
The Gramm-Leach-Bliley Act (GLBA)

Compliance, by izaul272, August 30, 2023

Background

The Gramm-Leach-Bliley Act of 1999, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, modernized the regulations governing financial institutions. One part of this act concerns how these organizations communicate their information-sharing practices and how they protect sensitive data. The financial industry is one of the prime targets for cybercriminals seeking a profitable return on their activities, so it is essential for businesses to comply with these regulations. According to the Verizon Data Breach Report for 2023, 95% of all reported breaches were financially motivated.

The Penalties of Non-compliance

Failure to comply with GLBA carries several fines to consider. An organization can receive a $100,000 fine for each violation, as well as an amount of up to one percent of the company’s assets. Senior executives are directly penalized $10,000. Employees may also face fines on an individual basis if they do not follow safety policies and procedures; they may face a fine of $10,000 and between 5 and 12 years of prison time.

Who is subject to the GLBA?

One may assume that only financial institutions such as banks have to worry about the GLBA. However, businesses of any size that offer consumers financial products or services, such as loans, financial or investment advice, or insurance, are covered. Examples include insurance companies, credit reporting agencies, mortgage brokers, tax preparers, and investment professionals, to name a few.

How to comply with the Gramm-Leach-Bliley Act?

Your organization needs to have safeguards to protect consumer data, and it must ensure that affiliated providers and partners take the same approach with this information. Here are the major requirements.

  • Written IT security plan – You need to put together a plan that keeps your customer data safe. Your proposed security measures should account for the type of information you collect from your consumers, the complexity of your infrastructure, and your business activities.
  • Coordinator(s) for the program – At least one employee who oversees the program and ensures it is implemented and maintained properly.
  • Risk assessment and audit – Continually auditing and assessing the IT security plan helps you identify vulnerabilities, discover whether the measures you put in place are effective, and understand the risks your data faces. Information systems, managing system failures, and employee management and training are the three key factors highlighted within the Safeguards Rule.
  • Implement the safeguards program – After the plan is developed, you need to deploy the hardware, software, and policies it consists of. A change management plan can help prepare your organization for any alterations to your typical operations.
  • Proactively monitor the program – You will need to keep an eye on the IT security program to address any issues before they become major or turn into a full data breach. Monitoring also lets you ensure you stay compliant with GLBA.
  • Change the program as the IT security landscape changes – The cyber security landscape changes daily, if not faster. The organization may need to adapt the IT security plan to confront risks that differ from those present when the plan was implemented.
  • Accommodate unique risks – Not every financial organization has the same structure, so the plan can’t be a one-size-fits-all approach; that could leave gaps.
  • Only collect what you need – Collect what you need to do business and nothing more. If you gather data without a clear purpose, you could end up with data that you can’t properly protect.

IT Security Best Practices

Here are several security best practices that cover many common threats and address vulnerabilities.

  • Vetting employees – Background checks and other reference checking.
  • Limiting employee access to data – Least privilege: give your employees access to the information they need for their job and nothing more, and remove that access when they leave the organization.
  • Creating strong password policies and enforcing them – Frequently updated and complex passwords reduce the risk of account breaches.
  • Encrypting consumer data – Encryption helps ensure that attackers do not obtain any usable data.
  • Cyber security training – The human element is a leading cause of incidents; education and training help strengthen you and your employees against security threats.
  • Staying current on new security threats – Pay close attention to the latest attacks and how to protect your data against them. If you know what attackers are doing, you can better protect your data against it.

How Managed Security Service Providers (MSSPs) Help You Meet Compliance Requirements

Properly protecting consumer data is an extensive undertaking that requires the correct knowledge and resources.

An MSSP can give you the additional resources you need to come into compliance and maintain it. The fines for noncompliance with GLBA are extensive, let alone the loss of consumer trust due to a data breach. Get the assistance you need: contact us today so we can help you operate securely and within compliance.

Written by: izaul272
