GLBA explained: What the Gramm-Leach-Bliley Act means for privacy and IT security

This banking regulatory act has an infosec reach that goes far beyond the financial services industry.


GLBA meaning and definition

The Gramm-Leach-Bliley Act (GLBA) is a 1999 law that allowed financial services companies to offer both commercial and investment banking, something that had been banned since the Great Depression. The general public may be most aware of the GLBA in the context of debates as to whether it helped cause the 2008 subprime mortgage crisis, but for IT professionals, it's much better known for the data security and privacy mandates it imposes on a wide range of companies and organizations, even beyond the banking industry. While many of these rules represent best IT practices, the legal stakes of noncompliance are high, with big fines and even potential jail time looming for those who fall short.

GLBA compliance requirements

It may seem a bit strange at first that a financial services law has such a profound impact on IT and data security. But the framers of the law correctly foresaw that by loosening existing banking regulations, they were opening the door to the creation of huge, sprawling firms offering an array of services ranging from checking accounts to high-end investments—and that these companies would have access to huge amounts of customer information. The data security and privacy aspects of the law were included to allay fears that this info would be misused or exploited.

That said, it isn't just the Citibanks of the world who fall under the watchful eye of regulators thanks to the GLBA. The law applies to any business that is "significantly engaged" in providing financial products or services to consumers. The list of businesses that fall under this heading is broad, and includes debt collectors, real estate appraisers, automobile dealers, and even higher education institutions, which maintain bursar accounts for students and administer student loans.

When it comes to data security and privacy compliance requirements under the GLBA, there are three main sets of regulations—each called a Rule in regulation-speak—that IT needs to worry about: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Rule.

GLBA Privacy Rule

The Financial Privacy Rule (generally just shortened to the Privacy Rule) is relatively straightforward. Financial institutions need to provide customers with written information explaining what information is collected about them, how that information is used, where and with whom it's shared, and how it's protected. In line with the older Fair Credit Reporting Act, the Privacy Rule also requires that institutions give consumers the ability to forbid the financial institution from sharing their information with unaffiliated third parties.

Privacy notices like these need to be issued at the beginning of a customer's relationship with an institution and at least once per year thereafter; updated versions of the information must be issued when privacy policies change. The language of the notices may be fairly boilerplate, and indeed the SEC makes model forms available.

GLBA consumer vs. customer. When it comes to the Privacy Rule, the GLBA makes a distinction between different types of people a company interacts with. Anyone who obtains financial products or services from a company is dubbed a consumer, but consumers who maintain a continuing relationship with that institution are customers. All customers are consumers, but not all consumers are customers; customers are those consumers whose relationship with an institution is longer-lasting and more intimate.

For instance, if you have a checking and savings account at Bank A, you're Bank A's customer; if you don't have an account at Bank B but use their conveniently located ATM to withdraw cash from your account at Bank A, from Bank B's perspective you're only a consumer. Or, as another example, if you apply for a loan at Bank C and have no pre-existing relationship with them, you're still only considered a consumer; you become a customer only if the loan is approved and you receive the money.

As you might expect, data privacy requirements are stricter for customers. For example, consumers who aren't customers are only entitled to privacy and opt-out notices if an institution makes specific plans to share those consumers' data with third parties; customers have these rights as soon as they establish a customer relationship.

GLBA Safeguards Rule

The Safeguards Rule requires that any institution covered by the GLBA protect, via administrative, technical, and physical means, the confidentiality, integrity, and security of any nonpublic personal information that institution retains. This is a very broad mandate, though the good news is that it's also a set of best practices that any organization that retains personal data ought to be following anyway; it's broadly similar to regulatory mandates imposed on other industries like health care, so companies covered by multiple sets of regulations shouldn't have to duplicate work.

The Digital Guardian blog breaks down some of the specific steps that companies covered by the GLBA should take so as to get their house in order and ensure that they're in compliance with this Rule. You'll need to:

  • Designate employees to coordinate an infosec program
  • Identify risks to customer information across your company and assess the effectiveness of your current safeguards
  • Design, implement, monitor, and test an overarching safeguard program
  • Select service providers that are able to meet the requirements of the GLBA, and write that into your contract with them
  • Continually evaluate your program as circumstances and the threat landscape change

The Safeguards Rule's mandates are generally phrased in terms of outcomes rather than specific infosec techniques that are required to achieve those outcomes. For instance, there are no specific GLBA password requirements; instead, GLBA-covered institutions are expected to follow contemporary best practices for authenticating access to personal data, which in practice today would include an appropriate password regime.

