The Gramm-Leach-Bliley Act (GLBA), or the Financial Modernization Act of 1999, is a federal law in the United States that governs how financial institutions protect their clients’ personally identifiable information (PII). According to the law, financial institutions must respect their customers’ privacy and prevent unauthorized access to their sensitive data.
What is the purpose of GLBA?
The Gramm-Leach-Bliley Act ensures that all financial services and their affiliates develop privacy practices and policies that detail how they gather, sell, and share consumer information. Consumers must also be allowed to decide which information a company can disclose or retain.
A related requirement discusses data integrity and governance as part of a comprehensive IT cybersecurity policy.
The history of GLBA
The GLBA repealed large portions of the Glass-Steagall Banking Act of 1933 and the Bank Holding Company Act of 1956. It amended multiple provisions that allowed commercial banks, brokerage houses, and insurance firms to merge. As a result, the Gramm-Leach-Bliley Act created a new structural framework whereby a bank holding company could legally acquire full-service investment banks and insurance companies, allowing them to engage in a more diverse array of financial activities.
The catalyst for GLBA was the merger between Citicorp and the insurance firm Travelers Group. The merger led to the formation of the conglomerate Citigroup, which provided commercial banking, insurance services, and securities-related businesses—a then-direct violation of the Glass-Steagall Act and the Bank Holding Company Act. As a consequence of GLBA, the U.S. Federal Reserve was granted expanded supervisory power to regulate these new financial structures, effectively removing the prohibition on simultaneous services within member banks.
The impact on IT enterprises
You may think that MSPs, MSSPs, and other IT enterprises don’t need to be familiar with financial services law; however, the GLBA has a profound impact on IT and data security. The law applies to any business significantly engaged in providing financial products or services to its consumers, and its data-protection obligations extend to endpoint security.
It requires business leaders to maintain a certain level of compliance with three main sets of regulations, each called a “Rule”: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Rule.
You can read the 145-page full act on the U.S. Government Printing Office website. But to summarize:
Financial Privacy Rule
The Financial Privacy Rule (also known as the Privacy Rule) states that all institutions covered by the GLBA must inform all clients what information is collected about them, how that information is and will be used, where and with whom it is and will be shared, and how it is protected. In line with the Fair Credit Reporting Act, the Privacy Rule also allows consumers to forbid any financial institution from sharing their PII with third parties.
It must be noted that these privacy notices must be issued at the very beginning of the consumer’s relationship with their financial institution, at least once per year thereafter, and whenever privacy policies change.
Safeguards Rule
The Safeguards Rule requires institutions to protect the confidentiality, integrity, and security of their consumers’ PII. This is obviously a very broad mandate, and the law offers some specifics about the different types of safeguards and security tools. However, it is up to the organization to determine the exact protective strategies it needs to ensure data security.
We recommend watching this on-demand webinar on improving your security posture to get started.
Pretexting Rule
The third major data privacy aspect of the GLBA is the Pretexting Rule. Pretexting is a type of social engineering tactic that threat actors use to convince victims to give up valuable information or access to a service or system. The cybercriminal comes up with a story, or a pretext, to emotionally manipulate the victim. For example, a threat actor gathers information about you from social media and, armed with this data, tries to bluff the bank into giving them access to your account.
As such, this Rule requires financial institutions to take proactive steps to prevent all forms of pretexting, including phishing emails. This includes identity verification requirements that people must satisfy to prove they are who they say they are before gaining access to specific accounts.
Becoming GLBA compliant
It’s worth noting that getting ready for and becoming compliant with GLBA can be a massive undertaking and will inevitably overlap with your cybersecurity strategy. Nevertheless, the Infosec Institute suggests ten top-level steps toward achieving GLBA compliance.
- Understand the regulation and how it applies to you.
- Conduct a risk assessment. It’s a good idea to follow your existing IT risk management framework.
- Ensure effective controls are in place to mitigate risks.
- Protect yourself from insider threats.
- Ensure your service providers are GLBA-compliant.
- Confirm you’re meeting the privacy rule requirements.
- Update your IT business continuity and disaster recovery plans.
- Prepare a written information security plan. We suggest using our IT security checklist as your guide.
- Report to relevant stakeholders or your determined Board.
- Constantly review, revise, and improve.
GLBA penalties
Failure to comply with the GLBA can lead to:
- A $100,000 fine for each violation
- A $10,000 fine for each violation for responsible individuals at the institution
- Up to 5 years in prison for responsible individuals
How NinjaOne can help you become GLBA-compliant
NinjaOne is an endpoint management company trusted by 17,000+ clients worldwide. Its cloud-native endpoint management tool not only automates the hardest parts of IT, but it is also SOC 2 Type 2 certified, with SSO available in all packages and at all price points. You also have granular control over permissions and access, including granular RBAC and IP-based login restrictions.
NinjaOne’s IT management software has no forced commitments and no hidden fees. If you’re ready, request a free quote, sign up for a 14-day free trial, or watch a demo.