What is it?
The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services.
Compliance Enforcement
GLBA compliance is mandatory. Whether a financial institution discloses
nonpublic information or not, there must be a policy in place to protect the
information from foreseeable threats in security and data integrity. Major
components are put into place to govern the collection, disclosure, and protection
of consumers’ nonpublic personal information or personally identifiable
information:
- Financial Privacy Rule (Subtitle A: Disclosure of Nonpublic Personal Information, codified as 15 U.S.C. § 6801 through 15 U.S.C. § 6809)
The Financial Privacy Rule requires financial institutions to provide
each consumer with a privacy notice at the time the consumer relationship is
established and annually thereafter. The privacy notice must explain the
information collected about the consumer, where that information is shared,
how that information is used, and how it is protected. The
notice must also identify the consumer’s right to opt-out of the
information being shared with unaffiliated parties per the Fair
Credit Reporting Act. Should the privacy policy change at any point in
time, the consumer must be notified again for acceptance. Each time the
privacy notice is reestablished, the consumer has the right to opt-out
again. The unaffiliated parties receiving the nonpublic information are held
to the acceptance terms of the consumer under the original relationship
agreement. In summary, the financial privacy rule provides for a privacy
policy agreement between the company and the consumer pertaining to the
protection of the consumer’s personal nonpublic information.
- Safeguards Rule (Subtitle A: Disclosure of Nonpublic Personal Information, codified as 15 U.S.C. § 6801 through 15 U.S.C. § 6809)
The Safeguards Rule requires financial institutions to develop a written
information security plan that describes how the company is prepared to
protect, and plans to continue protecting, clients' nonpublic personal information.
(The Safeguards Rule also applies to information of those who are no longer
consumers of the financial institution.) The plan must:
- Designate at least one employee to manage the safeguards
- Conduct a thorough risk assessment of each department handling
the nonpublic information
- Develop, monitor, and test a program to secure the information
- Update the safeguards as needed when the way information is
collected, stored, and used changes
This rule is intended to do what most businesses should already be doing:
protect their clients. The Safeguards Rule forces financial
institutions to take a closer look at how they manage private data and do
a risk analysis on their current processes.
- Pretexting Protection (Subtitle B: Fraudulent Access to Financial Information, codified as 15 U.S.C. § 6821 through 15 U.S.C. § 6827)
Pretexting (sometimes referred to as "social engineering")
occurs when someone tries to gain access to personal nonpublic information
without proper authority to do so. This may entail requesting private
information while impersonating the account holder, by phone, by mail, by
email, or even by "phishing" (i.e., using a "phony"
website or email to collect data). The GLBA has provisions that require financial institutions to take all precautions necessary to protect and
defend the consumer and associated nonpublic information. Pretexting is
illegal and punishable by law independently of the GLBA.