements compliance reporting. This is an on-premises software package.
There are 300-built in compliance reports designed specifically to comply with GLBA, PCI DSS, SOX, NERC CIP, and HIPAA regulatory requirements. You can even build custom reports if you need to watch out for specific threats. These reports can be scheduled and exported to make sure that they always reach the necessary employees in time.
Who is it recommended for?
This is a solution for large organizations. It is able to pull in log messages from all around the business, including operating systems, software packages, networks, and services. Centralized log management forms the basis of all of the functions of the package. This adapts to the specific standard with which you need to comply.
Pros:
- Built with enterprise in mind, can monitor Windows, Linux, Unix, and Mac operating systems
- Supports 300+ compliance reports covering nearly all regulatory standards
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Allows sysadmin to easily build custom reports and schedule compliance scans
Cons:
- Feature dense – requires time to fully explore all features
If you require a tool to help you find threats to NPI then SolarWinds Security Event Manager is a tool worth examining. SolarWinds Security Event Manager starts at a price of $4,665 (£3,540). There is also a 30-day free trial.
ManageEngine ADAudit Plus (FREE TRIAL)
ManageEngine ADAudit Plus is a compliance auditing solution that helps companies to comply with GLBA, FISMA, PCI, HIPAA, and SOX regulations. The program allows you to monitor Successful Logon / Logoff, Unsuccessful Logon, RDP Logon, File Access, File Integrity Monitoring, Policy Changes in AD, Changes to Users, Groups & Permissions. Monitoring information like file access allows you to monitor for unauthorized users.
Key Features:
- User account management
- Activity tracking
- File integrity monitoring
- GLBA reporting
Why do we recommend it?
ManageEngine ADAudit Plus is a user bevaior analytics tool. The package relies on Active Directory as a reference source and so it also ensures the security of AD domains. The tool is not primarily an Active Directory management system – ManageEngine produces ADManager Plus for that.
The ManageEngine ADAudit Plus software comes with pre-configured reports for GLBA. There are over 200 report templates which you can generate or schedule for the future. There are also real-time alerts so that you are notified if data has been compromised. Real-time alerts help you to keep an eye on any changes or breaches that could mean you have to notify customers.
Who is it recommended for?
This system relies on Active Directory, so you need to e running Active Directory or Azure AD as your access rights manager. The software runs on Windows Server, Azure, or AWS. you can run the on-premises version with Azure AD and vice versa. An AWS installation connects to your Azure AD or on-premises AD.
Pros:
- Focused heavily on compliance requirements, making it a good option for maintaining industry compliance
- Pre-configured compliance reports allow you to see where you stand in just a few clicks
- Can differentiate between accidentally access verse insider threat using artificial intelligence
- Supports automation and scripting
- Great user interface
Cons:
- Built with numerous enterprise features – not the best option for smaller networks
There are four versions of ManageEngine ADAudit Plus: Free, Trial, Standard, and Professional. The Free version includes 25 workstations free. The Trial version is free for 30 days. The Standard version costs $595 with 200 plus audit reports. The Professional version starts at $945 and includes additional features like Group Policy Objects settings audit. You can download the 30-day free trial.
GLBA Compliance is Just Good Business
Protecting your customers from persistent cybercriminals and fraudsters is not easy. By taking the time to comply with GLBA requirements you will not only avoid the shame of paying hefty fines but also keep your customers safe. Fraud can have a devastating impact on consumers and by implementing safeguards you can make sure that your customers don’t fall victim to criminals
Going the extra mile to protect the data of your customers also shows that you are committed to maintaining their privacy. Gaining the confidence of customers is as much about showing that they can trust you with their data as it is about any fancy product you can offer them.
GLBA compliance reports will be a vital tool to help you to keep a close eye on your data protection strategy and to deal with vulnerabilities and breaches promptly. Embracing transparency with customers is essential for meeting the terms of GLBA.
Safeguard your reputation by taking a proactive approach to data protection making employees aware of security best practices and threats like pretexting to make sure that you’re never unprepared.
GLBA compliance FAQs:
Which are three key rules of the GLBA?
The Gramm-Leach-Bliley Act is written in three sections and each of these sections constitutes a “rule.” The three key rules of the GLBA are:
- The Financial Privacy Rule Regulates the collection, management, and disclosure of private financial information
- The Safeguards Rule Requires that financial institutions implement security programs to private financial information
- Pretexting Provisions Rule Orders that holders of private financial information should take steps to prevent access to that data through trickery, such as phishing or social engineering
How do I comply with GLBA?
The easiest way to comply with GLBA is to get a data management tool that enforces data governance for GLBA.
What do organizations need to consider to be compliant with GLBA?
There are four types of systems to consider in order to be compliant with GLBA:
- Consent management The Act requires that customers are informed of the service’s information security plan, giving them an option to disapprove.
- Data privacy management This should implement the security plan and control access to private financial information, ensuring that it is only used appropriately.
- Data loss prevention The data stores containing private financial information should be identified and controlled with supervision and blocks over the movement of that sensitive data.
- Activity logging Recording all actions that are linked to the stores of private financial information to create a compliance audit trail