Drive GLBA sensitive data compliance

GLBA Overview

The Gramm-Leach-Bliley Act

Passed in 1999, the Gramm-Leach-Bliley Act applies to both financial institutions and any business that offers consumers financial products or services (loans, financial or investment advice, insurance, etc.).

It requires businesses to explain their information-sharing practices to customers and to provide evidence to auditors that they take active steps to safeguard sensitive data.

Businesses impacted

GLBA applies to any size business that provides financial products or services for personal, family, or household purposes, and in doing so, collects non-public personal info (NPI) on consumers.

Companies subject to GLBA either identify as a financial institution or receive NPI from a financial institution as a third party.

GLBA does not apply when a financial institution collects information for business or commercial purposes, such as commercial loans, commercial checking accounts, and other B2B services. GLBA also does not apply to information collected on individuals who are not applying for a financial product.

Data types covered

Any “non-public personal info” or NPI about consumers collected by companies offering financial services is covered under the act.

NPI is any personally identifiable financial information collected about an individual, including:

  • any personal information provided by a consumer to obtain a financial product
  • any information collected during a transaction (credit card and bank account numbers)
  • any information collected while providing a financial service

Compliance requirements

The act has three main sections, consisting of two rules and a set of provisions.

To be GLBA compliant, financial institutions must:

  1. communicate to customers how they share sensitive data
  2. inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties
  3. provide auditors evidence that they’ve taken steps to protect customers’ private data in accordance with their written information security policy

The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Financial Privacy Rule.

The Safeguards Rule requires businesses to have controls in place to protect, store and dispose of customer information. It requires businesses to identify risks to consumers’ private information in each relevant area of the company’s operation, evaluate the effectiveness of the current safeguards for controlling these risks, and provide evidence to auditors that those steps have been taken.

Enforcement and penalties

All GLBA rules went into effect on November 12, 1999 and are enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.

If a GLBA non-compliance allegation is proven, the punishment can have business-altering – and even life-altering – ramifications. Non-compliance penalties include:

  • Financial institutions found in violation face fines of $100,000 for each violation.
  • Individuals in charge found in violation face fines of $10,000 for each violation.
  • GLBA also includes provisions for criminal enforcement. In criminal cases, financial institutions, officers, and directors can face statutory fines, and officers and directors can also face up to 5 years of federal imprisonment.

Six ways Qohash drives compliance

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track its full data lineage, including the exact location where the data left an environment, where it ended up, and every touch point in between.

Qohash provides a complete inventory of sensitive, unstructured data at rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

As a foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluating whether those with access have a legitimate business need for it. Gain insight into all critical exposure points for sensitive data. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.
