Understand the Gramm-Leach-Bliley Act
When it comes to data protection acts, the Gramm-Leach-Bliley Act is one of the more important ones to understand. Also known as the Financial Modernization Act of 1999, it is a United States federal law that requires financial institutions to document and explain how they protect the personal data of their consumers. In order to comply with the Gramm-Leach-Bliley Act, they have to explain to their customers how their data is being shared and used. They also have to provide a way for customers to opt out if they don’t want their sensitive personal data shared with third-party providers. Financial institutions should also apply specific protections for their customers’ personal data based on a written information security plan created by the institution.
The main implications of GLBA compliance are outlined by the Safeguards Rule. The Privacy of Consumer Financial Information Rule provides additional requirements. GLBA compliance is enforced by the FTC, along with federal banking agencies, other federal regulatory authorities, and state insurance oversight agencies.
Gramm-Leach-Bliley Act Benefits
GLBA compliance provides several benefits for a financial institution. First, it lowers the risk of penalties or damage to their reputation due to unauthorized sharing of their customers’ private data. Other benefits include:
- Customers’ private information should be secured from unauthorized access.
- Activities of users should be tracked, including access to protected records and data.
- All sharing of private information should be disclosed to customers, whether it is with other financial institutions or third-party providers. An opt-out option should also be present.
Compliance with the Gramm-Leach-Bliley Act protects consumers, which builds trust in the financial institution. Customers gain a certain assurance that they can trust the financial institution with their data and will continue to patronize its services.
How Gramm-Leach-Bliley Act Compliance Works
The Gramm-Leach-Bliley Act focuses on the security of Non-public Personal Information, or NPI, which includes social security numbers, bank account numbers, credit history, phone numbers, physical addresses, names, and any other personal data received by the financial institution from the customer. Financial institutions are required to create an information security plan according to the Safeguards Rule, which describes how the data is protected. The plan must be tailored to the financial institution’s size, complexity, and operations, along with the type of sensitive information that it receives from customers. Financial institutions must meet the following criteria:
- At least one employee should be designated to coordinate information security systems.
- They must assess and identify any risk to customer information within all relevant areas of the institution’s operation and evaluate the efficiency of the safeguard protocols for each risk.
- They should use service providers with the ability to maintain proper safeguards and ensure that the contract states that they will maintain these safeguards, as well as oversee how they handle customer data.
- They must design safeguard protocols and programs and regularly monitor their efficiency.
- They must evaluate and make adjustments to the safeguard protocols based on recent events, such as changes to the business’s operations, or based on test results.
To achieve compliance with the Gramm-Leach-Bliley Act, financial institutions should pay close attention to employee management, training, security management, and information systems.
Penalties for Gramm-Leach-Bliley Act Non-compliance
If non-compliance with the Gramm-Leach-Bliley Act is proven, financial institutions could face business-altering, and in some cases even life-altering, penalties. These include:
- Financial institutions are fined $100,000 for each violation.
- Individuals responsible for non-compliance are fined $100,000 for each violation.
- Individuals responsible for non-compliance can be jailed for up to five years.
Non-compliance Examples
There have been several examples of non-compliance with the Gramm-Leach-Bliley Act since it was enacted.
Paypal (as Venmo)
They allegedly violated the Gramm-Leach-Bliley Act and the Federal Trade Act, and according to a source:
“The FTC also asserts that the privacy practices it alleges violate the GLBA and its Privacy Rule, and that the security failures it alleges violate the GLBA and the Safeguarding Rule.”
Mortgage Companies
Early after its enactment, the FTC used the Gramm-Leach-Bliley Act against numerous mortgage companies for several violations.
Gramm-Leach-Bliley Act Best Practices
The main focus of the Gramm-Leach-Bliley Act is to strengthen data protection. Accordingly, the primary focus of financial institutions should be to create proper safeguards and programs to protect the private data that they manage. It is critical for any financial institution to maintain Gramm-Leach-Bliley Act compliance, as violations can be detrimental to its operations as a whole.