If you provide financial products or services to consumers, you need to comply with the GLBA. We've put together this GLBA compliance reports checklist to help you meet the regulatory requirements.
Network Security and Administration ExpertUpdated: July 31, 2023
The Gramm-Leach Bliley Act (GLBA) or the Financial Services Modernization Act as it’s also known, has played a massive role in changing how financial institutions manage sensitive information.
The GLBA was a US law passed in 1999 that regulated how financial institutions must protect sensitive consumer information. At the time, the GLBA was created to repeal the Glass-Steagall Act of 1933, which prohibited commercial banks from offering additional financial services like insurance.
Once the act was passed, personal data such as names, addresses, and credit history would have to be kept private. Organizations become responsible for implementing measures to maintain the privacy of customer data.
Under the law financial institutions had an obligation to notify customers how their non-public personal information (NPI) is shared, what data they collect, and who they share this data with. In addition, customers would also have the right to choose whether they want their NPI to be shared.
Beyond these external obligations, financial institutions are also required to implement internal safeguards to protect consumer data from falling into the wrong hands. Safeguards include “prevention and response measures for attacks, intrusions, and other systems failures.”
Generally, these measures are cybersecurity best practices like firewalls and encryption alongside specific tools like network intrusion detection systems. Creating a custom security plan is also required to detail the steps an organization will take to secure their customers’ information. For example, disposing of paper documents via shredding to prevent fraud.
Combating fraud is one of the core aims of the GLBA. The GLBA clearly states that institutions must have robust protections in place to prevent pretexting, a form of fraud where an unauthorized individual uses forged or stolen documents to gain access to personal information (we will look at these protections in more detail).
The GLBA is important not only because it set data handling standards but because it increased consumer rights. The act made it law that customers can access their NPI whenever they want increasing transparency between everyday consumers and financial institutions.
Customers could find out exactly how their data is used and who that data is shared with. The growth in transparency empowered consumers to choose how their data is handled and to opt-out of sharing information with third parties.
The law was also important because it confronted issues like fraud and pretexting head-on. The GLBA made it illegal for someone to try to gain access to protected data by imitating another individual or by deception. Likewise the spotlight on pretexting helped force financial institutions to take greater steps to protect personal data.
While fraud has always been a challenge in the finance industry the GLBA highlighted challenges and put forward a modernized approach for addressing these threats. Today that means fewer consumers falling victim to fraudsters.
The GLBA applies to financial institutions and any companies that offer financial products or services to consumers. In other words, a company that offers a financial product like a loan or insurance is subject to the requirements and needs to protect customer data from unauthorized access.
In practice, that means that any company that offers financial advice or tax advice is subject to GLBA restrictions. Even organizations that aren’t considered as financial institutions can fall under this umbrella. The rules are so expansive that even a retail business that issues a credit card will have to comply!
The penalties for non-compliance with the GLBA are unforgiving. Penalties range from fines to five years imprisonment. A financial institution can be fined $100,000 for each violation. If that wasn’t enough, officers and directors can also be fined up to $10,000 for each violation. The gravity of the penalties for non-compliance can have devastating financial and legal consequences.
These measures are strictly enforced. Just recently, Venmo and PayPal Inc. were alleged to have violated customer protection laws and had to reach a settlement with the Federal Trade Commission.
Beyond the legal penalties, non-compliance can significantly damage a financial institution’s reputation. Companies that share data without permission and don’t take data protection seriously will inevitably lose existing as well as potential customers.
The GLBA is broken down into three sections. Each of these includes different requirements you must adhere to. These three sections are as follows:
The Privacy Rule states that you must notify customers about your privacy policies and protect the confidentiality of their data. A privacy notice must be shared with the customer the moment the relationship is established or the policy is changed.
The privacy notice must explain to the customer what information is collected, how that information is shared, who it is shared with, and how you’re protecting that information. The notice should also offer them the opportunity to opt-in or opt-out of sharing their personal data with third parties.
Furthermore, any time you plan to disclose a customer’s NPI you must also issue them with a privacy notice. It is necessary to issue annual privacy notices to make sure customers are kept updated on how you’re handling their data. Trying to maintain transparency between the customer and the institution is paramount here.
The Safeguards Rule outlines what measures you need to take to keep NPI secure. One of the most important elements of this rule is that financial institutions must develop a detailed written security plan that outlines how customer data will be protected. A generic security plan won’t do, so institutions need to run a risk assessment to find specific vulnerabilities.
The security plan itself needs to contain a number of components:
These measures are intended to be applied on a case by case basis. The most important thing is to implement safeguards that are in accordance with your own circumstances. It is essential to apply general best practices like data encryption to protect customer data in transit.
It is critical to note that financial institutions are also responsible for ensuring that any third-party service providers implement the necessary procedures to protect customer data. If you work with a company that doesn’t have adequate protection in place then you could be vulnerable to non-compliance.
