The Gramm-Leach-Bliley Act (GLBA), passed in 1999, outlines regulations related to financial data protection that must be followed by financial institutions.
The proper name of the act is:
An act to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers, and for other purposes.
Where federal law had previously prohibited it, the GLBA allows financial professionals to offer services in banking, investment, and insurance, while holding these professionals to certain ethics and standards related to personal and financial data.
Not only did the GLBA allow consumers to work with only one financial institution or specialist for their financial needs, it gave financial institutions more flexibility to practice in multiple areas of finance simultaneously.
However, to protect the privacy of customers’ personal and financial information, the GLBA highlights two key rules regarding ethical data practices.
To protect customers’ nonpublic personal information (NPI), such as income, credit and loan history, bank and credit account numbers, and Social Security numbers, the GLBA mandates several measures related to the ethical use of data by finance professionals.
The Safeguards Rule details the policies, procedures, employee management and training, and security measures financial institutions need in order to protect their customers’ personal data.
While it offers some specifics regarding types of safeguards and security tools, it is up to the organization to determine what protections are necessary to implement across all nodes and users in the corporate network.
To document their safeguarding methods, the GLBA instructs financial institutions to develop a written information security plan. This plan should include the steps they take to protect private financial information from security breaches, unauthorized internal access or use, and unauthorized distribution outside the organization.
Finance companies should include in their information security plan:
The Privacy Rule requires companies to inform their customers of how their personal data can be used, and to give them the option to opt out of cases in which their personal data would be shared. Financial practitioners are required to provide this information via a privacy notice and an opt-out notice as soon as the relationship begins.
The privacy notice should include what data is being collected, where it could be shared and how it could be used, and the protections the organization uses to keep the data safe. The opt-out notice usually accompanies this document.
The GLBA requires that both documents be distributed to all customers, and that customers be notified and given the chance to opt out again whenever the privacy notice changes.
The final text of the 145-page act, along with extensive supporting information and subcommittee findings, is available at the U.S. Government Printing Office’s website.