The Gramm-Leach-Bliley Act of 1999 is a federal law of the United States, named (as the name of the statute suggests) after its sponsors, Senator Phil Gramm and Representatives Jim Leach and Thomas J. Bliley Jr. It repealed the parts of the Glass-Steagall Act of 1933 that separated commercial banking from investment banking. The Act also governs how a financial institution (whether a commercial bank, an investment bank, an insurer or a securities firm) must explain its information-sharing practices to its customers and safeguard their sensitive data.
The Gramm-Leach-Bliley Act of 1999, or “GLBA”, is formally titled the Financial Services Modernization Act of 1999. Several of its titles carry their own short titles, which are sometimes used when referring to the Act:
- Financial Services Modernization Act of 1999 (the Act as a whole);
- Federal Home Loan Bank System Modernization Act of 1999; and
- Program for Investment in Micro-Entrepreneurs (PRIME) Act of 1999.
The Glass-Steagall Act of 1933 separated commercial banking from investment banking; over time, regulators and financial firms found and exploited many loopholes in that separation.
The GLBA removes that separation, allowing commercial banking, investment banking and insurance to be combined under one roof, and at the same time tightens and regularises the privacy and security of non-public personal information (NPI). It obliges financial institutions not to pass a client’s private information to outsiders except under explicit conditions, and to protect that information.
Under Title V (Privacy), Subtitle A (Disclosure of Non-Public Personal Information), Section 502 of the GLBA prohibits a financial institution from disclosing non-public personal information about a consumer to a non-affiliated third party unless:
- the financial institution has met the notice and opt-out requirements, and
- the consumer has not elected to opt out of the disclosure.
There are three compliance requirements under the 1999 Act: the Privacy Rule, the Safeguards Rule and the pretexting provisions, each discussed below. Non-compliance is actively enforced.
In 2018, PayPal, a US financial technology company, settled charges brought by the Federal Trade Commission (the agency that works to protect American consumers) alleging that its subsidiary Venmo had misled users about their ability to transfer funds and about its privacy settings, and had violated the Safeguards Rule and the Privacy Rule of the GLBA. Non-compliance with the GLBA can therefore also harm a company’s reputation, not just expose it to regulatory penalties.
KEY OBJECTIVES OF GLBA
The primary purpose of this federal law is to protect the confidentiality of customers’ financial data and Personally Identifiable Information (PII) by requiring proper security standards. PII is any information that allows the identity of an individual to be reasonably inferred, directly or indirectly (a credit card number, for example).
The privacy standards in the GLBA apply only to businesses that are “significantly engaged” in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956. This “significantly engaged” test excludes businesses whose financial activities are only incidental, so that they are not caught by the Privacy Rule. Two factors govern whether an activity meets the test:
- whether there is a formal arrangement for the activity, and
- how frequently the business engages in financial activities.
Once a business is found to be significantly engaged in financial activities, it must determine whether the individuals it deals with are customers or consumers, because the Privacy Rule treats the two differently. For the Privacy Rule, all customers are consumers, but not all consumers are customers.
A consumer becomes a customer by having a continuing relationship with the entity. Such a continuing relationship includes:
- holding a credit or investment account with the entity;
- obtaining a loan from the entity;
- buying an insurance product from the entity;
- holding an investment product through the entity, such as when the entity acts as custodian for securities or assets in an IRA;
- entering into a contract or understanding under which the entity agrees to arrange or broker a home mortgage loan or credit to purchase a car for the consumer;
- entering into a non-operating lease of personal property with the entity;
- paying the entity for financial, investment or economic advisory services;
- becoming a client of the entity in order to obtain tax preparation or credit counselling services;
- obtaining career counselling from the entity while seeking employment with a financial institution or with a company’s finance, accounting or audit department (or while employed by such an institution or department);
- being obligated on an account that the entity purchased from another financial institution, regardless of whether the account was in default when purchased, unless the entity does not locate the consumer or attempt to collect any amount owed on the account;
- hiring the entity for real estate settlement services; or
- holding a loan for which the entity owns the servicing rights.
Note that this is narrower than the ordinary meaning of the words, where the end user of a product or service is the consumer, the purchaser (who may also resell) is the customer, and a customer may be an individual or an organization. Under the Privacy Rule both terms refer to individuals who obtain a financial product or service for personal, family or household purposes: a consumer is any such individual, and a customer is a consumer who has a continuing relationship with the institution. Customers are therefore a subclass of consumers.
