Financial institutions, services providers and their affiliates constantly deal with customers’ personal and sensitive information. Yet many in the industry may not be aware of the legal requirements for handling or storing this information. How should they collect and handle sensitive information? The easy answer is “carefully.” However, there also are specific and technical requirements imposed by federal and state laws that need to be followed.
The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions, services providers and their affiliates – companies, regardless of size, that offer consumers financial products or services like loans, financial or investment advice, or insurance – to provide clear notice of their information sharing practices and to provide safeguards for that information. These companies include many that are not traditionally considered financial institutions, such as, but not necessarily limited to:
- Non-bank mortgage lenders/brokers
- Financial or investment advisers
- Debt collectors
- Professional tax preparers
- Real estate settlement service providers and appraisers
- Check cashing businesses
- Payday lenders
- Personal property or
- Retailers that issue branded credit cards
- Courier services
The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), created under the GLBA to drive implementation of GLBA requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.
There are 3 major elements to the GLBA that are designed to protect consumers’ nonpublic personal information from disclosure: The Financial Privacy Rule, The Safeguards Rule, and Pretexting Protection.
The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information. This rule applies to companies, regardless of industry type, who receive such information. It protects nonpublic personal information (NPI), which is defined as financial information collected by a financial institution in connection with providing a financial product or service.
The Safeguards Rule requires companies to take steps to protect their customers’ information. The law requires financial firms to create a written information security plan that outlines their strategy for protecting customer/consumer information. The company must implement reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The security measures will be commensurate with the size of the company, the scope of the activities, the sensitivity of the information in question, and the risk of data loss.
Elements of the Safeguards Rule:
- Assign an individual who will be responsible for developing, implementing, and maintaining the information security program
- Perform a risk assessment to identify foreseeable internal/external security risks to the information
- Design an information security program that mitigates the risks identified in the risk assessment activity and continually monitor and assess the effectiveness of the program
- Perform regular employee data security training
- Analyze and modify the security program as needed based on the regular assessment of the effectiveness of the security program
Pretexting, also known as social engineering, is a method by which someone pretends to be someone else in order to extract sensitive information from unsuspecting victims. GLBA encourages organizations to implement robust employee training programs to combat pretexting. The reason behind this rule is that bad actors, while pretending to be a legitimate customer of a financial institution, will frequently contact the organization to get more information about the customer they’re pretending to be.
Penalty for non-compliance
GLBA calls for severe civil and criminal penalties for noncompliance, including fines and imprisonment. If a financial institution violates GLBA:
- The institution will be subject to a civil penalty of not more than $100,000 for each violation
- Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
- The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both
Maintaining compliance with regulations like GLBA is never done. Even after the auditors leave, you must continuously monitor and maintain your controls to satisfy the stringent requirements of regulations and security frameworks. A key challenge in all of this is keeping your security monitoring capabilities up to date to detect the latest threats and adapt to changes in your network and infrastructure.
Join Advent Services to learn best practices for maintaining compliance:
- Practical steps to implement continuous monitoring
- Ongoing asset discovery & vulnerability scanning
- Automated log collection, analysis, & event correlation
- Integrating real-time threat intelligence
- How the right solutions simplify and automate continuous security monitoring
No matter which Advent security solution you choose, our Cybersecurity specialists will apply proven processes and common controls frameworks to identify potential vulnerabilities. At the completion of any engagement, you will receive a detailed report combined with a comprehensive consultation to ensure your key staff members understand:
- Your current compliance posture.
- Recommended steps for improving compliance.
- Additional considerations that may require attention in the future.
Protection and security of customer data is our first and foremost priority. Advent offers premier services, ranging from the Security Risk Assessment through final implementation of safeguard measures for our clients.
Not only do we offer best-in-class insight, identification of gaps leading to cyber attack, and remediation guidance – Advent excels in delivery, with premier speed and accuracy in implementing critical protection measures. Our best-practice expertise includes:
- Cybersecurity Risk Management
- GLBA Compliance
- Risk Assessments
- Security Audits
- Physical, Administrative, & Technical Assessment
- Penetration Testing
- Documentation of Risk Factors and Mitigation Plans
- Identification of Ideal Solutions and Negotiation with Vendors: balancing cost and security for our clients
- Implementation of Endpoint, Network, and Server Security
- Ongoing Unified Threat Management
- Security Awareness Training
- Ongoing Compliance & Security Monitoring
- Security Information and Event Management
- Device Security (Apple, Windows, Mobile devices)
- Security Policies & Procedures
- Security Controls Implementation & Assessments
- Incident Response
- Vulnerability Assessments
- Intrusion Detection & Behavioral Monitoring