CHAPTER 9:
GLBA

The Financial Services Modernization Act 1999, usually called the Gramm-Leach-Bliley Act (‘GLBA’) after its sponsors, covers all US-regulated financial services corporations. It applies to:

• banks, securities firms and insurance companies,

• lending, brokering or servicing any type of consumer loan,

• transferring or safeguarding money,

• preparing individual tax returns,

• providing financial advice or credit counselling,

• providing residential real estate settlement services,

• collecting consumer debts, and

• an array of other activities.

The GLBA charges the boards of these entities with protecting their customers’ personal information against any ‘reasonably foreseeable’ threats to its security, confidentiality or integrity. The GLBA also applies to a wide range of ‘non-bank’ managers.

The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule:

• The Financial Privacy Rule governs the collection and disclosure by financial institutions of customers’ personal financial information. It also applies to companies, whether or not they are financial institutions, that receive such information.

• The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions ‘such as credit reporting agencies’ that receive customer information from other financial institutions.

• The ‘pretexting’ provisions of the GLBA protect consumers from individuals and companies that obtain their personal financial information under false pretences, a practice known as ‘pretexting’.

The GLBA requires a company’s management to develop, draft, approve and implement an appropriate information security program as part of their normal accountabilities. The information security requirements of the Act are contained in the Standards for Safeguarding Customer Information: Final Rule (16 CFR Part 314, 23 May 2002 – the rules issued by the other banking agencies are substantively identical). The rules relate to ‘non-public personal information’ which consists of ‘personally identifiable financial information’ and includes any information collected through a ‘cookie’.

The purpose of the GLBA is defined as setting standards for:

‘developing, implementing, and maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information’ [§314.1(a)].

The GLBA Final Rule is explicit in requiring financial institutions to:

‘identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information’ [§314.4(a)(1)];

consider risks in each area of operations, particularly ‘information systems, including network and software design, as well as information processing, storage, transmission and disposal’ [§314.4(a)(2)]; and

be responsible for ‘detecting, preventing and responding to attacks, intrusions, or other systems failures’ [§314.4(a)(3)].

The interplay between regulatory regimes is exemplified in the statement that the GLBA does not ‘modify, limit or supersede operation of the FCRA’ and does ‘not pre-empt any state law that provides greater protections’. The growing body of state regulations that interact with the GLBA includes California’s Senate Bill 1386 and the Online Personal Privacy Act (‘OPPA’) and, for a growing number of companies, the EU Safe Harbor provisions are also relevant.

The Fair Credit Reporting Act (‘FCRA’)

The FCRA was passed in 1970. It is designed to ‘promote accuracy and ensure the privacy of the information used in credit reports’, applies specifically to consumer reporting agencies (such as credit bureaux), also covers organizations sharing information with their subsidiaries, and is enforced by the FTC. It is underpinned by a range of state laws.
