What is GLBA compliance?

(Part 7 in our series on IT Compliance Concerns.)
In the earlier posts in our compliance series, we covered SOX, HIPAA, and PCI DSS compliance. Here, we will examine what GLBA compliance is and how it might affect you and your company.

GLBA stands for Gramm-Leach-Bliley Act. This act is also referred to as the Financial Services Modernization Act. The GLBA primarily repealed parts of the Glass-Steagall Act by removing prohibitions against banking, insurance, and securities companies that prevented them from acting as combinations of investment banks, commercial banks, and insurance companies. The GLBA also regulates how financial institutions handle the private information of individuals.

The three sections of the GLBA that cover privacy issues are the financial privacy rule, the safeguards rule, and the pretexting provisions. The financial privacy rule deals with the collection and disclosure of private financial information. The safeguards rule requires financial institutions to implement security provisions to protect private financial information. The pretexting provisions prohibit accessing such information under false pretenses. The GLBA additionally requires financial institutions to provide their customers with privacy notices explaining the information sharing practices of the institution (although this requirement may be modified with recent legislation at the end of 2015).

Which companies are affected by GLBA compliance?
Financial institutions are the companies primarily affected. For example, a retail company would not need to be concerned about complying with GLBA rules, even though they might still have other obligations to protect their customers’ information. According to the University of Cincinnati’s Office of Information Security:

“GLBA covers businesses such as banks, appraisal companies, mortgage brokers, securities firms, insurance companies, credit card issuers, income tax preparers, debt collectors, real estate settlement firms, and other companies that may have self-financing plans… GLBA indicates that any business ‘significantly engaged’ in financial activities is subject to GLBA.”

In addition to this, companies affected by GLBA rules may also require their service providers to also follow them.

What are the penalties for failing to comply with GLBA?
There are severe civil and criminal penalties for noncompliance. These can include both fines and imprisonment. And it is not just the companies that can be penalized. Officers and directors can also face these penalties.

A financial institution violating GLBA rules may face:
●    Civil penalties of not more than $100,000 per violation.
●    Officers and directors of such a financial institution will be subject to, and personally liable for, a civil penalty of not more than $100,000 per violation.
●    Such an institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both.

What does a business need to do to comply with GLBA?
Remember that compliance cannot be handled by your IT department alone. GLBA requires executive management to participate in responsibility for compliance.

Your company will need to keep your information security policies up-to-date, devote resources to continually identify potential risks, follow GLBA provisions for the release of both public and private information, be aware of whether it is necessary to provide annual privacy notifications, monitor the actions of third-party service providers, encrypt data, keep careful track of when it is time to destroy data, and possibly hire a lawyer or consultant to help with complexities.

Coming soon: Part 8 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About GLBA Compliance?”

To learn more about GLBA and related issues:
●    Gramm-Leach-Bliley Act definition.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: What Does Your IT Team Need to Know About SOX Compliance?
●    Part 3: What Does HIPAA Mean?
●    Part 4: What Does Your IT Team Need to Know About HIPAA Compliance?
●    Part 5: Is Your Company PCI Compliant?
●    Part 6: What Does Your IT Team Need to Know About PCI DSS Compliance?