According to statistics, financial institutions have faced a staggering 2,260 data breaches since 2018, impacting more than 232 million records.
The financial industry is one of the most impacted industries in the world when it comes to cybersecurity incidents and data breaches. The type of data that financial institutions manage involves confidential information, such as an individual’s bank account number, credit card number, etc. Concerned authorities have developed numerous regulations and industry standards to protect this highly sensitive data. One such regulation that financial institutions must adhere to is the Gramm-Leach-Bliley Act (GLBA).
The GLBA has covered the customers’ financial data under the definition of Non-Public Personal Information (NPI) and established various data privacy and security provisions to safeguard its confidentiality, availability, accessibility, and integrity.
Read on to learn more about what the GLBA’s Non-Public Personal Information definition covers and some of the privacy and security measures the act stipulates.
Formerly known as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) was established to govern financial institutions or services. The law mandates that financial institutions clarify their procedures and practices for collecting, processing, and sharing customer data, commonly called non-public personal information (NPI). Organizations must inform customers about their information-sharing practices, their right to “opt-out” if they do not want to share their information with any third party, and the security measures in place to protect customer data.
The law is structured into three categories, offering organizations a comprehensive framework to understand the provisions better and implement them efficiently. The Financial Privacy Rules require transparency and give customers the right to opt out. The Safeguards Rule requires organizations to establish and implement information security programs, while the Pretexting Provisions recommend employee training and security measures to prevent threats like social engineering or phishing.
To ensure compliance, organizations must clearly understand what type of data is required to be safeguarded. Therefore, learning more about the GLBA’s non-public personal information definition and the types of information it covers is essential.
A "consumer" is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes or that person's legal representative. The term "consumer" does not apply to commercial clients like sole proprietorships.
"Customers" are a subclass of consumers who have a continuing relationship with a financial institution. It's the nature of the relationship - not how long it lasts - that defines whether a person is a customer or a consumer.
NPI is defined under the law as generally personally identifiable financial information that is not publicly available and that:
Moreover, NPI includes “lists, descriptions, or grouping of consumers (and publicly available information pertaining to them)” created using NPI.
NPI does not include information that a financial institution or covered entity has a reasonable basis to believe is lawfully made "publicly available." A covered entity must determine whether:
Here are some of the common examples of non-public personal information:
Given that financial institutions deal with a high volume of such highly sensitive data, it is paramount for organizations to set up robust privacy and security controls to enable data protection and ensure compliance. To achieve that objective, financial organizations must gain a complete understanding of the Financial Privacy Rules, Safeguards Rule, and Pretexting provisions as provided under the GLBA and implement them.
Let’s take a quick look at some of the most important provisions outlined across these three categories.
In the case of a ‘consumer,’ the only time a financial institution must give a consumer a privacy notice is if the financial institution wants to share the consumer’s NPI with a nonaffiliated third party. In that case, the financial institution must provide the consumer with a privacy notice with information about how to opt out from information sharing before the financial institution shares any information. If the consumer does not exercise the opt-out right, the financial institution is free to share the consumer’s NPI with nonaffiliated third parties.
In the case of a customer, who has an ongoing relationship with a financial institution, the financial institution must provide an initial privacy notice at the start of the customer relationship and subsequently provide annual privacy notices. The privacy notice must explain how the institution collects, discloses, and safeguards NPI. The notice must be presented in a clear and conspicuous manner and should include the following details:
If the financial institution shares customers’ NPI with any non-affiliated third parties, it must inform the customers about their right to opt out. The opt-out notice can be presented either separately or as part of a comprehensive privacy notice, and it should be accessible to customers at least thirty (30) days before their NPI is shared.
In the case of an isolated consumer transaction, organizations may require that consumers make their opt-out decision before finalizing the transaction. Consumers and customers who hold the right to opt out are free to exercise it at any time. Upon receiving an opt-out request from an existing consumer or customer, the institution must comply promptly, acting as soon as reasonably possible.
There are instances where NPI may be shared without explicit consumer/customer permission. For example, NPI may be shared if the NPI is provided to a third party to perform services for the financial institution. In that case, the financial institution must inform the consumer about the information-sharing arrangement and that there is a confidentiality agreement protecting the information between the financial institution and the nonaffiliated third party.
The law stipulates that there must be a written security plan that is appropriate to the size and complexity of the covered entity’s business, the nature and scope of its activities, and the sensitivity of the customer information it handles. Covered entities are given flexibility to implement safeguards appropriate to their own circumstances, but each company must:
As part of the security program, the organization must conduct comprehensive risk assessments to identify and mitigate risks to the confidentiality, integrity, and availability of the data. Organizations must also evaluate their security program periodically. Periodic evaluations of the risk assessment and security program enable organizations to identify and mitigate emerging threats.
In financial institutions, the efficacy of security programs relies heavily on employees who play a key role in implementing regulations. To enhance the security program's effectiveness, employees should undergo training programs and refreshers to identify potential risks. Training initiatives should cover recognizing and responding to fraud or identity theft scams, including guarding against pretext attacks. Additionally, staff responsible for computer systems and networks should receive adequate training in computer security. Proper training on the secure disposal of customer information is also essential.
The law further mandates that financial institutions regularly monitor their service providers (also called vendors). Service providers should be evaluated based on the risks they present, and organizations should ensure that service providers maintain adequate security measures for data protection.
Covered entities are required to prepare a written incident response plan designed to respond to and recover promptly from any security event materially affecting the confidentiality, integrity, or availability of customer information. This incident response plan shall include:
Maintaining and ensuring GLBA compliance is critical for any financial institution that manages NPI.
Safeguard your customers’ NPI and meet compliance with Data Security Posture Management (DSPM), an integration of Securiti Data Command Center. Our DSPM solution enables organizations to discover cloud-native and shadow data assets via more than 200 data connectors, classify sensitive data across the environment, enhance security posture, enhance access controls to sensitive data, automate privacy functions, and protect the complete lifecycle of data.
Interested in learning more? Schedule a demo.