Gramm-Leach-Bliley Act: Get the Facts

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a U.S. federal law that repealed depression-era restrictions separating the businesses of banking, securities and insurance. It incorporates various kinds of consumer protections, including for the first time provisions addressing the privacy of nonpublic personal information. The privacy provisions, found in Title V of the Act, include essentially three different requirements: 1) the data security and safeguards requirement, which instructs the financial regulators to institute data security requirements establishing "administrative, technical, and physical safeguards" for the companies they regulate; 2) the privacy notice requirement, which requires financial institutions to give notice of their information sharing policies and an opportunity for customers to opt-out in certain circumstances; and 3) the pretexting provisions, which prohibit accessing customer information held at financial institutions using false pretenses.

What types of organizations are regulated under the GLB Act?

The privacy provisions of the Gramm-Leach-Bliley Act apply to financial institutions - a wide range of businesses that deal with financial information. Under the law, "financial institutions" include banks, securities firms and insurance companies, as well as many companies that provide financial products and services to consumers. Examples of these products and services include lending, brokering or servicing consumer loans, preparing individual tax returns, credit counseling, providing real estate settlement services and much more.

What does the Privacy Notice Rule require of financial institutions?

The Privacy Notice Rule governs the collection and disclosure of nonpublic personal information by financial institutions and the companies that receive such information. It requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. It also gives consumers the right to limit some sharing of their information.

What does the Data Security and Safeguards Rule require of financial institutions?

The Data Security requirement and Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions that receive the information.

The rule states that companies must develop a written information security plan describing their programs to protect customer information. The plan must be tailored to meet the specific needs of the company, taking into account its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:

Designate one or more employees to coordinate its information security program.
Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling those risks.
Design and implement an information security program, and regularly monitor and test it.
Select service providers that can maintain appropriate safeguards, ensuring that their contract requires them to maintain safeguards, and overseeing their handling of customer information.
Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring customer.

What is pretexting and how does the GLB Act protect consumers against it?

Pretexting is the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information. The GLB Act makes it illegal to:

Use false, fictitious or fraudulent statements or documents to obtain customer information from a financial institution or directly from a customer of a financial institution.
Use forged, counterfeit, lost or stolen documents to obtain customer information from a financial institution or directly from a customer of a financial institution.
Ask another person to obtain someone else's customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost or stolen documents.

How are the provisions of the GLB Act enforced?

Depending upon the financial institutions' supervisory authority, GLB Act compliance audits are conducted by the appropriate functional regulator, including the Office of the Comptroller of the Currency (OCC), the Federal Reserve Systems (Fed), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration, the Securities and Exchange Commission, the Federal Trade Commission and State insurance authorities.

Civil and criminal penalties for noncompliance include fines and even imprisonment, such as the following:

Civil penalties for businesses can include fines up to $100,000 for each violation
Officers and directors can be held personally liable for a civil penalty for up to $10,000 per violation
Criminal penalties may include up to five years in prison

Is the GLB Act applicable to data security?

CSIA believes that comprehensive federal legislation to ensure the security of personal information should set forth reasonable security measures based on widely-accepted industry standards, best practices or, where appropriate, existing federal law. The data security and safeguards provisions of the GLB Act should certainly be considered as a basis for information security measures mandated by future data security legislation.

Where can more information on the GLB Act be found?

The Federal Trade Commission (FTC) Website has a number of informative publications on the GLB Act. They are available by visiting: http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.