• GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity. • Major components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information; or personally identifiable information include: •
Financial Privacy Rule •
Safeguards Rule •
Pretexting Protection Financial Privacy Rule (Subtitle A: Disclosure of Nonpublic Personal Information, codified at ) The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the
Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a
privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information. On November 17, 2009, eight federal regulatory agencies released the final version of a model privacy notice form to make it easier for consumers to understand how financial institutions collect and share information about consumers.
Financial institutions GLBA defines financial institutions as: "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance". The
Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these: • Non-bank mortgage lenders, • Real estate appraisers, • Loan brokers, • Some financial or investment advisers, • Debt collectors, • Tax return preparers, • Banks, and • Real estate settlement service providers. These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution". Insurance has jurisdiction first by the state, provided the state law at minimum complies with the GLB. State law can require greater compliance, but not less than what is otherwise required by the GLB.
Consumer vs. customer defined The
Gramm–Leach–Bliley Act defines a "consumer" as :"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See .) A customer is a consumer that has developed a relationship with privacy rights protected under the
GLB. A customer is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a customer might have—i.e., a
mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the
GLB. A business, however, may be liable for compliance to the
GLB depending upon the type of business and the activities utilizing individual's personal nonpublic information.
Consumer/client privacy rights Under the
GLB, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms. The privacy notice must also explain to the customer the opportunity to 'opt out'. Opting out means that the client can say "no" to allowing their information to be shared with nonaffiliated third parties. The
Fair Credit Reporting Act is responsible for the 'opt-out' opportunity, but the privacy notice must inform the customer of this right under the GLB. The client cannot opt out of: • Information shared with those providing priority service to the financial institution • Marketing of products or services for the financial institution • When the information is deemed legally required. • When entering into a financial transaction, the institution providing said transaction must provide the customer a secure room with the ability to close in order to better protect the clients personal information.
Receipt of GLBA notices by consumers ¶ Service of notice requirements Notice requirements may vary. In most cases, service of a GLBA notice is not necessary unless the entity serving the notice intends to "share" customer information, which the FTC defines as, "non-public personal information (NPI)", of customers required to be protected under
GLBA.
¶ Response to receipt of a GLBA notice A consumer may react to service of a
GLBA notice by: • Not responding • Indicating, on an acknowledgment form that notice was not provided (typically for in-person signed documents) • Responding according to format suggested in the GLBA Notice • Responding with a prepared letter (alone or in addition to the form)
Synergy between GLBA and GDPR The
European Union's General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. As applies to consumers, the
GDPR includes provision on scope of data collection, but also includes
right of access,
right to erasure, right to restriction of processing and right to data portability. Due to the multinational nature of some transactions, including data and internet transactions, and the possible implementation of corresponding regulations in some US states, it is likely that business and other entities will comply with the
GDPR as well as US
GLBA requirements. Individualized requests for privacy under the
GLBA are likely to include provisions guaranteed by the
European Union's
GDPR.
Safeguards Rule (Subtitle A: Disclosure of Nonpublic Personal Information, codified at ) The Safeguards Rule implements data security requirements from the GLBA and requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect its clients' nonpublic personal information. The Safeguards Rule applies to information of any consumer's past or present regarding the financial institution's products or services. The written plan must include: • Denoting at least one employee to manage the safeguards • Constructing a thorough
risk analysis on each department handling the nonpublic information • Develop, monitor, and test a program to secure the information • Adapting the safeguards as needed with contemporary changes in how information is collected, stored, and used The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. The Federal Register features approaches for risk assessments such as evaluating the likelihood of magnitudes of harm that result from threats and errors and safeguards are commensurate with the risks they address. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the
GLBA. In December 2021, the Safeguards Rule was updated, amid some controversy, with a six-month compliance extension, from January to June 2023, granted for some types of institutions in November 2022.
Pretexting protection (Subtitle B: Fraudulent Access to Financial Information, codified at )
Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by telephone, by mail, by e-mail, or even by "
phishing" (i.e., using a phony website or email to collect data). GLBA encourages the organizations covered by GLBA to implement safeguards against pretexting. For example, a well-written plan designed to meet GLB's Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext. In fact, the evaluation of the effectiveness of such employee training probably should include a follow-up program of random spot checks, "outside the classroom", after completion of the [initial] employee training, in order to check on the resistance of a given (randomly chosen) student to various types of "social engineering"—perhaps even designed to focus attention on any new wrinkle that might have arisen
after the [initial] effort to "develop" the curriculum for such employee training. Under United States law, pretexting by individuals is punishable as a
common law crime of
false pretenses. ==Effect on usury law==