See how you can maintain an inventory of GLBA-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.
Passed in 1999, the Gramm-Leach-Bliley Act (GLBA) applies both to financial institutions and to any business that offers consumers financial products or services (loans, financial or investment advice, insurance, etc.).
It requires businesses to explain their information-sharing practices to customers and to provide evidence to auditors that they take active steps to safeguard sensitive data.
GLBA applies to businesses of any size that provide financial products or services for personal, family, or household purposes and, in doing so, collect non-public personal information (NPI) on consumers.
Companies subject to GLBA are either financial institutions themselves or third parties that receive NPI from a financial institution.
GLBA does not apply when a financial institution collects information for business or commercial purposes, such as commercial loans, commercial checking accounts, and other B2B services. GLBA also does not apply to information collected on individuals not applying for a financial product.
Any “non-public personal info” or NPI about consumers collected by companies offering financial services is covered under the act.
NPI is any personally identifiable financial information collected about an individual, including:
The act has three main sections, consisting of two rules and a set of provisions.
To be GLBA compliant, financial institutions must:
The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Financial Privacy Rule.
The Safeguards Rule requires businesses to have controls in place to protect, store and dispose of customer information. It requires businesses to identify risks to consumers’ private information in each relevant area of the company’s operation, evaluate the effectiveness of the current safeguards for controlling these risks, and provide evidence to auditors that steps.
All GLBA rules went into effect on November 12, 1999 and are enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.
If a GLBA non-compliance allegation is proven, the punishment can have business-altering – and even life-altering – ramifications. Non-compliance penalties include:
Meet GLBA’s Safeguards Rule with automated discovery of GLBA-regulated sensitive data across all data sources, plus proof of policy enforcement and of right-to-be-forgotten fulfillment.
Qohash provides a complete inventory of GLBA-regulated, sensitive, unstructured data at rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location.
Qohash provides labelling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk. All functionality is offered for a one-time flat fee – no on-premises servers required.
GLBA requires businesses to “note where data is collected, stored, or transmitted” with an “accurate list of all systems, devices, platforms, and personnel.”
Provide auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement.
Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations or onto OneDrive for faster remediation.
Content of Privacy Notice 8.h requires proof of “policies for protecting the confidentiality, security, and integrity of customer nonpublic personal information.”
Quickly create an access control list of all GLBA-regulated data. Provide evidence of restrictions and show the regular evaluation of whether those with access have a legitimate business need for it.
Content of Privacy Notice 14.a requires proof of the process to regulate “who has access to NPI.”
See when files were last accessed in on-premises locations, in the cloud, and on workstations. Delete data directly within the tool to show compliance with data deletion requests in any location – including endpoints.
GLBA requires the secure disposal of “customer information no later than two years after the most recent use of it to serve the customer.”
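The three controls described above (regex-based discovery of NPI in files, an access review of who can read that data, and a last-accessed check against the two-year disposal window) can be shown together in a small script. The following is an added example written for this page; it is not Qohash product code. The detection patterns (an SSN-style pattern and a hypothetical 16-digit account number), the sample files, the reader lists, the approved-access mapping and the 730-day approximation of “two years” are all constructed assumptions.

```python
"""Added illustration: NPI discovery, access review and retention check.

Example code for this page, not Qohash's product. The patterns, sample
files and approval records below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed detection patterns (assumption: what counts as NPI here).
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\b\d{16}\b"),
}

# Disposal window quoted on the page: no later than two years after the
# most recent use. Approximated here as 730 days.
RETENTION_LIMIT = timedelta(days=2 * 365)


@dataclass
class FileRecord:
    path: str
    content: str
    last_accessed: datetime
    readers: set = field(default_factory=set)  # principals with read access


@dataclass
class Finding:
    path: str
    npi_types: list
    last_accessed: datetime
    readers: set
    disposal_due: bool


def detect_npi(text):
    """Return the sorted names of the NPI patterns that match in text."""
    return sorted(name for name, rx in NPI_PATTERNS.items() if rx.search(text))


def inventory(files, now):
    """Build the NPI inventory: one Finding per file that holds NPI,
    flagging files whose last access is older than the retention limit."""
    findings = []
    for f in files:
        types = detect_npi(f.content)
        if not types:
            continue
        findings.append(Finding(
            path=f.path, npi_types=types, last_accessed=f.last_accessed,
            readers=set(f.readers),
            disposal_due=(now - f.last_accessed) > RETENTION_LIMIT,
        ))
    return findings


def access_review(findings, approved):
    """Readers of NPI files who lack a documented business need.

    approved: mapping path -> set of principals with a recorded approval
    (assumption: how the business documents legitimate access).
    """
    return {f.path: sorted(f.readers - approved.get(f.path, set()))
            for f in findings if f.readers - approved.get(f.path, set())}


# Constructed sample data (no real NPI).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FILES = [
    FileRecord("onedrive/alice/loan_app_2021.txt",
               "Applicant SSN 123-45-6789, card 4111111111111111",
               NOW - timedelta(days=900), {"alice", "bob"}),
    FileRecord("fileserver/hr/policy.txt",
               "Retention policy: dispose within two years of last use.",
               NOW - timedelta(days=10), {"everyone"}),
    FileRecord("workstation/carol/export.csv",
               "acct,4000123456789012,balance,100.00",
               NOW - timedelta(days=30), {"carol", "mallory"}),
]
APPROVED = {"onedrive/alice/loan_app_2021.txt": {"alice"},
            "workstation/carol/export.csv": {"carol"}}

if __name__ == "__main__":
    findings = inventory(SAMPLE_FILES, NOW)
    for fnd in findings:
        print(fnd.path, fnd.npi_types, "dispose" if fnd.disposal_due else "keep")
    print("readers without approval:", access_review(findings, APPROVED))
```

Run as-is, the script reports the loan application as holding both pattern types and past its disposal window, the CSV export as holding an account number but still within the window, and `bob` and `mallory` as readers without a recorded business need. Against a real estate the inputs would come from a file walk and the directory's ACLs, and the regexes would be validated (check-digit tests, keyword context) to keep false positives out of the inventory.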
Provide regulators with evidence of real-time policy enforcement the instant risky behavior occurs. Tracking sensitive data elements, cross-referenced with employee interaction and location data, enables immediate action when policy-violating accumulation, deletion or exfiltration occurs.
Content of Privacy Notice 14.b requests evidence of “security practices to ensure the confidentiality of NPI in accordance with the institution’s policy.”
Assess and address risk in preparation for passing a GLBA audit. As a foundational step in risk assessment, know how much sensitive data is on business systems and who has access to it, and find critical exposure points. Classify data and monitor employee interactions with it to enforce policies in real time.
GLBA requires that potential risks are identified and assessed on an ongoing basis.