The Gramm-Leach-Bliley Act
Requirements
Who is subject to GLBA?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, applies to financial institutions in the United States, which are companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.
Under GLBA, the term "financial institution" includes:
- Banks, Non-bank Mortgage Lenders, and Credit Unions: These are the traditional financial institutions that most people think of. They're included under GLBA because they provide financial products or services like loans, financial or investment advice, or insurance.
- Securities Firms: These firms provide investment advice, underwrite securities, and act as intermediaries in securities trades.
- Insurance Companies: These companies offer insurance products to consumers.
- Finance Companies: These companies often provide credit to consumers or businesses, and they may also provide other financial services.
In addition to these types of companies, the Federal Trade Commission (FTC) has specified that "financial institutions" also include many other types of businesses, such as:
- Payday lenders
- Check cashers
- Professional tax preparers
- Courier services
- Credit counseling or repair services
- Investment advisory services
- Real estate settlement services
Furthermore, the GLBA applies not only to these financial institutions but also to other companies that receive personal financial information from these institutions. The GLBA's privacy protections cover any individual who obtains a financial product or service from a financial institution for personal, family, or household reasons.
As always, consult with a legal or compliance professional to understand the specific implications for any given business or situation.
Does GLBA have data residency requirements?
GLBA itself does not explicitly state data residency requirements—that is, it does not specify where the data of a financial institution must be physically stored. However, GLBA does require financial institutions to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records or information.
In order to fulfill these requirements, financial institutions need to have appropriate safeguards in place, regardless of where the data is stored. These safeguards might include:
- Access controls on personal information systems, including controls to authenticate and grant access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
- Background checks for employees with responsibilities for or access to customer information.
- Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
- A risk assessment process to identify and assess risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks.
- Regular tests of key controls, systems, and procedures of the information security program to validate that they control the risks and achieve the desired results.
- Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
While GLBA does not explicitly require data to be stored in any specific location, other federal or state laws or industry regulations might impose data residency or sovereignty requirements. Therefore, financial institutions should consult with a legal professional or a compliance expert to ensure that they are complying with all applicable laws and regulations related to data storage and privacy.
What data is covered by GLBA?
The Gramm-Leach-Bliley Act applies to "nonpublic personal information" (NPI) about consumers.
NPI is personally identifiable data that a customer provides to a financial institution, results from a transaction with the customer or any service performed for the customer, or is otherwise obtained by the financial institution. NPI includes but is not limited to:
- Information a consumer provides to get a financial product or service (for instance, name, address, income, Social Security number, or other information on an application).
- Information about a consumer resulting from any transaction involving a financial product or service between a financial institution and a consumer (for example, account balance, payment history, or credit or debit card purchase information).
- Information a financial institution obtains about a consumer in connection with providing a financial product or service (such as information from court records or from a consumer report).
However, NPI does not include publicly available information, as defined by the regulations promulgated under GLBA. In other words, information is not NPI when it is lawfully made available to the general public from federal, state, or local government records, widely distributed media, or disclosures to the general public required to be made by federal, state, or local law.
The GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. This includes securing and disposing of NPI properly.
What rights does the user (data subject) have under GLBA?
Under the Gramm-Leach-Bliley Act, consumers have certain rights pertaining to their nonpublic personal information (NPI) held by financial institutions. These rights are primarily related to privacy notices and the ability to opt out of certain types of information sharing:
- Right to Receive Privacy Notices: Financial institutions are required to provide clear and conspicuous privacy notices to their customers. These notices should explain what NPI the institution collects, with whom this information is shared, how the institution protects this information, and how individuals can opt out of certain types of sharing.
- Right to Opt Out: Consumers have the right to opt out of certain types of sharing of their NPI. Specifically, they can prevent a financial institution from sharing their NPI with non-affiliated third parties (subject to certain exceptions). The privacy notice should explain how a consumer can exercise this right to opt out.
- Right to Limit Data Sharing Among Affiliates: Financial institutions can share information about their transactions and experiences with their affiliates. However, consumers can opt out of marketing by those affiliates, and they can also limit sharing of information about their creditworthiness between the financial institution and its affiliates.
Please note that unlike some other data privacy regulations, the GLBA does not provide consumers with a right to access their data, a right to request deletion of their data, or a right to correct inaccuracies in their data.
Furthermore, the GLBA itself does not provide a private right of action. This means that consumers generally cannot sue financial institutions for violations of the GLBA. However, enforcement is carried out by various federal agencies and states.
As always, for the most accurate information, consult with a qualified legal professional or a compliance expert.
How should data be stored according to GLBA?
The Gramm-Leach-Bliley Act (GLBA) does not explicitly dictate how data should be stored. However, it does require financial institutions to ensure the security and confidentiality of customer records and information, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
These requirements are embodied in what is commonly known as the GLBA Safeguards Rule, which requires financial institutions to develop a written information security plan describing their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
A key part of these requirements includes taking appropriate measures to secure both physical and digital data. Here are a few general measures that align with these requirements:
- Access Controls: Implementing procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
- Data Encryption: Encrypting electronic customer information, both in transit and at rest.
- Security Systems: Using strong and up-to-date security systems to protect against unauthorized access or intrusion.
- Monitoring: Regularly testing and monitoring the key controls, systems, and procedures of the information security program.
- Risk Management: Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assessing the sufficiency of any safeguards in place to control these risks.
- Vendor Management: Taking steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information, and requiring service providers by contract to implement and maintain such safeguards.
- Response Program: Developing a response program to handle incidents of unauthorized access to customer information systems.
Remember that compliance with GLBA is not just about the proper storage of data but also involves conducting a risk analysis, training staff, implementing a security program, and more.
As always, financial institutions should consult with a legal professional or a compliance expert to ensure they are complying with all applicable laws and regulations related to data storage and privacy.
How does SlashID help with GLBA?
SlashID's data residency and encryption posture help companies comply with:
- Data Encryption requirements