The Privacy Rule protects a customer’s non-public personal information, or “NPI”, which can be broadly defined as any information that is not publicly available and that:
- a consumer provides to a financial institution in order to obtain a financial product or service from it;
- results from a transaction between the consumer and the institution involving a financial product or service; or
- the financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
The obligations under the Privacy Rule include issuing privacy notices to customers: an initial notice when the customer relationship is established and an annual notice thereafter.
The Privacy Rule is therefore one of the most fundamental rules a financial institution must conform to. It mainly requires the institution to give notice to customers (and in some cases to consumers) and to give them a reasonable opportunity to opt out of disclosures wherever an opt-out applies.
The Safeguards Rule applies to financial institutions under the jurisdiction of the Federal Trade Commission (FTC). It requires each company to have a written information security plan that describes its program to protect customer information. The plan is expected to be proportionate to the size and complexity of the company, the nature and scope of its activities, and the sensitivity of the customer information it handles. To comply with the Safeguards Rule, each company must:
- assign one or more employees to coordinate the company’s information security program;
- identify and assess the risks to customer information in each relevant area of the company’s business, and evaluate the effectiveness of the current safeguards for controlling those risks;
- design and implement a safeguards program, and regularly monitor and test it;
- select service providers that can maintain appropriate safeguards, require them by contract to do so, and oversee their handling of customer information; and
- evaluate and adjust the program in light of relevant circumstances, such as changes in the company’s business or operations, or the results of security testing and monitoring.
These requirements are deliberately flexible so that companies can implement safeguards appropriate to their circumstances. (Practitioners should note that the FTC amended the Safeguards Rule in 2021, with most of the new provisions taking effect in 2023; the amended rule adds more prescriptive requirements, including a designated qualified individual, written risk assessments, encryption of customer information in transit and at rest, and multi-factor authentication for access to customer information. The outline here reflects the structure of the original rule.) The Safeguards Rule requires companies to assess and address the risks to customer information in every area in which they operate, including three key areas:
Employee Management and Training
Employee management and training, so that staff handle customer information in a way that makes the information security plan succeed.
Information Systems
Information systems, including network and software design, and the processing, storage, transmission, retrieval and disposal of information.
Detecting and Dealing with System Failures
Detecting and dealing with system failures is essential to effective security management, which covers deterring, detecting and defending against security breaches. This means taking reasonable steps to prevent attacks, quickly diagnosing a security incident when one occurs, and having a plan in place for responding effectively.
The pretexting provisions, found in Subtitle B of Title V of the GLBA, were enacted alongside the Privacy and Safeguards Rules. (They are sometimes confused with the FTC’s “Red Flags Rule”, but that rule stems from the Fair and Accurate Credit Transactions Act of 2003 and concerns identity-theft prevention programs, not the GLBA.) The pretexting provisions protect against social engineering, or pretexting, in which a fraudster impersonates a customer of an institution in order to breach that customer’s privacy and obtain his or her non-public information.
Such social engineering works by impersonating an account holder, typically by telephone or in writing, and includes:
- vishing (voice phishing, by telephone) and smishing (by SMS text message).
Before the GLBA, pretexting could only be prosecuted under general laws on fraud or deception. The GLBA explicitly makes pretexting illegal: it is an offence for any person to obtain or attempt to obtain, or to cause the disclosure of, customer information of a financial institution by false pretenses, that is, by fraudulent statements or by forged or stolen documents, and it is likewise an offence to solicit another person to do so.
The GLBA and its three key rules create a protective envelope around the non-public information of customers of financial institutions. As stated above, the Privacy Rule protects private information by distinguishing between customers and consumers and requiring notice and an opportunity to opt out; the Safeguards Rule requires a written security plan and measures to protect customer data; and the pretexting provisions criminalise pretexting directly, where before the GLBA an attacker could only be charged under general provisions on fraud or deception that did not fit the conduct well.
The GLBA has therefore proved beneficial for the protection of customer information, although, unlike the GDPR (General Data Protection Regulation), which addresses the privacy of personal data across all sectors, it is limited to financial institutions.