The Gramm-Leach-Bliley Act (GLBA), formally the Financial Services Modernization Act of 1999, requires financial institutions to safeguard customers' nonpublic personal information (NPI) and to be transparent about how they collect and share it.
NPI covers bank and tax records, address history, credit reports, stock transactions, investments, and much more, including metadata (data that describes other data and the relationships among it). GLBA also defines which parties are subject to the law and which kinds of transactions count as use of, or access to, this data.
Decades before the digital information age, in the wake of the Great Depression of the early 1930s, the Glass–Steagall Act (GSA, 1933) and later the Bank Holding Company Act (BHCA, 1956) sought to prevent another national economic meltdown by placing guardrails on certain types of financial institutions. The savings and loan crisis of the 1980s and early 1990s, however, underscored the need for revisions that reflected changes in modern financial practice and technology, and Congress began considering reforms to both laws.
In 1999 GLBA passed into law, repealing the GSA's restrictions on affiliations between banks and securities firms, amending the BHCA, and modernizing regulation of the US financial industry. Alongside that deregulation, Title V of the act introduced new policies and protections for consumers' personal information.
Three provisions of the 1999 law relate to privacy and data protection:
- The Financial Privacy Rule: financial institutions must disclose their privacy policies and practices to customers and allow customers to opt out of having their NPI shared with nonaffiliated third parties.
- The Safeguards Rule: financial institutions must maintain a written information security program that protects customer data from unauthorized access, use, or disclosure.
- The Pretexting provisions: obtaining customers' data under false pretenses or by fraudulent means is prohibited, whether the attempt comes from the institution itself, its agents, or outside parties.
In December 2021 the FTC published the first major revision of its Safeguards Rule since the rule was adopted in 2003; most of the new requirements took effect on June 9, 2023. The amended rule turns the original's general mandate into specific program elements, scaled to the risks and threats facing the business: a designated qualified individual who oversees the program, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, secure data disposal, logging and monitoring (or periodic penetration tests and vulnerability assessments where continuous monitoring is absent), a written incident response plan, and regular reporting to the board.
As with other industry governance standards, GLBA requirements span a number of domains specific to data security processes and implementation, such as access control, data destruction, incident management, personnel, and documentation. Complying with these directives means defining an information security management plan for your organization, settling questions such as risk tolerance, conducting scheduled reviews, building secure infrastructure, and enacting internal controls for identifying, classifying, and protecting customer information.