Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|ISP||Information Security Plan|
|NPI||Nonpublic Personal Information|
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. These financial institutions must communicate to their customers how they share the customers' sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers' private data in accordance with a written information security plan (ISP) created by the institution.
Compliance with GLBA is mandatory. A policy to protect information from foreseeable threats in security and data integrity must exist regardless of whether a financial institution discloses nonpublic information or not.
The act has three main sections, consisting of two rules and a set of provisions, to govern the collection, disclosure, and protection of consumers' nonpublic personal information (NPI) or personally identifiable information (PII):
Financial Privacy Rule Safeguards Rule Pretexting Provisions
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
Pretexting occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or by phishing. GLBA encourages the organizations covered by GLBA to implement safeguards against pretexting.
The FTC is responsible for enforcing its Privacy Rule and its Safeguards Rule.
- Compliance with GLBA is mandatory.
- GLBA consists of two rules and a set of provisions.