The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999. The GLBA repealed a portion of the Glass-Steagall Act of 1993, which prohibited any one institution from acting as any combination of an investment bank, commercial bank and insurance company. The act also repealed the prohibitions “against simultaneous service by any officer, director or employee of a securities firm as an officer, director or employee of any member bank.”
A company’s obligations under the GLB Act are contingent on whether the company has customers or consumers.
A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for family, personal or household reasons. A customer is a consumer who has a continuing relationship with a financial institution. For example, a person who hires a broker or a mortgage company for a personal loan or mortgage is considered a customer of that broker or lender, while a person who uses a check cashing service is only a consumer of that service.
The Federal Trade Commission has authority to enforce the law for “financial institutions” not covered by other authorities, such as the Securities and Exchange Commission, Commodity Futures Trading Commission, state insurance authorities and federal banking agencies. For example, tax preparers, debt collectors, providers of real estate settlement services, non-bank mortgage lenders, loan brokers, and financial/investment advisors fall under FTC jurisdiction for enforcement of the GLB Act. There are three major elements of the GLB Act that are designed to protect consumers’ nonpublic personal information from disclosure: the Financial Privacy Rule, the Safeguards Rule, and pretexting protection.
The Safeguards Rule requires all financial institutions to conduct a thorough risk assessment of their security measures and to design, implement and maintain a comprehensive information security program to protect customer information in all areas of operation. This rule applies not only to financial institutions that collect information from their own customers, but also to financial and other institutions that receive customer information from other financial institutions. Under the Safeguards Rule, companies are required to:
Designate one or more employees to coordinate safeguards.
Identify and assess risks to nonpublic personal information in each relevant area of company operations and evaluate the effectiveness of current safeguards.
Design and implement information safeguards to control risk and regularly test and monitor the effectiveness of the information security program’s key controls, systems and procedures.
Select appropriate service providers and contract them to implement safeguards.
Evaluate and adjust the program according to relevant circumstances, including changes in business operations, arrangements or the results of testing and monitoring the safeguards.
Again, similar to HIPAA, the requirements are designed to be flexible so that each company can implement the safeguards appropriate to it. When a company adopts safeguards, the Safeguards Rule requires it to consider all areas of operation, including the three areas particularly important to information security: employee management and training, information systems, and managing system attacks and failures. We have added a PDF to the Compliance section of our resources page that includes the recommended practices for each of the three areas.
Pretexting occurs when someone tries to access personal, non-public information without the proper authority to do so, for example by impersonating an account holder to request private information by phone, email or mail. Phishing and phony websites used to collect data are also examples of pretexting. The GLB Act makes it illegal for any person to obtain or attempt to obtain, or to disclose or cause to be disclosed, customer information of a financial institution by false pretenses or deception. To meet the GLB Act’s standards in this regard, programs should be put in place to educate employees to recognize social engineering and phishing scams.
Our blog series on Compliance continues next week with a look at the Sarbanes-Oxley Act, which set new and enhanced standards for all public accounting and management firms and public company boards.
References:
Bill Summary & Status, 106th Congress (1999-2000), S.900, CRS Summary. Thomas (Library of Congress).
C. Landis Plummer. n.d. Federal Register. https://www.federalregister.gov/articles/2001/08/07/01-19338/standards-for-safeguarding-customer-information
n.d. U.S. Securities and Exchange Commission. https://www.sec.gov/divisions/marketreg/tmcompliance/modelprivacyform-secg.htm