GLBA provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses. The primary concern of GLBA is to ensure the confidentiality of customers’ personally identifiable information (PII) and financial information by following certain privacy and security standards.
So, there are two types of standards in GLBA:
- Privacy Standard: Customers must be notified of information sharing practices and provided with a way to opt-out of unnecessary sharing.
- Security Standard: Having an information security policy designed to ensure the confidentiality, integrity and availability of customer records and information. This policy should be able to protect customer records from all types of cyber-attacks.
To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution. In fact, GLBA was created to allow financial industry participants to offer more services. GLBA is also known as the Financial Modernization Act of 1999.
GLBA included three simple requirements to protect the personal data of individuals:
- Banks, brokerage companies, and insurance companies must securely store personal financial information.
- They must advise you of their policies on sharing of personal financial information.
- They must give consumers the option to opt-out of some sharing of personal financial information.
GLBA Concepts and Definitions
Financial institution: Any institution (such as banks, securities brokers, insurance underwriters and agents, finance companies, mortgage bankers) whose business is engaging in activities that are financial in nature or incidental to such financial activities. The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
- Non-bank mortgage lenders
- Real estate appraisers
- Loan brokers
- Some financial or investment advisers
- Debt collectors
- Tax return preparers
- Banks
Affiliate of a financial institution: Any company that controls, is controlled by, or is under common control with the financial institution.
Nonpublic personal information: Generally, any information that is not publicly available, such as information resulting from a transaction between the consumer and the institution involving a financial product or service.
Nonaffiliated third party: A “nonaffiliated third party” is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate.
Opt-out right and its exceptions: Consumers must be given the right to “opt out” of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party unless an exception to that right applies.
Exceptions to the opt-out right are detailed in sections 13, 14, and 15 of the regulation:
- Section 13: To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution’s own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides an initial notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes.
- Section 14: As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers.
- Section 15: For specified other disclosures that a financial institution normally makes to the financial institution’s attorneys, accountants, and auditors (for example, to protect against or prevent actual or potential fraud), or to comply with applicable legal requirements.
Financial service: It also includes a financial institution’s evaluation of a request for a product or service. For example, a financial service includes a lender’s evaluation of an application for a consumer loan or for opening a deposit account, even if the application is ultimately rejected or withdrawn.
Consumer: A consumer is an individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes. Examples of obtaining a financial product or service as a consumer:
- Applying for a loan
- Cashing a check with a check-cashing company
Customer relationship: It is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. Examples of establishing a customer relationship:
- Opening a credit card account with a financial institution
- Obtaining a loan from a mortgage lender
- Providing personally identifiable financial information to a broker in order to obtain a mortgage loan
Customer: A customer is a “consumer” who has a “customer relationship” with a financial institution.
Source: fdic.gov and corporate.findlaw.com
The Main Components of GLBA
The Financial Privacy Rule: Restricts the sharing of nonpublic personal information (NPI) about an individual and requires financial institutions to provide each consumer with a privacy notice at the start of the customer relationship and annually thereafter. The notice outlines what information is collected, where the information is shared, how the information is used and how it is protected, as well as highlighting the customer’s right to opt out of information sharing with nonaffiliated third parties pursuant to the provisions of the Fair Credit Reporting Act. In other words, the Financial Privacy Rule provides a privacy agreement between the financial institution and the customer pertaining to the protection of their nonpublic personal information (NPI).
The Safeguards Rule: This rule requires financial institutions to develop, implement and maintain a comprehensive information security plan that outlines administrative, technical and physical safeguards that are appropriate for the size and complexity of the organization and its financial activities.
This rule is intended to address the following security requirements:
- Ensuring the CIA (Confidentiality, Integrity and Availability) of current and former customers’ nonpublic personal information (NPI)
- Protecting against common cyber attacks
- Protecting against data breaches, data leaks and unauthorized access to or use of nonpublic personal information (NPI)
- Applying to any record containing nonpublic personal information (NPI), whether in paper, electronic or other form
Pretexting Protection: Pretexting occurs when someone tries to gain access to nonpublic personal information without the authority to do so. This may entail requesting private information while impersonating the account holder by phone, by mail, or through phishing or spear phishing; GLBA requires institutions to guard against it.
Source: fdic.gov and en.wikipedia.org
In connection with GLBA, we suggest that you read the following three useful and relatively complete articles:
- What is the Gramm-Leach-Bliley Act (GLBA)?
- Gramm–Leach–Bliley Act
- What is GLBA Compliance? Understanding the Data Protection Requirements of the Gramm-Leach-Bliley Act in 2019
You can also read GLBA’s full text in this file: Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information)