Finally, you must report data breaches to the customer ASAP. There are many software products with incident response features that can help you to detect data breaches and respond.
The Pretexting Provisions are a list of steps that organizations need to take to stop pretexting or social engineering. Pretexting is essentially a form of fraud where an individual impersonates another person to gain access to private information.
To prevent fraud, financial institutions are expected to implement safeguards such as employee training to prevent unauthorized access to NPI. Employee training is one of the top weapons you can use against pretexting. Educating an employee on the signs of pretexting enables them to raise the alarm if there is suspicious activity.
There is some crossover between the Safeguards Rule and Pretexting Provisions in that organizations must create a cybersecurity plan and monitor account activity to help detect fraud. The key is to be aware of pretexting and to implement measures to minimize the risk of impersonation and fraud.
Compliance reports have a critical role to play in demonstrating data protection. To protect your data you need to have a system that offers dashboards and reporting so that you can detect threats to customer data and act accordingly. If you don’t have the necessary visibility you won’t be able to identify threats and protect NPI before it’s compromised.
Many software platforms have reporting features designed with GLBA compliance in mind. In this section we’re going to look at some solutions you can use to create compliance reports:
SolarWinds Security Event Manager is a log management tool that can collect and analyze real-time log data to detect cyber attacks. It has anomaly detection and automated threat remediation so that the moment something suspicious has been spotted the program will start to find a solution.
Key Features:
SolarWinds Security Event Manager is a package of security tools that include a log manager, a SIEM, user activity tracking, and file integrity monitoring. The log management service in the package provides compliance auditioning features and the platform also implements compliance reporting. This is an on-premises software package.
There are 300-built in compliance reports designed specifically to comply with GLBA, PCI DSS, SOX, NERC CIP, and HIPAA regulatory requirements. You can even build custom reports if you need to watch out for specific threats. These reports can be scheduled and exported to make sure that they always reach the necessary employees in time.
This is a solution for large organizations. It is able to pull in log messages from all around the business, including operating systems, software packages, networks, and services. Centralized log management forms the basis of all of the functions of the package. This adapts to the specific standard with which you need to comply.
If you require a tool to help you find threats to NPI then SolarWinds Security Event Manager is a tool worth examining. SolarWinds Security Event Manager starts at a price of $4,665 (£3,540). There is also a 30-day free trial.
ManageEngine ADAudit Plus is a compliance auditing solution that helps companies to comply with GLBA, FISMA, PCI, HIPAA, and SOX regulations. The program allows you to monitor Successful Logon / Logoff, Unsuccessful Logon, RDP Logon, File Access, File Integrity Monitoring, Policy Changes in AD, Changes to Users, Groups & Permissions. Monitoring information like file access allows you to monitor for unauthorized users.
Key Features:
ManageEngine ADAudit Plus is a user bevaior analytics tool. The package relies on Active Directory as a reference source and so it also ensures the security of AD domains. The tool is not primarily an Active Directory management system – ManageEngine produces ADManager Plus for that.
The ManageEngine ADAudit Plus software comes with pre-configured reports for GLBA. There are over 200 report templates which you can generate or schedule for the future. There are also real-time alerts so that you are notified if data has been compromised. Real-time alerts help you to keep an eye on any changes or breaches that could mean you have to notify customers.
This system relies on Active Directory, so you need to e running Active Directory or Azure AD as your access rights manager. The software runs on Windows Server, Azure, or AWS. you can run the on-premises version with Azure AD and vice versa. An AWS installation connects to your Azure AD or on-premises AD.
There are four versions of ManageEngine ADAudit Plus: Free, Trial, Standard, and Professional. The Free version includes 25 workstations free. The Trial version is free for 30 days. The Standard version costs $595 with 200 plus audit reports. The Professional version starts at $945 and includes additional features like Group Policy Objects settings audit. You can download the 30-day free trial.
Protecting your customers from persistent cybercriminals and fraudsters is not easy. By taking the time to comply with GLBA requirements you will not only avoid the shame of paying hefty fines but also keep your customers safe. Fraud can have a devastating impact on consumers and by implementing safeguards you can make sure that your customers don’t fall victim to criminals
Going the extra mile to protect the data of your customers also shows that you are committed to maintaining their privacy. Gaining the confidence of customers is as much about showing that they can trust you with their data as it is about any fancy product you can offer them.
GLBA compliance reports will be a vital tool to help you to keep a close eye on your data protection strategy and to deal with vulnerabilities and breaches promptly. Embracing transparency with customers is essential for meeting the terms of GLBA.
Safeguard your reputation by taking a proactive approach to data protection making employees aware of security best practices and threats like pretexting to make sure that you’re never unprepared.
The Gramm-Leach-Bliley Act is written in three sections and each of these sections constitutes a “rule.” The three key rules of the GLBA are:
The easiest way to comply with GLBA is to get a data management tool that enforces data governance for GLBA.
There are four types of systems to consider in order to be compliant with GLBA: