The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that requires financial institutions to act in a way that ensures the confidentiality and security of customers’ nonpublic personal information (NPI) and to explain how they share and protect that sensitive data.
To be GLBA compliant, financial institutions must communicate to their customers how they share customers’ NPI, inform customers of their right to opt-out, and apply appropriate data protections to customers’ NPI.
The GLBA’s primary data protection requirements are outlined in its Safeguards Rule. The Safeguards Rule requires financial institutions to store sensitive customer information securely and ensure its secure transmission, as well as maintain programs and implement audit procedures that prevent unauthorized access and improper disclosure.
The GLBA is specifically designed for organizations within the finance industry; however, it applies to many organizations that may not typically think of themselves as financial institutions. In fact, the Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, mortgage brokers, payday lenders, nonbank lenders, real estate appraisers, and professional tax preparers.
The Safeguards Rule also applies to third parties—such as ATM operators and credit reporting agencies—that receive customers’ NPI. Therefore, financial institutions are responsible for not only developing their own safeguards but must also ensure that their service providers and other third-party affiliates take the necessary steps to safeguard customers’ NPI while in their hands.
Aside from avoiding penalties and fines, the GLBA Safeguards Rule ultimately helps strengthen customer loyalty and trust by providing customers with the assurance that their sensitive data is protected at all times by the financial institution(s) with whom they choose to do business.
The GLBA Safeguards Rule is designed to benefit customers in a number of ways:
The GLBA Safeguards Rule requires that covered institutions create a written information security plan describing the measures taken to protect customers’ sensitive information. As part of this plan, covered institutions must:
Addressing compliance concerns extends beyond avoiding penalties and fines to also building more trusting client relationships that drive engagement and loyalty. Your reputation distinguishes your firm from the next, and without careful attention to client privacy and compliance, quite frankly, your reputation is at risk. A recent Deloitte survey indicates that 73% of consumers are more likely to be open to or neutral about sharing data if they are satisfied with privacy policies explaining how data is used. By simply educating consumers about how their data is used, you can earn clients’ trust.
Organizations that take a leading-edge approach to protecting NPI to meet GLBA compliance requirements have a crucial competitive advantage in today’s business landscape.
Standing up an information security program for the first time? Looking to mature your existing program? Download a free copy of our checklist to learn more about which data protection capabilities should be incorporated into your security strategy.
Learn how organizations throughout the mortgage supply chain should incorporate data protection capabilities into their security strategy to ensure compliance with the GLBA Safeguards Rule.