The information security provisions of the Gramm-Leach-Bliley Act reach far beyond the financial services industry.
GLBA meaning and definition
The Gramm-Leach-Bliley Act (GLBA) is a law enacted in 1999 that allowed financial services firms to offer both commercial and investment banking, a combination that had been prohibited since the Great Depression. The public is probably most familiar with GLBA from the debate over whether it helped cause the 2008 subprime mortgage crisis. Among IT professionals, however, it is better known for the data security and privacy regulations it imposes on a range of businesses and organizations, including many outside the banking industry. While most of these rules amount to IT best practice, the legal risk of non-compliance is high: those who fail to comply face substantial fines and possibly imprisonment.
GLBA compliance requirements
At first glance it may seem strange that a financial services law would have such a profound impact on IT and data security. But the law's drafters rightly foresaw that deregulating banking would open the door to huge, sprawling companies offering everything from checking accounts to high-end investments, companies that would accumulate massive amounts of customer information. The law incorporates data security and privacy provisions to allay concerns that this information could be misused or exploited.
Thanks to GLBA, however, it isn't just the Citibanks of the world that fall under regulators' scrutiny. The law applies to any company that is "significantly engaged" in providing financial products or services to consumers. The list of companies that fall under that heading is wide-ranging, including collection agencies, real estate appraisers, and even car dealerships and colleges that maintain scholarship accounts for students and administer student loans.
When it comes to data security and privacy compliance requirements under GLBA, there are three main sets of rules, each called a rule in regulatory terms, that IT needs to worry about: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Rule.
GLBA Privacy Rule
The Financial Privacy Rule (usually shortened to just the Privacy Rule) is relatively straightforward. Financial institutions must give customers written notice of what information is collected about them, how it is used, where and with whom it is shared, and how it is protected. Building on the older Fair Credit Reporting Act, the Privacy Rule also requires institutions to give consumers the ability to opt out of having their information shared with independent third parties.
This privacy notice must be provided when the customer's relationship with the institution begins and at least annually thereafter; if the privacy policy changes, an updated notice must be provided. The wording of the notice can be fairly standard, and the SEC actually provides a sample form.
GLBA consumers and customers. In its privacy rules, GLBA distinguishes between two types of people who interact with a company. A person who buys a financial product or service from the company is a consumer; a consumer who maintains an ongoing relationship with the institution is a customer. All customers are consumers, but not all consumers are customers: customers are those with a longer-lasting, more intimate relationship with the institution.
For example, if you have checking and savings accounts with Bank A, you are a customer of Bank A; if you have no account with Bank B but use its conveniently located ATM to withdraw cash from your Bank A account, Bank B considers you a consumer. As another example, if you apply for a loan from Bank C but have no existing relationship with that bank, you are still only a consumer; you become a customer once the loan is approved and you receive the money.
As you might expect, the privacy requirements are more stringent for customers. For example, consumers who are not customers are entitled to privacy and opt-out notices only if the institution actually plans to disclose their data to third parties, whereas customers have these rights as soon as the customer relationship is established.
GLBA Safeguards Rule
The Safeguards Rule requires all institutions covered by GLBA to use administrative, technical, and physical safeguards to protect the confidentiality, integrity, and security of all nonpublic personal information they hold. This is obviously a very broad mandate, but the good news is that it is also clearly a set of best practices that any organization storing personal data should follow; it is also broadly similar to regulations governments impose on other industries such as healthcare, so companies subject to multiple regulations need not duplicate their work.
The Digital Guardian blog sets out in some detail the specific steps companies covered by GLBA should take to get their house in order and ensure compliance with the rule. You need to:
- Designate staff to coordinate the information security program
- Identify customer information risks across the organization and assess the effectiveness of current protections
- Design, implement, monitor and test overall protection plans
- Select a service provider that can meet GLBA requirements and include this in your contract with them
- Continuously evaluate your plan as the situation and threat landscape change
The Safeguards Rule's requirements tend to be framed in terms of outcomes rather than the specific information security technologies needed to achieve them. For example, there are no specific GLBA password requirements; instead, institutions covered by GLBA are expected to follow modern best practices for authenticating access to personal data, which in practice includes an appropriate password regime.
