What is GLBA?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a US federal law with significant implications for financial institutions. It primarily governs how financial institutions handle the private information of individuals. GLBA was enacted to update and modernize the financial industry. The key facet of the regulation is its requirement that companies explain their information-sharing practices to their customers and safeguard sensitive data.
Why Does the Gramm-Leach-Bliley Act Exist?
GLBA came into existence to address concerns about the privacy of personal financial data. Prior to GLBA, financial institutions could share or sell customer information without any notification. This lack of transparency exposed customers to identity theft, fraud, and violations of privacy. GLBA was therefore enacted to protect customers' personal information and to require financial institutions to disclose their information-sharing policies to their customers.
Who Needs the Gramm-Leach-Bliley Act?
The GLBA applies to all companies that offer financial products or services such as loans, financial or investment advice, or insurance. Not only traditional banks but also non-bank financial institutions such as payday lenders, check-cashing businesses, mortgage brokers, financial advisors, tax preparers, and debt collectors fall under the purview of this Act. While these rules primarily apply to financial businesses, any business in possession of customers' financial data needs to comply to avoid hefty federal penalties and potential class action litigation.
The Gramm-Leach-Bliley Act in Cybersecurity
In the context of cybersecurity, GLBA imposes strict rules on financial institutions regarding the protection of customer data. These institutions are required to develop a written information security plan describing their program for protecting customer information. The safeguards required by the Act fall into three categories: administrative, technical, and physical. The law is a common reference point for establishing best practices for data management and information security within the financial sector.
GLBA and Cloud Infrastructure
When considering GLBA in the context of cloud infrastructure and SaaS, financial institutions should ensure that their vendors meet GLBA compliance standards. Since GLBA requires strict privacy controls, any cloud provider or SaaS vendor used by a financial institution must also have appropriate controls in place to protect customer data. With the growing adoption of DevOps, IAM, and least-privilege access in cloud environments, adhering to GLBA guidelines is integral to safeguarding customer information and maintaining compliance.