What is the Gramm Leach Bliley Act? (2023)

What is the Gramm Leach Bliley Act?

The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the way financial institutions treat individuals' private information. The law consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which requires financial institutions to implement security programs to protect such information; and the Pretexting Provisions, which prohibit the practice of spoofing or gaining access to private information under false pretenses. The law also requires that financial institutions provide customers with written privacy notices that explain their information-sharing practices.

The GLBA repealed large portions of the Glass-Steagall Banking Act of 1933 and the Bank Holding Company Act of 1956. He changed the rules to allow banks, brokerage houses and insurance companies to merge. This created a new structural framework through which a bank holding company could acquire full-service investment banks and insurance companies, while the latter types of companies could set up holding companies to acquire banks. As a result of the GLBA, the Federal Reserve was given expanded supervisory powers to regulate these new types of financial structures.

What is the purpose of GLBA?

The standards established by GLBA complement the data security requirements imposed by the Federal Deposit Insurance Corporation (FDIC). The purpose of the GLB Act is to ensure that financial institutions and their affiliates respect the confidentiality of personal data (PII) from customer records in paper, electronic or other form. The law obliges affected companies to comply with strict data security guidelines.

According to the law, financial institutions are obliged to respect the privacy of their customers and to protect their sensitive personal data securely from unauthorized access.

GLBA compliance requires companies to develop privacy practices and policies that detail how they collect, sell, share, and otherwise reuse consumer information. Consumers must also have the ability to choose what information, if any, a business may disclose or retain for future use.

A related requirement regulates data storage and backup as part of comprehensive written informationsecurity policy. This objective addresses protection against "anticipated threats or dangers" to data that could cause "significant harm or inconvenience" to consumers.

GLBA's PII policies apply to all non-public personally identifiable information, which is defined as information that a customer may provide to facilitate a transaction or that is otherwise obtained by the institution.

Data covered by GLBA

GLBA compliance is designed to reduce the likelihood that an organization will suffer a data breach and face the consequences, including significant financial and legal penalties and damage to reputation. GLBA has become a top priority forChief Information Security Officersand other IT professionals tasked with managing corporate data.

Best practices have emerged, also internallyrisk assessments, regularly testing internal controls and ensuring third-party compliance by business partners and service providers. Practical benefits of regulatory requirements include an increased ability to identify, troubleshoot, and locate critical datadark data, improve consolidation and improve data classification.

Data that falls under the requirements of the GLBA include:

• The address;
• bank account and financial data;
• biometric and related data;
• dates of birth;
• Car dealer;
• credit history (including ownership records or purchase history);
• level of education and school achievements;
• employment data;
• conclusions from other data;
• Internet and other electronic information;
• geolocation data;
• names;
• personal income;
• social security data; and
• tax information.

Organizations regulated by GLBA

The passage of GLBA coincided with the advent of internet technologies for conducting business, which in turn created vast amounts of new data and new ways of accessing data. The law broadened the definition of entities classified as financial institutions.

GLBA regulates any institution that is significantly involved in financial activities. Even organizations that do not disclose non-public personal information are encouraged by GLBA to develop a policy to protect information from potential future threats.

In addition to banks, brokerage firms and insurers, GLBA applies to companies that process loans or otherwise take credit risks. Any organization that falls within the scope of GLBA must comply with its regulations, although individual states have the power to enact stricter data protection regulations, as is the case in California and Virginia.

Professions and businesses subject to the provisions of the GLBA include:

• Accountant
• ATM operators
• Car Rentals
• courier services
• credit bureaus
• credit unions
• debt collector
• financial advisory firms
• hedge funds
• non-bank mortgage lenders
• payday lenders
• real estate appraiser
• real estate companies
• retailers
• stockbroker
• tax consultant
• universities

How GLBA compliance works

GLBA is divided into three main sections, each of which defines a subset of rules governing compliance. The three sections include the following:

Financial Privacy Rule

This rule, often calledPrivacy Rule, establishes requirements for how organizations may collect and disclose private financial information. An organization must provide a “clear and conspicuous” reference to its privacy policy at the outset of a customer relationship. Thereafter, customers must receive annual termination for the duration of the relationship unless the organization meets certain criteria.

