What is the Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, commonly known as the Gramm-Leach-Bliley Act (GLBA), is a federal law that controls the ways financial institutions deal with the private information of individuals. It requires covered institutions to take several affirmative steps to prevent the unauthorized collection, use, and disclosure of certain consumer data.
Under GLBA, financial institutions must ensure the confidentiality and safety of their consumers’ data. Any personal information that isn’t public, including social security numbers, contact information, employment data, credit history, account numbers, even academic performance, is protected.
Who is Regulated by the Gramm-Leach-Bliley Act
While GLBA doesn’t apply to all companies, its scope is broader than many realize. GLBA uses the term “financial institution” to describe the entities subject to compliance. While all companies commonly regarded as financial institutions are subject to GLBA, many that wouldn’t obviously fall into that category are also covered. Financial institutions are defined as any business offering financial products or services. These products and services include loans, financial advice, insurance, accounting services, and ATM operations. Per the U.S. Federal Trade Commission, GLBA applies to “all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.”
The Safeguards Rule applies to financial institutions that collect consumer information and to those that receive such information from other financial institutions. It requires financial institutions to design, implement, and maintain safeguards to protect customer information. Those safeguards must include a written “information security program,” featuring “administrative, technical, and physical safeguards.” In crafting their programs, financial institutions should, among other things:
- Designate a person of authority to be ultimately accountable within the organization for ensuring compliance;
- Conduct a detailed risk assessment of its entire consumer information system;
- Implement both technical protections and measures to guard against nontechnical attacks, such as impersonation or identity theft;
- Restrict access to physical locations where customer data is kept;
- Encrypt electronically stored and transmitted data;
- Implement network and host intrusion detection systems; and
- Protect against destruction, loss, or damage of information with system backup and business resumption systems.
The Safeguards Rule also requires that financial institutions provide breach notifications when consumers’ non-public data is compromised. Failure to provide adequate notification to affected consumers can result in civil liability. Complying with GLBA won’t necessarily suffice to avoid liability, but it could prove the linchpin of a broader defense strategy.
Financial institutions should consult Federal Trade Commission (FTC) guidance on Safeguards Rule compliance when building their information security programs. They should also keep in mind that safeguards should be tailored to each financial institution’s circumstances and the unique risks associated with its operation. Employees’ access to customer data from home, or transmission of such data outside the financial institution’s network, poses risks over and above those of typical collection and storage. Financial institutions’ obligations will differ depending on their resources, the volume of consumer information they collect, and the manner in which they use and store it.
Financial Privacy Rule
The Financial Privacy Rule (FPR) governs the collection and disclosure of consumers’ personal financial information and imposes restrictions on the sharing of personally identifiable information with third parties.
GLBA distinguishes “customers,” who have an ongoing relationship with a financial institution, from “consumers,” a broader category of persons. The FPR requires financial institutions to provide a detailed privacy notice at the time a “customer relationship” is established, and annually thereafter. The privacy notice must explain what data the financial institution collects, and how it gets used, shared, and protected. The privacy notice must also provide instructions for customers to direct the financial institution not to share their data with third parties.
While there are exceptions to the FPR’s privacy notice requirements, financial institutions must be cautious. If a financial institution doesn’t want to provide the notice, it should clearly document its qualification for one of the FPR’s few exceptions.
GLBA’s pretexting rules aim to stop the collection of consumer information through “pretexting,” which occurs when someone tries to access personal, non-public information without proper authority. This may involve someone impersonating a customer to request private information by phone or email, phishing scams, or phony websites. GLBA makes it a federal crime to obtain or disclose (or attempt to obtain or disclose) customer information of a financial institution by false pretenses or deception. To comply with GLBA’s pretexting rules, financial institutions should train employees and others with access to consumer data to recognize such attempts.
Financial institutions can face civil fines of up to $100,000 per GLBA violation. Officers and directors can also face personal liability of up to $10,000 per violation. In cases involving intentional violations, financial institutions and their owners and directors can face criminal prosecution in federal court, which could result in criminal fines or even jail time.
The GLBA is a framework upon which companies must build custom-tailored data security programs. Financial institutions must document their compliance efforts on an ongoing basis. This is essential for effectively evaluating compliance and for demonstrating compliance to the FTC or other authorities.
Do you believe your business is regulated by the Gramm-Leach-Bliley Act? Compliance can be facilitated by the advice of experienced legal counsel. Please feel free to reach out to attorneys Justin Furry or Christopher Baiamonte at the Wladis Law Firm at (315) 445-1700 with questions regarding anything in this article.
Christopher J. Baiamonte
Mr. Baiamonte concentrates his practice primarily on civil litigation. He counsels individual, corporate, and municipal clients on resolving disputes ranging from environmental liability to shareholders rights to creditor–debtor suits. He also works with clients to navigate various state and federal regulations relating to areas such as environmental protection, employment, and civil rights.