The GLBA is one of many data privacy laws that protect customer information. Find out what it is and how to achieve compliance.
The GLBA, or Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999), primarily affects financial institutions, which must provide privacy notices to customers, protect customer information through physical and electronic safeguards, and restrict what personal customer information they share with third parties. Like the European Union’s General Data Protection Regulation (GDPR), it is a privacy law that requires companies and other organizations to explain how they protect, share, and use the private information of customers.
But what is considered a “financial institution”?
Financial institutions are, broadly, any company that provides financial products or services, such as banks, investment banks, securities firms, insurance companies, non-bank mortgage lenders, real estate appraisers, loan brokers, financial or investment advisers, debt collectors, tax return preparers, and real estate settlement service providers. Accountants, professional tax preparers, and courier services must also comply with the GLBA. Higher education is another sector that has to comply with the GLBA, since colleges and universities collect and share financial information from students.
If your organization has to comply with the GLBA, there are several things that you have to do to meet compliance.
The first big hurdle is to provide a privacy notice to customers (before you start any business with them) that details what kind of personal information you will gather, how it will be used, and how it will be protected from unauthorized access, malicious outsider use, or leaks. Customers also need to know how they can opt out of sharing their information with third parties, and in which cases they cannot opt out of sharing information with certain parties (such as marketing companies used by your financial institution, or law enforcement).
The other major compliance requirement is the implementation of privacy and security protocols. You must provide written descriptions of these policies to customers, detailing how departments intend to protect customer data, as well as how they will conduct regular risk analysis, monitoring, and testing of any practices and protocols meant for data protection.
As with many other data privacy laws, companies subject to the GLBA must protect the personally identifiable information of customers, including credit card and bank card numbers, credit and income histories, Social Security numbers, addresses, names, phone numbers, and any other personal data that the financial institution collects.
Failure to comply could result in civil penalties up to $100,000 for each violation, fines up to $10,000 for individual officers and directors of an institution, or even imprisonment for up to five years.
But there are many ways to keep personally identifiable customer information safe, so you and your company won’t have to worry about the GLBA that much. Besides firewalls, consistent updates to software and devices, and stringent employee training, one of the most effective ways to make sure digital private data never gets compromised while it is stored or processed in business applications and systems is to leverage a modern data protection platform like the eperi Gateway.
The eperi Gateway can render any sensitive customer data unreadable, offers effective key management that puts you in sole control of the encryption keys, provides a single point of control, and works out of the box with many database platforms and cloud services such as Salesforce and Microsoft Office 365.