Key Points:

• GLBA (Gramm-Leach-Bliley Act) Compliance mandates US financial institutions to protect non-public personal information (NPI), ensuring customer data privacy.
• GLBA compliance involves adherence to Privacy Rule, Safeguards Rule, and Pretexting Provisions, overseen by the FTC, OCC, and Federal Reserve.
• Metomic assists in GLBA compliance by identifying risks, automating safeguards, reducing data in SaaS apps, and providing real-time monitoring and employee notifications from a unified platform.

What is GLBA Compliance?

Also known as the Financial Modernization Act, GLBA stands for the Gramm-Leach-Bliley Act - a law that requires financial institutions in the US to protect non-public personal information (NPI). 

It was brought in to help safeguard the privacy of customers and since 1999, those in the financial sector such as banks, insurance companies, and fintech businesses, have adhered to it. 

Companies need to tell their customers how they share their sensitive data, let them know that they’re able to opt out of their data being shared with third parties, and ensure they’re aligned with a clear information security plan.  

A revised Safeguard rule is coming into force on June 9th, 2023 that sets out more recommendations for keeping customer data safe. 

What is NPI? 

NPI stands for Nonpublic Personal Information and covers a multitude of data that is typically not available to the public. NPI can include: 

• PII (Personally Identifiable Information) which could be someone’s full name, street address, date of birth, or social security number 
• Financial information such as credit card details or account balances 
• Knowledge of transactions such as withdrawals of cash, deposits and money transfers 

GLBA 2.0 Compliance Requirements – A Complete Checklist

Under GLBA, financial institutions must comply with three key elements: 

1. Privacy Rule: The Privacy Rule states that financial institutions must keep their customers informed about their privacy practices and give them the opportunity to opt out of sharing their personal information with third parties.

2. Safeguards Rule: The Safeguards Rule requires financial institutions to develop information security programs to protect customer information effectively. That could include risk assessments, putting safeguards in place to control risks, regularly testing the effectiveness of the safeguards, and training employees on security procedures. One person must take ownership of this plan and it must be regularly reviewed. 

The company’s third parties must also put systems in place to protect customer information so they do not pose a threat to the data. 

3. Pretexting Provisions: As tactics from malicious actors become more sophisticated, GLBA includes requirements for businesses to prevent pretexting. Those in the financial sector need to ensure sensitive data is locked down and unable to be accessed by those who aren’t authorised to view it. 

Who oversees GLBA compliance? 

The Federal Trade Commission (FTC) ensures companies are complying with GLBA, as well as the Office of the Comptroller of the Currency (OCC) and the Federal Reserve. 

What happens if you don’t comply with GLBA? 

You could be facing financial losses such as fines, as well as reputational losses too. It’s not just on a company level either - individuals who violate GLBA could face up to five years in prison.

Financial penalties include: 

• Financial institutions that violate GLBA could pay $100,000 per violation 
• Individuals who are in charge of overseeing GLBA compliance could pay $10,000 per violation 

How can Metomic ensure companies adhere to GLBA requirements? 

Sheree Buller Lim, Head of Product at Metomic says, “Metomic can help companies ensure their compliance with GLBA in a number of ways: 

1. We help to form part of your information security programme by showing you the risks to your business, as well as your most critical files 
2. We help you put safeguards in place to control risks with our automated rules and redactions
3. We help you minimise the amount of data you hold in your SaaS applications 
4. You get access to real-time continuous monitoring so you have visibility over your sensitive data 
5. Your team is clued up on security policies with real-time notifications to make them aware of any violations they have made.” 

‍Which of Metomic’s features can help ensure GLBA is adhered to easily and smoothly?   

There are three main features of Metomic that can help you ensure compliance with GLBA: 

• Metomic’s AI-powered Risk Score can help you understand how your business is performing when it comes to controlling your most sensitive assets and high-risk files. 
• Our employee notifications reach your colleagues directly when they breach security policies to ensure everyone adheres to the rules. This can help towards your employee training aspect of GLBA. 
• You’ll be able to limit access to your most sensitive data and implement tighter controls on your documents to keep your customer’s information secure. 

And the best part is that you can do all of it from one platform. 

Want to try it for yourself? We offer a risk audit for your business. Just fill out the form here to let us know you’re interested and we’ll be in touch soon: https://metomic.io/contact-us

‍‍