It is also worth noting that, from a GLBA perspective, part of protecting data is having business continuity and disaster recovery plans in place in case a catastrophic breach or data loss affects customers.
GLBA Pretexting Rule
The third major data protection aspect of GLBA is the Pretexting Rule. Pretexting is a form of social engineering in which attackers try to convince victims to give up valuable information or access to services or systems. The distinguishing feature of this type of attack is that the scammer makes up a story, or pretext, to deceive the victim. For example, someone who has some information about you, such as your address or Social Security number, could call your bank and try to get it to reveal more information or even hand over access to your account.
GLBA affects pretexting in a couple of ways. First, it makes it explicitly illegal to use false pretenses to obtain a victim's information held by a regulated financial institution. Before GLBA, such fraud could only be prosecuted under other fraud or false-pretenses statutes, which did not always map closely onto attackers' actual techniques.
From the perspective of information security professionals, however, the more important aspect of the Pretexting Rule is that it requires financial institutions themselves to take proactive steps to prevent pretexting. In practice this takes the form of strict requirements that people prove they are entitled to the information they are asking for, and training staff to recognize and act against phishing and other forms of pretexting.
GLBA Compliance Checklist
As these descriptions should make clear, preparing for GLBA is a major undertaking, but one that largely overlaps with the cybersecurity measures any institution should be taking anyway. The Infosec Institute describes ten top-level steps your information security or IT organization needs to take to be GLBA compliant:
- Familiarize yourself with these regulations and how they apply to you
- Conduct a risk assessment (more on that later)
- Ensure effective controls are in place to reduce risk
- Protect yourself from insider threats
- Make sure your service provider is GLBA compliant
- Confirm that you comply with the requirements of data protection legislation
- Update your disaster recovery and business continuity plans
- Prepare a written information security plan (WISP), a formal document that GLBA requires
- Report to the board: GLBA requires those responsible for infosec to submit an annual report on GLBA compliance to the organization's board of directors
- Review, revise, improve
GLBA Risk Assessment
Risk assessment is an important part of the threat modeling process that many information security teams perform as a matter of course. If you're looking for a risk assessment tailored to federal cybersecurity regulations like GLBA, however, look no further than the Federal Financial Institutions Examination Council (FFIEC). Its Cybersecurity Assessment Tool can help you identify specific areas where your organization may not be GLBA compliant.
GLBA audit
When people talk about a GLBA audit, they may mean one of two different processes. When organizations feel they are not up to the task of assessing their own readiness and compliance, or simply want an honest outside assessment, they can hire a third party to evaluate their compliance. Such audits can provide valuable feedback, but remember that they are essentially a second opinion from a private company, not a stamp of approval from the U.S. federal government. Deep Odyssey, one company that provides these services, says as much in its disclaimer: "Completion of a GLBA audit does not ensure GLBA compliance. Organizations are responsible for implementing compliance recommendations at their own discretion."
Government agencies, on the other hand, can and do incorporate GLBA compliance standards into their audits of institutions covered by the law. For example, institutions of higher education now have their GLBA compliance verified as part of their annual state compliance audit, and they must submit the audit results to the Department of Education.
GLBA enforcement
We hope our description of GLBA's broad sphere of influence makes clear why the Department of Education is involved in enforcing a financial services law. In fact, GLBA enforcement is carried out by a number of government agencies, including the Federal Trade Commission, the federal banking agencies, the Consumer Financial Protection Bureau, and state insurance regulators, against any non-compliant companies that fall within their jurisdiction. The FTC is one of the main enforcers; its recent settlement with PayPal over breaches involving the company's Venmo service is one example.
GLBA penalties
The consequences of non-compliance with GLBA can be severe:
- Organizations that violate the law can be fined up to $100,000 per violation.
- The heads of these organizations, usually corporate officers or board members, can be personally fined up to $10,000 per violation.
- These individuals can also be sentenced to up to 5 years in prison.
Our advice? Make sure you're compliant now; it protects you and your customers.