According to breach statistics cited by the industry, financial institutions have suffered 2,260 data breaches since 2018, affecting more than 232 million records.
The financial industry is one of the most heavily targeted industries in the world when it comes to cybersecurity incidents and data breaches. The data that financial institutions handle is confidential by nature: bank account numbers, credit card numbers, credit histories, and similar information. Regulators have developed numerous regulations and industry standards to protect this highly sensitive data. One such regulation that financial institutions in the United States must adhere to is the Gramm-Leach-Bliley Act (GLBA).
The GLBA brings customers' financial data under the definition of Nonpublic Personal Information (NPI) and establishes privacy and security provisions to safeguard its confidentiality, integrity, and availability.
Read on to learn more about what the GLBA’s Non-Public Personal Information definition covers and some of the privacy and security measures the act stipulates.
Quick Overview of the Gramm-Leach-Bliley Act
Also known as the Financial Services Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) was enacted to govern financial institutions and the financial services they offer. The law requires financial institutions to explain their practices for collecting, using, and sharing customer data, referred to in the act as nonpublic personal information (NPI). Institutions must tell customers how their information is shared, that they have the right to "opt out" of having their information shared with nonaffiliated third parties, and what security measures are in place to protect their data.
The law's privacy and security requirements fall into three parts, which gives organizations a framework for understanding and implementing the provisions. The Financial Privacy Rule requires transparency about data-sharing practices and gives consumers the right to opt out. The Safeguards Rule requires organizations to establish and maintain a written information security program. The pretexting provisions prohibit obtaining customer information under false pretenses, which is why employee training and controls against social engineering and phishing are part of a GLBA compliance program.
To ensure compliance, organizations must clearly understand what type of data is required to be safeguarded. Therefore, learning more about the GLBA’s non-public personal information definition and the types of information it covers is essential.
Who is Protected Under GLBA?
Consumers
A "consumer" is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes or that person's legal representative. The term "consumer" does not apply to commercial clients like sole proprietorships.
Customers
"Customers" are a subclass of consumers who have a continuing relationship with a financial institution. It's the nature of the relationship - not how long it lasts - that defines whether a person is a customer or a consumer.
NPI is defined under the law as personally identifiable financial information that is not publicly available and that:
- a consumer provides to a financial institution to obtain a financial product or service from the institution;
- results from a transaction between the consumer and the institution involving a financial product or service; or
- a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
Moreover, NPI includes any "list, description, or other grouping of consumers (and publicly available information pertaining to them)" that is derived using NPI.
NPI does not include information that a financial institution has a reasonable basis to believe is lawfully made available to the general public. To have that reasonable basis, the institution must have taken steps to determine:
- that the information is of a type that is lawfully made available to the general public, and
- whether the individual can direct that the information not be made available to the general public and, if so, that the individual has not done so.
Here are some common examples of data elements that constitute NPI when a financial institution obtains them in connection with providing a financial product or service and they are not otherwise publicly available:
- Names
- Phone numbers
- Addresses
- Social Security Numbers
- Credit and Income Histories
- Credit and Bank Account Numbers
Privacy & Security Measures to Protect NPI
Given that financial institutions handle a high volume of such sensitive data, organizations must set up robust privacy and security controls to protect it and to demonstrate compliance. To do that, financial organizations need a complete understanding of the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions of the GLBA, and they must implement them.
Let's take a quick look at some of the most important provisions across these three parts.
Privacy Notice
In the case of a ‘consumer,’ the only time a financial institution must give a consumer a privacy notice is if the financial institution wants to share the consumer’s NPI with a nonaffiliated third party. In that case, the financial institution must provide the consumer with a privacy notice with information about how to opt out from information sharing before the financial institution shares any information. If the consumer does not exercise the opt-out right, the financial institution is free to share the consumer’s NPI with nonaffiliated third parties.
In the case of a customer, because there is an ongoing relationship with the financial institution, the institution must provide an initial privacy notice when the customer relationship is established and then provide an annual privacy notice for as long as the relationship continues. The privacy notice must explain how the organization collects, discloses, and safeguards NPI. It must be clear and conspicuous and should include the following details:
- The categories of NPI that the financial institution collects and discloses.
