What You Need to Know About the Gramm-Leach-Bliley Act
What do you need to know about the Gramm-Leach-Bliley Act (GLBA)?
Also known as the Financial Modernization Act of 1999, it requires U.S. financial institutions to protect consumers’ names, addresses, bank and credit card account numbers, and other personal information when providing financial products or services for personal, family or household use.
Many businesses are deemed ‘financial institutions’: notably banks, credit unions, insurance companies, and securities firms, but also debt collectors, real estate appraisers, check cashing businesses and mortgage brokers. Some retailers and automobile dealers that extend or arrange credit or issue credit cards are also on the list.
The Federal Trade Commission administers the Gramm-Leach-Bliley Act, and compliance is mandatory.
There are severe penalties for non-compliance: imprisonment for up to 5 years, steep fines or both. A financial institution can be fined up to $100,000 for each violation; officers and directors can be fined up to $10,000 for each violation.
Here’s a quick look at the three basic parts of the GLBA.
Financial companies must explain their information sharing practices to all customers – the kinds of information they collect and what types of businesses or companies they may share the information with. But they must also provide an opportunity for customers to opt out of this disclosure. It is the customers’ right to decide if they don’t want their information given to certain third parties.
Pretexting is when someone obtains personal information through false pretenses (for example, they use forged or stolen documents to obtain it). The Gramm-Leach-Bliley Act encourages financial institutions to implement safeguards to protect against pretexting.
Financial institutions must put safeguards in place that protect customers’ personal financial information. Since the GLBA applies to all information, whether in paper, electronic or other forms, safeguards would include firewalls and encryption software for electronic devices.
The financial institution must also have rules and procedures for securely destroying information. Disposal practices should be ‘reasonable and appropriate’, such as using document shredding so that private information cannot be read or reconstructed.
Here is a checklist of safeguards that financial institutions need to be aware of:
Develop a written information security policy.
Identify risks to customer data, and test and monitor safeguards. A security audit is recommended.
Train employees on best practices in secure document management and destruction, both in and out of the workplace.
Implement a document management policy that limits access to customer information, and tracks private information from generation and storage to destruction.
Select service providers that maintain safeguards and provide secure document shredding services. For example, outsource document destruction to a reliable provider with a secure chain of custody. For paper documents, the shredding company should provide locked containers, secure removal of documents, and on-site or off-site document shredding. There should be a range of shred size options available, and a certificate of destruction provided after every shred.
Securely dispose of electronic data as well. Speak to the document shredding company about hard drive destruction services.
Learn more about the Gramm-Leach-Bliley Act and other privacy laws and legislation that your company needs to be aware of.