GLBA Non-Public Personal Information – Explained

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

According to statistics, financial institutions have faced a staggering 2,260 data breaches since 2018, impacting more than 232 million records.

The financial industry is one of the most impacted industries in the world when it comes to cybersecurity incidents and data breaches. The type of data that financial institutions manage involves confidential information, such as an individual’s bank account number, credit card number, etc. Concerned authorities have developed numerous regulations and industry standards to protect this highly sensitive data. One such regulation that financial institutions must adhere to is the Gramm-Leach-Bliley Act (GLBA).

The GLBA has covered the customers’ financial data under the definition of Non-Public Personal Information (NPI) and established various data privacy and security provisions to safeguard its confidentiality, availability, accessibility, and integrity.

Read on to learn more about what the GLBA’s Non-Public Personal Information definition covers and some of the privacy and security measures the act stipulates.

Quick Overview of the Gramm-Leach-Bliley Act

Formerly known as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) was established to govern financial institutions or services. The law mandates that financial institutions clarify their procedures and practices for collecting, processing, and sharing customer data, commonly called non-public personal information (NPI). Organizations must inform customers about their information-sharing practices, their right to “opt-out” if they do not want to share their information with any third party, and the security measures in place to protect customer data.

The law is structured into three categories, giving organizations a comprehensive framework for understanding the provisions and implementing them efficiently. The Financial Privacy Rules require transparency and give customers the right to opt out. The Safeguards Rule requires organizations to establish and implement information security programs, while the Pretexting Provisions call for employee training and security measures to prevent threats like social engineering or phishing.

To ensure compliance, organizations must clearly understand what type of data is required to be safeguarded. Therefore, learning more about the GLBA’s non-public personal information definition and the types of information it covers is essential.

Who is Protected Under GLBA?

Consumers

A "consumer" is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes or that person's legal representative. The term "consumer" does not apply to commercial clients like sole proprietorships.

Customers

"Customers" are a subclass of consumers who have a continuing relationship with a financial institution. It's the nature of the relationship - not how long it lasts - that defines whether a person is a customer or a consumer.

Definition of Non-Public Personal Information (NPI) Under GLBA

NPI is defined under the law as generally personally identifiable financial information that is not publicly available and that:

  • a consumer provides to a financial institution to obtain a financial product or service from the institution;
  • results from a transaction between the consumer and the institution involving a financial product or service; or
  • a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Moreover, NPI includes “lists, descriptions, or grouping of consumers (and publicly available information pertaining to them)” created using NPI.

NPI does not include information that a financial institution or covered entity has a reasonable basis to believe is lawfully made "publicly available." A covered entity must determine whether:

  • The information is generally made lawfully available to the public, and
  • The individual can stop the information from being made public and has not done so themselves.

Here are some of the common examples of non-public personal information:

  • Names
  • Phone numbers
  • Addresses
  • Social Security Numbers
  • Credit and Income Histories
  • Credit and Bank Account Numbers

Privacy & Security Measures to Protect NPI

Given that financial institutions deal with a high volume of such highly sensitive data, it is paramount for organizations to set up robust privacy and security controls to enable data protection and ensure compliance. To achieve that objective, financial organizations must gain a complete understanding of the Financial Privacy Rules, Safeguards Rule, and Pretexting provisions as provided under the GLBA and implement them.

Let’s take a quick look at some of the most important provisions outlined across these three categories.

Privacy Notice

In the case of a ‘consumer,’ the only time a financial institution must give a consumer a privacy notice is if the financial institution wants to share the consumer’s NPI with a nonaffiliated third party. In that case, the financial institution must provide the consumer with a privacy notice with information about how to opt out from information sharing before the financial institution shares any information. If the consumer does not exercise the opt-out right, the financial institution is free to share the consumer’s NPI with nonaffiliated third parties.

