From the provisions of the law to decisions about collected data and penalties, financial institutions need to know plenty of things about GLBA compliance. Learn about the new exemptions and challenges associated with the California Consumer Privacy Act (CCPA).
Financial institutions and companies affiliated with them collect data from their consumers, and it is their responsibility to safeguard the data. The federal Gramm-Leach-Bliley Act, also known as the GLBA, regulates how these companies handle, process, and use their consumers’ personal information.
When managing the collected data, financial institutions and their affiliated businesses usually face challenges like:
- Collecting data from multiple sources
- Identifying critical data
- Identifying dark data
- Finding and eliminating duplicate data
- Improving the quality of data
These types of issues make it difficult for businesses to find, manage, and protect their consumers’ information. However, it is essential for them to secure the collected data and comply with GLBA.
What is the Gramm-Leach-Bliley Act, or GLBA?
A significant objective behind the law, which was enacted in November 1999 and enforced by the Federal Trade Commission (FTC), is to modernize financial institutions and safeguard consumer information.
To comply with the GLBA, financial institutions must take the necessary measures to protect their consumers’ nonpublic personal information (NPI). The legislation also prohibits businesses from disclosing the collected information to third parties.
Additionally, financial institutions are required to notify consumers about their data-sharing practices and allow them to opt out.
What is Nonpublic Personal Information (NPI)?
The GLBA prohibits businesses from sharing their consumers’ nonpublic personal information (NPI). NPI is information that is not publicly available. It may include consumer names, contact information, addresses, credit card numbers, bank account numbers, court records, and any other kind of information that:
- Consumers provide to a financial institution
- Results from a transaction made by a consumer
- Is obtained by a financial institution
However, NPI excludes information that is publicly available or published in the media. A business does not need to treat a piece of information as NPI if it is legally available for public use and the consumer has not asked for it to be kept private.
What Kinds of Financial Institutions Come Under GLBA?
Under the GLBA, financial institutions are defined as businesses or companies that offer financial products or services, such as loans or insurance. These institutions collect data about their potential consumers to determine whether they are capable of repaying a loan.
Both financial institutions and their affiliated companies come under the GLBA law. The types of institutions and companies that need to comply with the legislation are:
- Investment advisers
- Mortgage lenders
- Real estate service providers
Apart from these institutions, companies that receive consumer information from them may also need to follow the guidelines of the Financial Privacy Rule, a section of the GLBA.
Difference Between Customers and Consumers – Under GLBA
First things first: the GLBA treats customers and consumers as two different categories. Under the law, customers are a subset of consumers. It is necessary to understand the difference because the Financial Privacy Rule treats the two types differently.
As per the GLBA, a consumer is someone who contacts a financial institution to obtain its products or services, such as a loan, cash from an ATM, or cashing a check.
A customer, on the other hand, is a consumer who maintains a relationship with a financial institution. Examples of such relationships include obtaining a loan, getting a credit card, securing financing, or hiring the services of an investment adviser.
How to Comply With the GLBA
To maintain compliance with the law, institutions need to consider three sections:
- The Financial Privacy Rule: It governs an individual’s private financial information. Under this section, financial institutions must provide their customers with a written statement of their privacy policies.
- The Safeguards Rule: It requires a security program to protect an individual’s information. The rule obliges institutions to protect the information they collect.
- The Pretexting Prohibition: This section restricts obtaining private information under false pretenses. According to this rule, institutions must not lie to their customers to obtain information.
Violation Penalties Associated with the GLBA
An institution that violates the GLBA may be fined $100,000 per violation. In addition, directors and members of management of these organizations may also face a fine of $100,000 for each violation. Penalties may also include up to five years of prison time.
On the other hand, institutions and organizations that comply with the GLBA regulations can gain customer trust. When customers know that their information is being handled responsibly by an institution, they stay loyal to it and invest more in the future.
How Does the CCPA Affect Financial Institutions Subject to the GLBA?
With the introduction of the California Consumer Privacy Act (CCPA), financial institutions and their affiliated companies need to comply with new regulations.
Although the CCPA exempts data that is already covered by the GLBA, it does not exempt the institutions themselves. The exemption applies only to data collected, processed, and sold under the GLBA.
In other words, the CCPA exempts NPI, but other personal information (PI) remains in scope. If a financial institution collects information for purposes other than financial ones, it must comply with the CCPA for that information. Financial institutions also remain subject to the CCPA’s data breach provisions, which means consumers can seek statutory damages.
How Secuvy Helps with GLBA Compliance
Financial institutions and organizations need to comply with both the GLBA and the CCPA. This is not an easy process, and businesses need to build a private network for that.
Institutions need to manage, secure, and report on data; that starts with identifying what data they hold and to whom it belongs. Secuvy uses modern, next-generation data discovery tools to give institutions visibility and control over their data.
Unlike traditional discovery methods, these modern data discovery tools provide real insight into the collected data and enable organizations to protect it while ensuring compliance with the legislation.
Secuvy’s next-generation discovery tools help financial institutions with:
- Identifying data and critical information to determine its purpose, use, impact, and the risk associated with it
- Classifying the collected data to manage it efficiently and effectively
- Cataloging sensitive information automatically from a range of data sources, such as cloud and Big Data platforms
- Identifying and eliminating duplicate data
Apart from that, Secuvy helps financial institutions manage the collected data and create reports on it.
- Centralized System for Unmatched Coverage
The data discovery tools provide financial institutions with one centralized platform where they can store, manage, and protect all types of information, both structured and unstructured.
- Unique, Modern Data-Discovery Technology
Conventional data discovery methods rely on a pattern-based approach. Modern tools like Secuvy’s instead give financial institutions and their affiliated organizations machine learning technology to classify different types of information.
Secuvy’s tools not only help with CCPA and GLBA compliance but are also useful for reporting.
- Dark Data Identification
Traditional data discovery tools require companies to already know where their data is located. Secuvy’s modern tools help identify and classify sensitive data wherever it resides.
- Improved Data Security
Secuvy’s data discovery tools give organizations full control over the data they hold. With that in place, complying with the GLBA and similar legislation becomes a matter of applying the required controls.
Do you want to know more about Secuvy’s data discovery tools? Book your demo and learn how Secuvy can help you discover, classify, and store sensitive data on a centralized platform.