GLBA (Gramm-Leach-Bliley Act)

The Gramm-Leach-Bliley Act of 1999 and California Senate Bill 1386 have serious implications for organizations that collect the personal information of their customers. SB 1386 defines personal information broadly: an individual’s first name (or first initial) and last name in combination with an identifying number, whether a Social Security, credit card, or bank account number. Financial institutions, and educational institutions that handle student financial data, face the most work to comply with these regulations.

Regulatory Breakdown

The Financial Services Modernization Act of 1999, better known as Gramm-Leach-Bliley (GLBA), includes provisions to protect consumers’ personal financial information held by financial institutions. Although the act is primarily concerned with removing restrictions on financial institutions relating to mergers and information sharing, Section 501 of the bill sets out the security standards those institutions must meet. The legislation is intended to ensure that financial institutions protect sensitive customer information that may be exposed to attackers through web-enabled environments, including Internet connectivity and hosting arrangements. While this legislation modernizes the US financial landscape, it also contains significant privacy and security elements for individuals, including the:

  • Notification to consumers of how the information collected about them is used. This privacy provision requires the institution to disclose what information it collects about its customers, with whom it shares that information, and how it protects or safeguards it.

  • Adoption of a detailed security policy that identifies and assesses the risks that may threaten customer information. This security policy must be backed by corporate procedures and guidelines that are fully implemented and integrated across the organization.

  • Opt-out rights for any sharing of personal information with non-affiliated third-party companies.

  • Implementation of significant security safeguards.

IT Security Governance

  • Provide a privacy notice at all online application points.

  • Adopt, across the organization, adequate policies and procedures to protect customer data as specified under GLBA.

  • Engage regular third-party risk assessments covering social engineering, systems, and logical safeguards across the organization.

  • Provide assurance that all partners and other third parties are adequately secure and adhere to accepted security standards.

  • Protect against any anticipated threats or hazards to the security or integrity of customer records.

  • Protect against unauthorized access to or use of these records or information that could result in substantial harm or inconvenience to a customer.