The Gramm-Leach-Bliley Act - Information
Information that many would consider private--including bank balances and account numbers--is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.
The GLBA primarily sought to modernize financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use. Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merged, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives. Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals: First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise you of their policies on sharing of personal financial information. Third, they must give consumers the option to opt-out of some sharing of personal financial information.
== Financial Privacy Rule ==
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at {{usc|15|6801|6809}})
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the [[Fair Credit Reporting Act]]. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.
== Safeguards Rule ==
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at {{usc|15|6801|6809}})
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared to protect, and plans to continue protecting, clients’ nonpublic personal information. (The Safeguards Rule also applies to information of those no longer consumers of the financial institution.) This plan must include:
* Designating at least one employee to manage the safeguards,
* Constructing a thorough [[risk management]] analysis of each department handling the nonpublic information,
* Developing, monitoring, and testing a program to secure the information, and
* Changing the safeguards as needed with the changes in how information is collected, stored, and used.
This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
== Pretexting protection ==
(Subtitle B: Fraudulent Access to Financial Information, codified at {{usc|15|6821|6827}})
[[Pretexting]] (sometimes referred to as social engineering) occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by phishing (i.e., using a phony website or email to collect data). The GLBA encourages the organizations covered by the GLBA to implement safeguards against pretexting. For example, a well-written plan designed to meet the GLBA's Safeguards Rule (develop, monitor, and test a program to secure the information) would likely include a section on training employees to recognize and deflect inquiries made under pretext. In fact, the evaluation of the effectiveness of such employee training probably should include a follow-up program of random spot-checks, conducted outside the classroom after completion of the [initial] employee training, to check the resistance of a given (randomly chosen) student to various types of social engineering -- perhaps even designed to focus attention on any new wrinkle that might have arisen after the [initial] effort to develop the curriculum for such employee training. Under [[United States]] law, pretexting by individuals is punishable as a [[common law]] crime of [[False Pretenses]].
== Financial institutions defined ==
The GLBA defines financial institutions as: …companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The [[Federal Trade Commission]] (FTC) has jurisdiction over financial institutions similar to, and including, these:
* non-bank mortgage lenders,
* loan brokers,
* some financial or investment advisers,
* debt collectors,
* tax return preparers,
* banks, and
* real estate settlement service providers.
These companies must also be significantly engaged in the financial service or product that defines them as a financial institution.
Insurance is regulated first by the state, provided the state law at minimum complies with the GLBA. State law can require greater compliance, but not less than what is otherwise required by the GLBA.
== Consumer vs. customer defined ==
The Gramm-Leach-Bliley Act defines a ‘consumer’ as
:an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual. (See {{usc|15|6809 (9)}}.)
A ‘customer’ is a consumer that has developed a relationship with privacy rights protected under the GLBA. A ‘customer’ is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a ‘customer’ might have; i.e., a [[mortgage loan]], tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the GLBA. A business, however, may itself be required to comply with the GLBA, depending upon the type of business and on whether its activities make use of individuals’ personal nonpublic information.
== Consumer/client privacy rights ==
Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.
The privacy notice must also explain to the customer the opportunity to ‘opt-out’. Opting out means that the client can say no to allowing their information to be shared with unaffiliated parties. The Fair Credit Reporting Act is responsible for the ‘opt-out’ opportunity, but the privacy notice must inform the customer of this right under the GLBA. The client cannot opt-out of:
* information shared with those providing priority service to the financial institution,
* marketing of products or services for the financial institution, and
* information whose disclosure is deemed legally required.