The Privacy Policy describes what data is collected, how it is used and shared, who has access to it, and the policies and procedures in place to protect it. As required by theFair Credit Reporting Act, customers must be informed annually of the privacy policy, including the right to opt-out of sharing information with unaffiliated third-party companies. If a customer consents to the sharing of information, the organization must comply with the terms of the original privacy statement.

protection rule

As the name suggests, steps to ensure information security are at the heart of the GLBA protection rule. The Federal Trade Commission (FTC) enacted this rule in 2002 and continues to enforce it. The rule directs organizations to use administrative, physical, and technical safeguards as safeguards againstcyber attacks,E-Mail-Spoofing,PhishingSchemes and similar cybersecurity risks.

The rule also requires that an organization designate at least one person to be responsible for all aspects of the information security plan, including development and periodic testing. Dataencryptionand key management are recommended as best practices but are not FTC requirements according to the security rule.

pretense rule

This rule is intended to prevent employees or business partners from collecting customer information under false pretenses, such asSocial DevelopmentTechniques. Although the GLBA has no specific requirements related to pretext, prevention typically involves building employee training to avoid pretext scenarios in the written information security document.

Who enforces the GLBA requirements?

State and federal bank authorities have different powers to enforce GLBA regulations. The FTC can take action in federal district courts against organizations that violate privacy laws. Section 5 of the GLBA gives the FTC authority to review privacy policies to ensure they are being developed and applied fairly.

Enforcement of the protection rule remains with the FTC, although theDodd-Frank-Act2010 New rulemaking powers delegated to the Office of Consumer Financial Protection (CFPB). Other federal agencies that have a role in GLBA enforcement include the Federal Reserve Board, the FDIC, the Office of Thrift Supervision, and the Office of the Comptroller of the Currency. Responsibility for regulating insurance providers rests with individual states.

To avoid compliance errors, a company may choose to hire independent consulting firms. These companies conduct a GLBA audit to assess an organization's informationsecurity situationand develop strategies to keep up with changing legal regulations.

Penalties for GLBA non-compliance

Failure to comply with the GLBA can have serious financial and personal consequences for managers and employees. A financial institution faces a fine of up to $100,000 for each violation. Its officers and directors can be fined up to $10,000, imprisoned for up to five years, or both. Businesses also face increased exposure and a loss of customer trust.

Increased awareness of security risks is one of the benefits companies can derive from GLBA compliance, especially as hackers develop more sophisticated tools to break into computer systems. Aside from improved brand reputation, a company can gain new insights from existing data and improve its data management capabilities.

Recent GLBA cases brought forward by the FTC include:

• Ascension data and analytics.In 2020, the Arlington, Texas-based company agreed to an undisclosed financial settlement after it was discovered that a vendor, OpticsML, had stored customers' financial information in plain text on insecure cloud storage.
• PayPal.The onlinepayment processoragreed to pay the state of Texas $175,000 in 2018 to resolve GLBA and Federal Trade Act violations that compromised the data security and privacy of customers using its peer-to-peer Venmo application.
• TaxSlayer.For several months in 2015, hackers were able to access almost 9,000 customer records from the Augusta, Georgia, online tax advisor. As part of the settlement with the FTC, the company is prohibited from violating the GLBA Privacy Rule and Security Rule for 20 years and is required to have its compliance assessed by a third party every two years for 10 years.

Criticisms, problems and GLBA revisions

Critics of the GLBA have claimed that the measure's enforcement violated the regulatory capabilities of the Health Insurance Portability and Accountability Act (HIPAA) and privacy laws as enacted in California. The GLBA gives individuals the responsibility to notify companies when they object to data collection. The limited opt-out rights allow for greater data sharing between larger companies, which is the opposite of what was intended, critics said.

