What is GLBA?

The Gramm-Leach-Bliley Act, or GLBA, was enacted on November 12, 1999, to reform the financial services industry and address concerns relating to consumer financial privacy. The Act’s primary purpose is to ensure that financial institutions safeguard the confidentiality of non-public personal information (NPPI) gathered from consumers’ records.

GLBA is based upon two main sections: the Financial Privacy Rule and the Safeguards Rule. The Privacy Rule requires financial institutions to notify consumers about their information-sharing practices and explain to them their right to "opt out." The Safeguards Rule requires financial institutions and their affiliates to have the necessary administrative, technical, and physical measures in place to keep customer information secure.

In addition to protecting consumer financial information, organizations covered by GLBA must also take measures to detect and prevent security incidents.

Who Needs to Comply with GLBA?

GLBA covers a broad range of financial institutions that “offer consumers financial products or services like loans, financial or investment advice.” These include many companies not traditionally viewed as financial institutions, e.g., check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, appraisers, retailers that issue branded credit cards, professional tax preparers, and courier services.

The law also applies to companies like credit reporting agencies and ATM operators that receive customer information. GLBA also covers Title IV schools entrusted with student financial aid information.

Why Comply with GLBA?

GLBA compliance is mandatory, and all institutions covered by the law must have policies and controls in place to protect customer information from foreseeable threats.

The Federal Trade Commission (FTC) conducts GLBA audits of covered institutions to ensure GLBA compliance. Non-compliance may result in significant financial and operational losses along with reputational damage. GLBA provisions include severe penalties for non-compliance, including fines and even imprisonment. In case of a GLBA violation:

  • The institution will be subject to a penalty of up to $100,000 for each violation;
  • Chief executives of the institution will be personally liable and may be fined up to $10,000 for each violation;
  • The institution and its executives may also be subject to imprisonment for not more than five years.

Finally, data breaches have additional significant costs aside from formal penalties. Such losses may include:

  • Loss of customers’ and consumers’ trust
  • Lawsuits
  • Loss of existing and prospective contracts
  • Public image damage

How to Comply with GLBA?

As GLBA covers a wide range of financial institutions, including those not traditionally considered as such, no one-size-fits-all approach to GLBA compliance exists. However, there are general requirements that all organizations must meet, including:

  • Develop, implement, and maintain a comprehensive information security program and adjust it in light of the results of the testing and monitoring;
  • Designate a qualified individual responsible for overseeing, implementing, and enforcing your information security program (e.g., a Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO));
  • Conduct risk assessments periodically and implement additional controls to mitigate identified risks;
  • Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems;
  • Implement policies and procedures to ensure that personnel can enact your information security program (security awareness training; regular security updates);
  • Identify and address vulnerabilities in systems and applications in a timely manner;
  • Establish a written incident response plan designed to respond to and recover from any security event materially affecting the confidentiality, integrity, or availability of customer information in your control.

How Can Planet 9 Help?

Planet 9 employs seasoned professionals with years of experience working in the financial industry who can help address all GLBA requirements. A typical engagement consists of the following steps:

  • Conduct a discovery to understand the customer’s organization, business processes, and technologies;
  • Perform a GLBA compliance review to identify safeguards in place and compliance gaps;
  • Perform a risk assessment to identify risks to customer data;
  • Develop a roadmap for addressing the identified compliance gaps and risks;
  • Assist the client in executing the roadmap.

Depending on the expertise and availability of the client’s internal resources, Planet 9 can implement the entire roadmap, position the client to execute the roadmap independently, or supplement the client’s team.