The purpose of this guide is to provide you with a thorough understanding of GLBA as well as tips for ensuring compliance with your organization.
- What Is The GLBA?
- Who Does The GLBA Apply To?
- What Does GLBA Protect?
- Which Regulators Have GLBA Responsibility?
- Regarding GLBA, What Does PSI Mean?
- Regarding GLBA, What Does NPI Stand For?
- How Long Can You Hold Personal Data For Under GLBA?
- What Does GLBA Have To Do With Information Security?
- Centralized Logging For GLBA
The GLBA stands for the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999. The law regulates how financial institutions handle customers' personal and financial information in the United States. GLBA requires financial institutions to explain their information-sharing practices to their customers and give them the opportunity to opt out of certain kinds of sharing. To protect customer information, the GLBA also requires financial institutions to implement information security programs, which should include administrative, technical, and physical safeguards.
In the United States, the GLBA applies to a wide variety of financial institutions. Among these are:
- Banks and other depository institutions, such as savings and loan associations and credit unions.
- Companies that deal in securities, such as broker-dealers, investment advisers, and mutual funds.
- Any insurance company that offers certain financial products, such as annuities.
Federally chartered and state-chartered financial institutions are all subject to the GLBA. Also covered by the law are non-bank companies that are "significantly engaged" in offering financial products or services, such as retailers that issue credit cards or extend loans, mortgage brokers, tax preparers, and debt collectors.
It is pertinent to note that the GLBA applies to financial institutions doing business in the United States regardless of whether they are owned by foreign entities or also operate outside the country. It is also worth noting that insurance providers are not exempt from the GLBA; rather, the Act assigns their supervision to state insurance authorities instead of the federal agencies listed below, so the specific privacy and safeguards requirements an insurer faces come from its state regulator.
The GLBA aims to protect the privacy and security of financial institutions' customers' personal and financial information.
What Are The Three Arms of GLBA?
There are three main "arms" of the GLBA that financial institutions must adhere to:
Under the Privacy Rule, financial institutions must provide their customers with a privacy notice that explains their information-sharing practices and, where the institution shares NPI with nonaffiliated third parties outside the Act's exceptions, offers them the option to opt out. The notice must be provided at the beginning of the customer relationship and annually thereafter; since the 2015 amendment to the Act, institutions that do not share NPI beyond the permitted exceptions and whose practices have not changed are relieved of the annual notice.
In accordance with the Safeguards Rule, financial institutions are required to develop, implement, and maintain a comprehensive information security program that reflects the size and complexity of their operation and the sensitivity of the customer information they handle.
Under the Pretexting Provisions of the GLBA, it is unlawful for any person to obtain, or attempt to obtain, customer information from a financial institution by false pretenses, whether by lying to the institution or to the customer. In practice, regulators expect financial institutions to maintain policies and procedures designed to prevent pretexting, and to train their employees to recognise and refuse such requests.
The following are the main regulators responsible for GLBA:
The Federal Reserve System is responsible for state-chartered banks that are members of the Federal Reserve System, as well as bank holding companies and foreign banks with U.S. operations.
The Federal Deposit Insurance Corporation (FDIC) has GLBA responsibility for state-chartered banks that are not members of the Federal Reserve System and are insured by the FDIC.
The Office of the Comptroller of the Currency (OCC) has GLBA responsibility for national banks and federal savings associations.
The National Credit Union Administration (NCUA) has GLBA responsibility for federally chartered credit unions.
The Securities and Exchange Commission (SEC) has GLBA responsibility for securities firms, including broker-dealers, investment advisers, and mutual funds.
The Commodity Futures Trading Commission (CFTC) also has GLBA responsibility for futures commission merchants, commodity trading advisors, commodity pool operators, and introducing brokers.
And lastly, the Federal Trade Commission (FTC) has GLBA responsibility for financial institutions not supervised by another federal agency, such as non-bank lenders, mortgage brokers, and retailers that extend credit; the FTC's Safeguards Rule (16 CFR Part 314) is the one most non-bank institutions must follow. Insurance providers are overseen by the insurance authorities of the states in which they operate.
"PSI" is not a term defined by the GLBA or its implementing rules, and there is no acronym of that name in the Act; the concept people usually have in mind is the Act's pretexting provisions, which prohibit obtaining customer information from a financial institution by false pretenses. What the Safeguards Rule does require is that an institution's information security program address the risks its customer information faces, which in practice means including measures that detect and prevent pretexting and other social engineering attacks.
NPI stands for "Nonpublic Personal Information." In the context of the GLBA, NPI is any personally identifiable financial information that a financial institution obtains about a consumer in connection with providing a financial product or service, whether supplied by the consumer, resulting from a transaction, or otherwise collected, and that is not publicly available. Examples include names, addresses, Social Security numbers, bank account numbers, credit card numbers, account balances and transaction histories, and any list or grouping of consumers derived from such information.
The GLBA itself does not specify a retention period for personal data, but it does require financial institutions to dispose of customer information properly once it is no longer needed for business purposes, and to maintain policies and procedures that ensure such disposal. The amended FTC Safeguards Rule (16 CFR 314.4(c)(6)) goes further for institutions under FTC jurisdiction: customer information must be disposed of no later than two years after the last date it was used in connection with providing a product or service to the customer, unless it is still needed for business operations, must be retained by law or regulation, or targeted disposal is not reasonably feasible given how the information is stored.
In order to protect customer information, the GLBA requires financial institutions to implement and maintain a comprehensive written information security program. In addition, financial institutions must designate a person to oversee the program (the amended FTC Safeguards Rule calls this the "Qualified Individual") and to update it in response to changes in technology, business operations, and the risks to customer information identified in the institution's risk assessment.
A centralized logging system can support information security and help financial institutions comply with the GLBA. Having logs from various systems and devices centralized allows financial institutions to detect potential security incidents, such as unauthorized access or attempted attacks, more easily. This can help financial institutions detect and respond to security incidents more quickly and effectively, which is a key component of the GLBA's information security requirements.
Additionally, centralized logging can assist financial institutions in meeting other information security and privacy regulations, such as those outlined in the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
According to 2.M.7, it is essential to centralise logs. Financial institutions are responsible for ensuring that logs from all relevant systems are collected centrally and normalised into a common format, and that controls are in place and demonstrably working so that gaps in logging (a source that silently stops reporting, or clocks that drift so events cannot be ordered) are detected rather than discovered during an investigation.
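As an added illustration of the two points above (this is example code written for this guide, not part of the original page and not Logit.io product code), the following script normalises log lines from two constructed sources into one schema with UTC timestamps, then runs two checks a compliance team would want from a central log store: a logging-gap check per source, and a detection for repeated authentication failures followed by a success from the same address. The hostnames, users, IP addresses and local time zone offset are all assumptions made for the sample.

```python
"""Normalise logs from several sources, then check for logging gaps and
for failed-then-successful logins. Example code; sample lines are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: a syslog-style auth log (local time, no year, no
# offset) and an application log (ISO 8601 with offset). All names are invented.
SAMPLE_LOGS = {
    "auth": [
        "Mar 11 08:00:01 core-db1 sshd[211]: Failed password for admin from 203.0.113.5 port 5021 ssh2",
        "Mar 11 08:00:04 core-db1 sshd[211]: Failed password for admin from 203.0.113.5 port 5022 ssh2",
        "Mar 11 08:00:07 core-db1 sshd[211]: Failed password for admin from 203.0.113.5 port 5023 ssh2",
        "Mar 11 08:00:09 core-db1 sshd[211]: Accepted password for admin from 203.0.113.5 port 5024 ssh2",
        "Mar 11 08:31:00 core-db1 sshd[215]: Accepted publickey for ops from 10.0.0.8 port 6000 ssh2",
    ],
    "app": [
        "2024-03-11T08:00:00-05:00 INFO  loanapp  customer_lookup ok",
        "2024-03-11T08:00:30-05:00 INFO  loanapp  customer_lookup ok",
        "2024-03-11T08:45:00-05:00 INFO  loanapp  customer_lookup ok",
    ],
}

# Assumption: the syslog host runs in UTC-5 and the lines are from 2024.
AUTH_LOCAL_TZ = timezone(timedelta(hours=-5))
AUTH_YEAR = 2024

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?)\[\d+\]: (.*)$")
ISO_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def normalise(source: str, line: str) -> dict:
    """Map one raw line onto a common schema: ts (aware, UTC), source, host, message."""
    if source == "auth":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsed {source} line: {line!r}")
        local = datetime.strptime(f"{AUTH_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = local.replace(tzinfo=AUTH_LOCAL_TZ)
        return {"ts": ts.astimezone(timezone.utc), "source": source,
                "host": m.group(2), "message": m.group(4)}
    m = ISO_RE.match(line)
    if not m:
        raise ValueError(f"unparsed {source} line: {line!r}")
    ts = datetime.fromisoformat(m.group(1))  # offset is carried in the string
    return {"ts": ts.astimezone(timezone.utc), "source": source,
            "host": m.group(3), "message": m.group(4)}


def logging_gaps(events: list[dict], max_silence=timedelta(minutes=15)) -> list[tuple]:
    """Per source, return (source, silence_start, silence_end) for every interval
    between consecutive events that exceeds max_silence."""
    by_source: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e["ts"])
    gaps = []
    for src, times in by_source.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_silence:
                gaps.append((src, earlier, later))
    return gaps


def failed_then_success(events: list[dict], threshold=3, window=timedelta(minutes=5)) -> list[dict]:
    """Flag a (user, source IP) pair whose successful login follows at least
    `threshold` failures within `window`: the classic password-guessing pattern."""
    failures: dict[tuple, list[datetime]] = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        m = FAILED_RE.search(e["message"])
        if m:
            failures[m.groups()].append(e["ts"])
            continue
        m = ACCEPTED_RE.search(e["message"])
        if m:
            key = m.groups()
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": key[0], "src_ip": key[1],
                               "failures": len(recent), "success_at": e["ts"]})
    return alerts


def analyse(logs: dict[str, list[str]] = SAMPLE_LOGS) -> dict:
    """Normalise every line, sort by UTC time, and run both checks."""
    events = [normalise(src, line) for src, lines in logs.items() for line in lines]
    events.sort(key=lambda e: e["ts"])
    return {"events": events, "gaps": logging_gaps(events), "alerts": failed_then_success(events)}


if __name__ == "__main__":
    result = analyse()
    for src, start, end in result["gaps"]:
        print(f"GAP  {src}: no events from {start.isoformat()} to {end.isoformat()}")
    for a in result["alerts"]:
        print(f"ALERT {a['user']}@{a['src_ip']}: {a['failures']} failures then success at {a['success_at'].isoformat()}")
```

On the constructed input, the gap check reports both sources silent for longer than 15 minutes, and the login check flags the `admin` account: three failures from 203.0.113.5 followed by a success nine seconds later. The gap check only compares consecutive events, so in a real pipeline you would also compare each source's last event against the current time to catch a source that has stopped reporting entirely.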
In order to provide full visibility across your operating environment, you can send your log and metrics data from your servers, platforms, and third-party tools to the Logit.io centralised GLBA compliance platform.