The rise in security breaches involving personally identifiable information (PII) has led to the loss of millions of records over the past few years. Breaches involving PII endanger individuals through blackmail and identity theft, while organizations can be liable for remediation costs and suffer a loss of trust. Through the Gramm-Leach-Bliley Act, the Federal Trade Commission requires organizations to protect the confidentiality of personal information. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, directs financial institutions to provide clients with policies disclosing the methods they have put in place to protect clients’ information.
The Act consists of three rules: Financial Privacy, Pretexting, and Safeguards.
The Privacy Rule
The Privacy Rule governs the collection and disclosure of private financial information. Financial institutions must disclose their information-sharing practices to all customers – the type of information they collect and the kinds of businesses the information may be shared with. Since clients have the right to decide that they do not want their information given to certain third parties, companies must offer clients the opportunity to opt out of the disclosure. This notice must be provided when the customer relationship is established and before any PII is shared with a non-affiliated third party. In a real estate context, PII is any information given to a title company, or passed to or through it as a third party, for the purpose of obtaining a financial product or service. This includes information about:
- Identification data (name, date of birth, SSN)
- Contact information
- Bank and credit card account numbers
- Credit histories
- Information obtained through other sources including consumer or credit reports or court records.
The Pretexting Rule
The Pretexting Rule was created to prevent identity theft. Pretexting is obtaining personal information by fraud, “impersonating the account holder, by phone, by mail, by email, or by phishing.” The GLBA expects financial organizations to develop a written plan for monitoring account activity and to provide training to staff.
The Safeguards Rule
Under the Safeguards Rule, financial businesses are required to provide administrative, technical, and physical safeguards for consumers’ PII. Since the GLBA applies to all consumer information, whether in electronic, paper, or other forms, safeguards include firewalls and encryption software for electronic devices. As part of this compliance requirement, companies may need to contact affiliates and service providers to verify that they are following the PII protection plan. Companies are required to:
- “Ensure the security and confidentiality of customer records and information.
- Protect against any anticipated threats or hazards to the security or integrity of such records.
- Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
- Evaluate and adjust in light of relevant circumstances, including changes in the firm’s business or operations”
When a GLBA non-compliance charge is confirmed, the penalties are significant:
- Financial institutions found in violation face fines of $100,000 for each violation.
- Individuals in charge found in violation face fines of $10,000 for each violation.
- Individuals found in violation face imprisonment for up to 5 years.
Measures to Take to Protect Personally Identifiable Information
The financial institution must also have rules and procedures for securely destroying information.
Benefits of GLBA Compliance
Complying with the GLBA lowers a business’s risk of damage from the unlawful loss or disclosure of private client information. Customers remain confident that the organization is keeping their information safe. Compliance may also increase customer loyalty, repeat business, and reputation.