- The categories of affiliates and nonaffiliated third parties to whom the information is or may be disclosed.
- The financial institution's policies and practices for sharing information about former customers.
- How the institution protects the confidentiality and security of NPI.
- An explanation of the opt-out right and the methods for opting out.
- Any disclosures required under section 603(d)(2)(A) of the Fair Credit Reporting Act (FCRA), which concerns the sharing of information among affiliates.
If the financial institution shares customers' NPI with nonaffiliated third parties outside the rule's exceptions, it must notify customers of their right to opt out. The opt-out notice can be delivered separately or as part of the privacy notice, and customers must be given a reasonable opportunity to opt out before their NPI is shared. The rule's example of a reasonable opportunity is allowing 30 days after the notice is mailed before sharing begins.
In the case of an isolated consumer transaction, the institution may require the consumer to make the opt-out decision before completing the transaction. Consumers and customers who have the right to opt out may exercise it at any time. On receiving an opt-out request from an existing consumer or customer, the institution must comply as soon as reasonably practicable.
There are exceptions under which NPI may be shared without giving the consumer or customer an opportunity to opt out. For example, NPI may be disclosed to a nonaffiliated third party that performs services for the financial institution. In that case, the institution must disclose the arrangement in its privacy notice and must have a contract with the service provider that prohibits the provider from using or disclosing the information for any purpose other than the services it performs.
Security Measures
The Safeguards Rule requires a written information security program that is appropriate to the size and complexity of the covered entity's business, the nature and scope of its activities, and the sensitivity of the customer information it handles. Covered entities have flexibility to implement safeguards suited to their own circumstances, but each company must:
- Designate one or more employees to coordinate its information security program (the amended Safeguards Rule refers to this role as the "Qualified Individual").
- Identify and assess the risks to customer information in each relevant area of the company's operations and evaluate the effectiveness of the current safeguards for controlling those risks.
- Design and implement a safeguards program and regularly monitor and test it.
- Select service providers that can maintain appropriate safeguards, require them by contract to maintain those safeguards, and oversee their handling of customer information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the organization's business or operations and the results of security testing and monitoring.
Risk Assessment
As part of the security program, the organization must conduct a written risk assessment that identifies the internal and external risks to the confidentiality, integrity, and availability of customer information and assesses the sufficiency of the safeguards in place to control them. The assessment is not a one-time exercise: it must be reviewed and updated periodically so that emerging threats and changes in the business are identified and addressed.
Staff Training
In financial institutions, the effectiveness of the security program depends heavily on the employees who carry it out. Employees should receive security awareness training when they join and refresher training afterward so they can recognize and report potential risks. Training should cover recognizing and responding to fraud and identity theft scams, including guarding against pretexting attempts (for example, a caller posing as the customer or as a colleague to extract account details). Staff responsible for computer systems and networks need training in computer security that is adequate for their role, and all staff who handle customer information need training on its secure disposal.
Monitoring Third Parties
The law further requires financial institutions to oversee their service providers (often called vendors) on an ongoing basis. Service providers should be assessed according to the risk they present, and the institution should periodically verify that each provider maintains security measures adequate to protect the customer information it handles.
Security Incident Response Plan
Covered entities are required to establish a written incident response plan designed to promptly respond to, and recover from, any security event that materially affects the confidentiality, integrity, or availability of customer information in their control. The incident response plan must address:
- The goals of the incident response plan;
- The internal processes for responding to a security event;
- The definition of clear roles, responsibilities, and levels of decision-making authority;
- External and internal communications and information sharing;
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- Documentation and reporting regarding security events and related incident response activities; and
- The evaluation and revision as necessary of the incident response plan following a security event.
Protect Customer NPI with Securiti Data Security Posture Management
Maintaining GLBA compliance is critical for any financial institution that handles NPI, and it starts with knowing where that data lives.
Safeguard your customers' NPI and meet compliance obligations with Data Security Posture Management (DSPM), part of the Securiti Data Command Center. Our DSPM solution enables organizations to discover cloud-native and shadow data assets through more than 200 data connectors, classify sensitive data across the environment, improve security posture, tighten access controls to sensitive data, automate privacy functions, and protect data throughout its lifecycle.
Interested in learning more? Schedule a demo.