Your GLBA compliance journey with Okta
Introduction
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to disclose their information-sharing practices to their customers and to proactively secure sensitive customer data. Also known as the Financial Modernization Act of 1999, the GLBA was focused on updating and modernizing the financial industry. Today, all companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance are required to comply with the GLBA, whose data-protection requirements center on two rules:
- The Safeguards Rule
- The Financial Privacy Rule
The Safeguards Rule
Put simply: financial institutions must protect the customer information they collect.
Before we dig into the specifics of what that means, let’s first make sure we’re clear on who must comply. Under the GLBA, ‘financial institution’ covers a broad range of businesses of all sizes: any organization that is ‘significantly engaged’ in providing financial products or services. The customer information such a business must protect includes names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
More tangibly, that could include check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.
To comply with the Safeguards Rule, companies must develop a written information security plan that describes how they protect customer information. The requirements are flexible depending on the company’s size, complexity, and circumstances, and are ultimately designed to ensure financial institutions assess and address the risks to customer information in all areas of their operation. The three areas that the GLBA identifies as particularly important in information security are:
- Employee Management and Training
- Information Systems
- Detecting and Managing System Failures
Identity and access management security can play a key role across all three of these categories. Under the Employee Management and Tra