What companies need to know about proposed changes to the Gramm-Leach-Bliley Act

Introduction: What is the Gramm-Leach-Bliley Act (GLBA)?

Also called the Financial Modernization Act of 1999, GLBA governs the way in which financial institutions must prevent the disclosure of consumer nonpublic personal information (NPI). The regulation outlines its requirements in three rules:

  • The Financial Privacy Rule (“Privacy Rule”): Requires information-sharing practices disclosures
  • The Safeguards Rule: Requires implementation of security programs to protect data
  • Pretexting Protection: Prohibits obtaining private information under false pretenses

Additionally, GLBA requires that financial institutions provide a way for consumers to opt out of data sharing.

Who must comply with GLBA?

GLBA applies to organizations classified as “financial institutions.” The regulation defines a financial institution as any business engaging in activities that are “financial in nature” or incidental to financial activities. Specifically, these types of organizations include:

  • Banks
  • Credit unions
  • Investment companies
  • Securities brokers and dealers
  • Insurance underwriters and agents
  • Finance companies
  • Mortgage brokers
  • Travel agencies

However, GLBA’s reach has expanded over the years as more types of organizations manage consumer personally identifiable information (PII). For example, colleges and universities collect student information for financial aid and payroll purposes. Additionally, healthcare providers collect PII for billing purposes, which creates an overlap between GLBA and the Health Insurance Portability and Accountability Act (HIPAA).

What are the potential fines for non-compliance?

Although an older regulation, GLBA could be considered a trailblazer when it comes to stringent penalties. Organizations that fail to comply with GLBA risk facing significant fines and penalties:

  • Civil penalties against the organization up to $100,000 per violation
  • Personal liability civil penalties against officers and directors up to $10,000 per violation
  • Fines against officers, directors and the institution under Title 18 of the United States Code
  • Imprisonment for up to five years

With consumers adopting new technologies, companies find themselves in the GLBA spotlight.

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Karen Walsh. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/wUYsyTEkbFs/