July 19, 2023

    Your Guide to GLBA Compliance in 2023

    In this blog post, we'll unravel the mysteries surrounding GLBA compliance and empower you with the knowledge you need to stay ahead in the financial industry. Get ready for a great introductory overview into the world of the Gramm-Leach-Bliley Act and discover how compliance can be your secret weapon in building trust, enhancing data security, and propelling your business to new heights. So grab your coffee, buckle up, and let's embark on this compliance adventure together!

    What is the GLBA?

    The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a U.S. law that requires financial institutions to protect customer information and privacy. The act was passed by Congress after many brokerage firms began merging with banks in order to gain access to deposits and expand their investment businesses. As part of this merger process, they were required to share customer information with each other so they could better serve customers through cross-selling opportunities.

    For example, under the Act, if your bank merged with a brokerage firm or insurance company, its new affiliates would be subject to certain privacy rules. In addition to requiring financial institutions to adopt policies on protecting consumer information, the GLBA also requires that they report breaches involving unsecured protected health information (PHI), or any other breach involving more than 500 customers, within 60 days after discovery of any unauthorized disclosure of such confidential customer information.

    To comply with GLBA requirements on shared customer data and privacy protection, financial institutions must develop written policies and procedures that address:

    • Accessing nonpublic personal information about consumers (including employees)
    • Sharing nonpublic personal information
    • Safeguarding consumer records
    • Providing notice of security breaches involving sensitive personal information

    Unraveling the FACT Act Amendments

    The FACT Act became law on December 21, 2002. It amended the GLBA and added Subpart C, which covers access to consumer reports, and Subpart D, which covers the security of consumer information. Subpart C covers the right of consumers to access their own credit reports (and those of their children under 18) at no charge once per year from each credit reporting agency, and isn't relevant to you for secure file sharing. Subpart D, however, includes a variety of security measures for businesses that handle sensitive personal information such as Social Security numbers or financial account numbers (e.g., credit card numbers). These requirements include: ensuring that all employees who have access to this information receive annual training on proper handling techniques; implementing strong password policies; encrypting all data traveling over public networks; and obtaining reasonable assurances from third-party service providers that they meet industry standards specifically related to how they handle sensitive personal information before entering into contracts with them.

    Within the FACT Act, there is also a "Red Flags Rule" that requires financial institutions to have procedures in place to detect, respond to, and prevent identity theft.

    The Key Provisions and Must-Know Requirements of GLBA Compliance

    Broadly, the GLBA requires financial institutions to implement and maintain a written information security program designed to: 

    1. Ensure the security and confidentiality of customer records and information.
    2. Protect against any anticipated threats or hazards to the security or integrity of such records.
    3. Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

    Financial institutions are defined as banks, savings associations, credit unions, broker-dealers in securities registered with the Securities and Exchange Commission (SEC), mutual funds that sell investment interests to the public, and federal covered entities including state-licensed insurance companies.

    The GLBA applies only if your institution has 500 or more customers who are not individuals within one year from when you first begin offering services as a financial institution. 

    GLBA Compliance is More than Policy Implementation

    Your first step is to understand the impact of GLBA on your organization, and how it will affect your day-to-day operations.

    One of the first things you should do is identify which parts of your business are covered by GLBA. Once you've done that, it's important to understand what needs to happen at each stage in order for your organization to meet compliance requirements.

    The next step is to determine which policies must be updated or created outright in light of this new legislation, and then begin implementing them across all employees.

    GLBA Compliance Checklist

    If you're wondering how to get started with GLBA compliance, here are a few tips:

    • Start with the basics. Review your privacy policy, create a list of documents that need to be prepared, and refer to the Federal Trade Commission's website for more information.
    • Be sure to include all applicable state laws and regulations in your checklist so that you don't miss anything important.
    • Think about what would cause customers or employees to complain about your company's data security practices, then make sure those issues are addressed before they become a problem for them (and for you).
    • Work with a File Transfer Protocol (FTP) site provider to secure your data on a GLBA-compliant site.

    Ensuring GLBA Compliance with Sharetru: A Secure and Trustworthy Partner

    You've come a long way, and if you've made it this far, then you're probably ready to take on the challenge of implementing the GLBA. This is where Sharetru comes into play. As a cloud-based file transfer software, Sharetru is designed with regulatory compliance and security at its core. It offers unparalleled security measures, including end-to-end encryption, Multi-Factor Authentication, IP address restrictions, and granular permissions. Its robust admin settings and integration freedom provide a host of options to meet the highest level of industry security requirements. Furthermore, Sharetru's granular permissions system safeguards against inadvertent sharing with unauthorized individuals, thereby minimizing the risk of user error. Lastly, the privacy requirements can be met with Sharetru in several ways: by using the text field for the login customization, or through the clickwrap agreement.

    You may have questions about what steps your organization should take next. We hope that this guide helped answer some of those questions and provided some useful tips on how to get started with compliance. If it didn't quite hit the mark, don't worry! We have plenty more resources for you that will help bring order and clarity into your life. If you need a GLBA compliant file sharing platform, we have you covered!


    Arvind Mistry

    Arvind, Sharetru's Director of Compliance, brings 11+ years' experience in cloud solutions for Federal Govt. & public sector from esteemed companies.
