The GLBA, or Gramm-Leach-Blilely Act, was passed in 1999 and provided guidelines around data sharing and data protections that financial institutions were required to follow. While the GLBA did not come with a compliance checklist, it did come with three rules that companies are required to follow, the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions.
GLBA Compliance Checklist for the Privacy Rule
The GLBA privacy rule relates to how a financial institution uses the data of its customers, and its requirements to inform them of what that data is used for. This includes the ability of customers to opt out of certain data sharing practices if they choose to. To ensure compliance with this part of the GLBA, companies should:
Provide Customers with a Clear Privacy Policy and Inform them of any Updates
The policy needs to clearly state the types of information collected, why it’s collected, and what companies or organizations the information is shared with. It’s not enough just to have one, the privacy policy must be readily available and easily accessible for customers.
In addition, you must ensure that customers agree to this privacy policy before collecting any information. Customers should also be made aware of what information is being shared when a transaction is completed. Any update to the policy should also be made clear to customers.
Opt-Out Choice
If your organization shares or sells data to a non-affiliated third party, customers must receive a simple way to opt-out of this data sharing.
Train Employees on the Customer Privacy Policies
Everyone in the organization should be aware of the privacy policy, but this is most important for those who regularly interact with customers or their data. Ignorance of the policy will not hold up in a lawsuit, and education will help your employees stay compliant.
Review the Privacy Policy at Regular Intervals
Data collection, storage, and sharing practices evolve regularly, and it’s good practice to bring your privacy policy in line with these developments.
While less frequent, rules around the GLBA do change, including on June 9, 2023. When these rule changes occur, it’s important to review them and update your privacy policy to stay in line as needed.
GLBA Compliance Checklist for the Safeguard Rule
The Safeguard Rule largely applies to how companies protect their data internally and from external threats. It essentially provides the baseline for your organization’s data security in relation to your customers’ information. Companies should follow these steps, along with their standard data security practices, to ensure compliance to the GLBA Safeguard Rule.
Appoint a Security Officer(s) to Oversee the Program
While many financial organizations already run a robust data security organization, it’s also important to have a qualified individual leading the privacy program for customer data. The officer or team in charge can help develop and implement the security programs needed to stay compliant with the GLBA.
Conduct an Initial Risk Assessment and Periodic Risk Assessment Checks
Included in this risk assessment should be an identification of the type of customer data kept, who it’s shared with, and the processes in place to keep it secure. Once you have this information, you can design a security policy that safeguards it best.
To keep this robust, periodic assessment checks should be done to identify any new gaps in security, or to update the policy if new information is being gathered, or if the way information is being used has changed.
Develop and Implement a Security Policy, with Regular Monitoring and Tests
Using this information, and under the guidance of the security officer, a thorough security program should be designed and implemented. This should be bolstered by regular monitoring of the policy, and rigorous testing to ensure that any holes in the policy are found and fixed before a malicious actor does so.
Institute Data Security and Privacy Agreements with any Third party Vendors
Any outside organization that you authorize to use the data needs to follow the same privacy and security standards you hold in your own company. This can be enshrined in a contractual agreement, and best practices would include regular monitoring of the vendor, as well as due diligence in their selection.
GLBA Compliance Checklist for the Pretexting Rule
The pretexting part of the GLBA regulations largely deals with protecting customers from identity fraud. It sets out guidelines institutions need to follow to prevent access to their customers’ data from an unauthorized person. To help employees spot and prevent cases of identity fraud and stay in line with GLBA compliance, it’s important to follow each part of this checklist.
Multi-Factor Authentication for Customers and Employees
One of the easiest and most effective ways to prevent unauthorized access, internally or externally, remains multi factor authentication. Customers and employees who have access to customer data should have this implemented to curtail unauthorized access.
Data Access Controls
The fewer people that can access data, the more secure it is. Limiting access internally, based on which employees truly need access to customer data, reduces entry points for malicious actors, making your company and customers safer.
Regular Security Training
A regular and robust security training program for employees will help them identify and prevent data fraud attempts. Pretexting comes in many forms, and the more employees know about these various forms, the better.
Included in this training should be phishing and pretexting attempts from your internal security team. These will help your employees in learning how to identify them, and will provide avenues for further training.
Constant Monitoring and Detection
The best defense in the data world is often a proactive offense. Using monitoring and detection software, best if powered by AI, can help to detect and identify malicious activity before it reaches a customer or employee.
Response Plans
Even the best security plans can run afoul at times. In these cases, it’s tantamount to have an incident response plan ready. The longer a breach goes on, the more expensive and damaging it becomes. Knowing what to do immediately after you detect a breach or attack helps shorten down time and protect your company’s and its customers’ assets.
Industries where GLBA Compliance is Necessary
While financial institutions are the most heavily impacted by GLBA regulations, any company that engages in financial activities must also follow these regulations. Companies and professions that fall under GLBA regulations include:
- Banks
- Insurers
- Brokerage Firms
- Accountants
- ATM Operators
- Car Rental Companies
- Courier Services
- Credit Reporting Companies
- Credit Unions
- Debt Collectors
- Financial Advisory Firms
- Hedge Funds
- Non-bank Mortgage Lenders
- Payday Lenders
- Property Appraisers
- Real Estate Firms
- Retailers
- Stockbrokers
- Tax Preparers
- Universities
While many similar regulations include a size requirement, the GLBA notably does not. If your business is “significantly engaged” in financial products or services, following the GLBA regulations is a requirement.
Ensure GLBA Compliance with Shred Nations
Shred Nations offers a number of services that help companies stay in compliance with GLBA regulations. From shredding documents outside of their retention period, to secure and encrypted document management systems, Shred Nations partners can help businesses of any size navigate federal, state, and local regulations around data privacy. Give us a call at (800) 747-3365, or fill out the form on the page, and we’ll find you a Shred Nations partner that fits your data privacy needs.