Some economists blamed the GLBA for contributing to the 2008 financial recession. They argued that the repeal of the Glass-Steagall Act opened the doors for banks to speculative investing with short-term hedge funds and other high-yield, high-risk financial instruments.

Other financial experts claimed that the GLBA played only a marginal role in the economic crisis. They pointed to a spate of subprime mortgages owned by Fannie Mae and Freddie Mac that Congress has mandated to buy to create affordable housing in low-income neighborhoods.

The CFPB revised the GLBA in 2018 to exempt some companies from the obligation to provide customers with annual privacy notices under certain conditions. In general, financial institutions are exempt in two ways: if they restrict the sharing of information and do not trigger a customer opt-out requirement, or if there are no changes to the privacy policy previously provided to the customer. The CFPB said the revision is consistent with GLBA amendments approved by Congress.

GLBA and GDPR

GLBA and the European General Data Protection Regulation (GDPR) have different goals, but both define data security and consumer protection. While the GLBA sets data protection rules for financial institutions, the GDPR covers all organizations that process an individual's personal data in the course of conducting business.

Like GLBA, GDPR encourages companies to be more transparent about how they collect and handle sensitive information. This includes personally identifiable information about individuals and any metadata that can be used to identify or characterize them.

In 2021, the General Assembly of the Commonwealth of Virginia passed the Virginia Data Protection Act, becoming the second state to enact regulations that strengthen consumer protections. Virginia law reflects many provisions of the California Privacy Rights Act (CPRA). CPRA is an enhanced version of theCalifornia Consumer Privacy Act, which guarantees individuals the right to know all personal data that a company may collect. CPRA gives Californians and others broad powers to receive, delete, and limit the use of personal information. Any organization doing business in California may be subject to CPRA rules.

Illinois, New York, Oregon, Texas and Washington are updating existing security laws, and the National Association of Insurance Commissioners has developed a model law that allows states to develop laws that protect personal information consistently.

History of the GLB

The Gramm-Leach-Bliley Act is named for the lawmakers who sponsored it: Sen. Phil Gramm (R-Texas), Rep. Jim Leach (R-Iowa), and Rep. Thomas Bliley (R-Va.). The US Senate passed GLBA in May 1999 by a vote of 54 to 44. The US House of Representatives approved a version of the law in July 1999 by a vote of 343 to 86. A revised version of the bill passed both houses on November 4, 1999 - by a vote of 90 to 8 in the Senate and 362 to 57 in the House of Representatives; President Bill Clinton signed GLBA into law on November 12.

GLBA emerged during a wave of government business regulation in the late 1990s. Congress passed HIPAA in 1996 and theSarbanes-OxleyPublic Enterprise Accounting Reform and Investor Protection Law of 2002.

Federal agencies had relaxed some Glass-Steagall bans in the years leading up to the GLBA. These moves helped pave the way for commercial banks and investment firms to merge and sell integrated financial services. However, this development renewed privacy concerns that had been smoldering for several years.

The EU Data Protection Directive, a 1995 European law that imposed stricter requirements on US companies, was emblematic of this concern. Any US company offering products or services to EU citizens must provide them with the same level of data protection as is imposed by data sharing in their home countries. The European Union approved the GDPR in 2016 to replace the Data Directive; The GDPR came into force in 2018.

In 1999, the year GLBA became law, the U.S. Bancorp, based in Minneapolis, Minnesota, is being sued by the state of Minnesota for sharing confidential customer information with a telemarketing company that allegedly charged their accounts without permission. In 1999, Charter Pacific Bank of Agoura Hills, California was involved in a porn scam after selling a California-based company access to a database of credit card accounts. According to the FTC, the company used fictitious names and fake merchant accounts to charge unsuspecting customers over $40 million for access to porn websites. The FTC won a $37.5 million judgment against the company's owners. Selling access to the credit card database was not illegal, allowing the bank to avoid financial penalties.

Learn more about how to comply with a range of new consumer privacy laws and regulationsEffects on IT and security processes.