It's also worth noting that, from the GLBA's perspective, part of safeguarding data involves having business continuity and disaster recovery plans in place, in case some catastrophic breach or data loss occurs that will affect your customers.

GLBA Pretexting Rule 

The third major data privacy aspect of the GLBA is the Pretexting Rule. Pretexting is a form of social engineering in which an attacker tries to convince a victim to give up valuable information or access to a service or system. The distinguishing feature of this kind of attack is that the scam artist comes up with a story—or pretext—in order to fool the victim. For instance, someone might call up your bank, armed with a few pieces of information about you like your address or social security number, and try to bluff them into giving them more information, or even access to your account.

The GLBA has important implications for pretexting in a couple different respects. The first is that it explicitly makes it illegal to use pretexting to try to gain access to the information about victims held by a financial institution covered by the Act. Before the GLBA, these kinds of scams could only be prosecuted under other laws about fraud or false pretenses that didn't always exactly match up with attackers' specific techniques.

From the perspective of infosec pros, though, the more immediately important aspect of the Pretexting Rule is that it requires financial services institutions themselves to take affirmative steps to prevent pretexting. These would take the form of strict requirements about evidence people need to provide to prove they have the right to information they're trying to access, along with staff training to recognize and push back against phishing and other forms of pretexting.

GLBA compliance checklist

As these descriptions should make clear, getting ready for the GLBA is a big effort, but it will largely overlap with needed cybersecurity measures that any institution should be taking. The Infosec Institute outlines ten top-level steps your infosec or IT organization needs to take in order to be GLBA compliant:

  1. Understand the regulations and how they apply to you
  2. Conduct a risk assessment (more on which in a moment)
  3. Ensure that effective controls are in place to mitigate risks
  4. Protect yourself from insider threats
  5. Make sure your service providers are GLBA-compliant
  6. Confirm that you're meeting Privacy Rule requirements
  7. Update your disaster recovery and business continuity plans
  8. Prepare a written information security plan (WISP) — a formal document of this type is a GLBA requirement
  9. Report to the board — the GLBA requires those responsible for infosec to make an annual report to an organization's managing board on GLBA compliance
  10. Review, revise, and improve 

GLBA risk assessment

A risk assessment is an important part of the threat modeling process that many infosec teams do as a matter of course. But if you're looking for a risk assessment specifically tailored to Federal cybersecurity mandates like the GLBA, the Federal Financial Institutions Examination Council (FFIEC) has you covered. Check out their Cybersecurity Assessment Tool, which can help you identify specific areas in which your organization may not be aligned with the GLBA's requirements.

GLBA audit

There are two different processes that people might be referring to when they talk about a GLBA audit. If organizations don't feel that they are up to the task of assessing their own preparedness and compliance, or if they want an honest assessment from an outsider, they can pay a third-party organization to audit their compliance. Such audits can provide invaluable feedback, but keep in mind that they're essentially just providing a second opinion from a private company, not offering the United States Federal government's seal of approval. Deep Odyssey, a company that offers these services, puts it this way in their disclaimer: "The completion of a GLBA Audit does not ensure GLBA compliance. It is the responsibility of the organization to enforce the compliance recommendations at their discretion."

On the other hand, government agencies can and do include GLBA compliance criteria in their audits of institutions covered by the Act. For instance, large educational institutions now have their GLBA compliance reviewed as part of their annual federal compliance audits that they must submit to the Department of Education.

GLBA enforcement

Hopefully our description of the GLBA's broad reach makes it clear why the Department of Education is involved in enforcing a financial service law. In fact, GLBA enforcement is conducted by a number of government agencies—including the Federal Trade Commission, the federal banking agencies, the Consumer Financial Protection Bureau, and state insurance oversight agencies—against any offending companies that might fall under their purview. The FTC is one of the primary enforcement arms; it notched a recent settlement with PayPal over violations from the company's Venmo service, for instance.

GLBA penalties

The consequences for failure to comply with the GLBA can be severe:

  • Institutions violating the law can be fined up to $100,000 for each violation.
  • Responsible individuals at those institutions—generally company officers or members of the board of directors—can be personally fined up to $10,000 for each violation.
  • Those individuals may also be sentenced to up to 5 years in prison.

Our advice? Make sure you're in compliance now—it'll protect both you and your customers.

Copyright © 2020 IDG Communications, Inc.