In the case of a customer, as they have an ongoing relationship with a financial institution, the financial institutions must provide an initial privacy notice at the start of the customer relationship and subsequently provide annual privacy notices. The privacy notice shall inform how organizations collect, disclose, and safeguard NPI. The notice must be presented in a clear and conspicuous manner and should include the following details:

  • The categories of persons with whom the information is or may be shared.
  • The financial institution’s policies and practices for sharing information about customers who cease to be their customers.
  • The type(s) of NPI that the financial institution collects.
  • How the institution protects the confidentiality and security of NPI.
  • An explanation of the opt-out right and the methods for opting out.
  • Any other information required under section 603(d)(2)(A) of the Fair Credit Reporting Act (FCRA).

Information Sharing

If the financial institution shares customers’ NPI with any non-affiliated third parties, it should inform the customers about their right to opt-out. The opt-out notice can be presented either separately or as part of a comprehensive privacy notice, and it should be accessible to customers at least thirty (30) days before the sharing of their NPI.

In the case of an isolated consumer transaction, organizations may require that consumers make their opt-out decision before finalizing the transaction. Consumers and customers possessing the right to opt-out are free to exercise this right at any time. Upon receiving an opt-out request from existing consumers or customers, prompt compliance must be ensured, taking action as soon as reasonably possible.

There are instances where NPI may be shared without explicit consumer/customer permission. For example, NPI may be shared if the NPI is provided to a third party to perform services for the financial institution. In that case, the financial institution must inform the consumer about the information-sharing arrangement and that there is a confidentiality agreement protecting the information between the financial institution and the nonaffiliated third party.

Security Measures

The law stipulates that there must be a written security plan which complements the size and complexity of the covered entity’s business as well as the nature and scope of its activities, and the sensitivity of the customer information it handles. Covered entities are provided flexibility to implement safeguards appropriate to their own circumstances, but each company must:

  • Designate one or more employees to coordinate its information security program.
  • Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Design and implement a safeguards program and regularly monitor and test it.
  • Select service providers that can maintain appropriate safeguards, ensure your contract requires them to maintain safeguards, and oversee their handling of customer information.
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the organization’s business or operations or the results of security testing and monitoring.

Risk Assessment

As part of the security program, the organization must conduct comprehensive risk assessments to identify and mitigate risks to the confidentiality, integrity, and availability of the data. Organizations must also evaluate their security program periodically. Periodic evaluations of the risk assessment and security program enable organizations to identify and mitigate emerging threats.

Staff Training

In financial institutions, the efficacy of security programs relies heavily on employees who play a key role in implementing regulations. To enhance the security program's effectiveness, employees should undergo training programs and refreshers to identify potential risks. Training initiatives should cover recognizing and responding to fraud or identity theft scams, including guarding against pretext attacks. Additionally, staff responsible for computer systems and networks should receive adequate training in computer security. Proper training on the secure disposal of customer information is also essential.

Monitoring Third Parties

The law further mandates that financial institutions regularly monitor their service providers (also called vendors). Service providers should be evaluated based on the risks they present, and organizations should ensure that service providers maintain adequate security measures for data protection.

Security Incident Response Plan

Covered entities are required to prepare a written incident response plan designed to respond to and recover promptly from any security event materially affecting the confidentiality, integrity, or availability of customer information. This incident response plan shall include:

  • The goals of the incident response plan;
  • The internal processes for responding to a security event;
  • The definition of clear roles, responsibilities, and levels of decision-making authority;
  • External and internal communications and information sharing;
  • Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
  • Documentation and reporting regarding security events and related incident response activities; and
  • The evaluation and revision as necessary of the incident response plan following a security event.

Protect Customer NPI with Securiti Data Security Posture Management

Maintaining and ensuring GLBA compliance is critical for any financial institution that manages NPI.

Safeguard your customers’ NPI and meet compliance with Data Security Posture Management (DSPM), an integration of Securiti Data Command Center. Our DSPM solution enables organizations to discover cloud-native and shadow data assets via more than 200 data connectors, classify sensitive data across the environment, enhance security posture, enhance access controls to sensitive data, automate privacy functions, and protect the complete lifecycle of data.

Interested in learning more? Schedule a demo.
