Achieving GLBA Compliance
The GLBA consists of three components: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. Institutions need to meet the requirements of all three to be compliant. GLBA audits are conducted annually.
Safeguards Rule
The GLBA Safeguards Rule requires institutions to have an information security program in place that protects consumer data. An updated version of the rule takes effect in June 2023. The latest version of the rule consists of the following nine elements that organizations need to meet.
Element 1: Designate a qualified individual responsible for overseeing and implementing the information security program.
Element 2: Conduct a risk assessment that identifies internal and external risks to customer data security, confidentiality, and integrity.
Element 3: Design and implement security controls to address the risks identified in the assessment.
Element 4: Regularly test and monitor the effectiveness of your controls.
Element 5: Provide employees with security training that reflects your organization’s safeguard controls.
Element 6: Monitor potential risks from third-party vendors.
Element 7: Keep your information security program current. Update security controls based on the results of risk assessments, monitoring, penetration testing and vulnerability assessments, and the emergence of new threats.
Element 8: Establish an incident response plan.
Element 9: Your organization’s Qualified Individual must provide a report (in writing) to the Board of Directors or a senior officer at least once a year detailing the status of the information security program.
Financial Privacy Rule
The GLBA Financial Privacy Rule places requirements on how institutions may collect and handle consumers’ nonpublic personal information (NPI). NPI is defined as:
- Any information an individual provides to get a financial product or service (name, address, income, Social Security number, etc.)
- Any financial information from a transaction involving financial products or services (account numbers, payment history, loan or deposit balances, credit or debit card purchases, etc.)
- Any information about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report)
Information that is publicly available through federal, state, and local government records is not considered NPI. Data that is distributed through media such as phonebooks, newspapers, and websites accessible to the general public is also exempt.
Privacy Notices
Institutions must provide consumers with a privacy notice that is "clear and conspicuous," whether it is on paper or on a website. The notice must be easy to read and designed to gain the reader’s or visitor’s attention. An online notice should be placed on a page that consumers use often, or it should be linked directly from a transactions page.
Your privacy notices must include all the following information that is applicable to your organization:
- Categories of information collected
- Categories of information disclosed
- Categories of third parties to whom you disclose the information
- Whether your institution discloses NPI to nonaffiliated third parties
- Your organization’s security measures to protect NPI
Opt-out Rights
Institutions that share NPI with nonaffiliated third parties must give consumers an "opt-out notice" that clearly and conspicuously describes their right to opt out of the information being shared. An opt-out notice must be delivered with a privacy notice, and it can be included in the privacy notice.
The notice must describe a "reasonable means" for opting out. A toll-free telephone number or a detachable form with a check-off box and mailing information qualify as “reasonable means” for opting out. Requiring a written letter is not considered “reasonable means.” Institutions must give consumers a sufficient amount of time to opt out before disclosing their NPI to these nonaffiliated third parties.
Pretexting Rule
Pretexting is a type of social engineering where the bad actor uses a story to try to trick a victim into giving up personal information (a phishing attack is an example of pretexting). The GLBA requires institutions to have policies and procedures in place to detect social engineering scams. Examples of pretexting security measures include requiring customers to provide large amounts of information in order to access their accounts and requiring employees to complete in-depth training on recognizing social engineering attempts.
GLBA Alignment with Other Security and Privacy Frameworks
The GLBA’s Safeguards and Privacy Rules align with other security and privacy standards such as NIST CSF, ISO 27001, SOC 2, and GDPR. While GLBA compliance does not equal compliance with any of these other frameworks, there are overlapping aspects with each. The policies, procedures, and controls your organization implements to achieve GLBA compliance can provide a jumpstart in your efforts to comply with additional frameworks.
Risks of GLBA Noncompliance
The consequences of failing to comply with the GLBA can be severe, with penalties as large as $100,000 per violation for institutions. Officers and directors could face a $10,000 fine along with up to five years in prison.
Multiple federal and state agencies have authority to enforce GLBA regulations, most notably the Federal Trade Commission (FTC). The Consumer Financial Protection Bureau (CFPB), the Federal Reserve Board, the FDIC, the Office of Thrift Supervision, and the Office of the Comptroller of the Currency also have some degree of enforcement authority.
How We Can Help
At CompliancePoint, we have a wealth of industry experience and knowledge to design, implement, and manage information security and privacy programs that will keep your organization GLBA-compliant. We can help during every step of the GLBA journey by providing risk assessments, penetration testing, vulnerability scanning, privacy assessments, Virtual CISO services, Virtual Privacy services, and more.