GLBA Cloud Compliance

What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA) is a United States federal regulation to protect consumer financial privacy. The regulation provides restrictions on the sharing of consumer financial information to third parties, a practice that many financial institutions and organizations engage in. GLBA require financial institutions – defined broadly to encompass companies that provide financial services or products – to disclose their information-sharing practices to customers and make clear the right to ‘opt-out’ of this information sharing with nonaffiliated third parties.

GLBA also establishes restrictions on the reuse and re-disclosure of a customer’s financial information. In addition, the GLBA Data Protection Rule requires appropriate administrative, technical and physical safeguards on the customer data. Even if the financial institution does not disclose nonpublic financial information to third parties, GLBA compliance is still mandatory.

GLBA calls for severe civil and criminal penalties for noncompliance, including fines and imprisonment. If a financial institution violates GLBA:

• The institution will be subject to a civil penalty of not more than $100,000 for each violation
• Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
• The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both

Violations of GLBA can also result in a number of sanctions and can adversely affect an institution’s reputation.

Who does it apply to?

GLBA applies to all businesses that are ‘significantly’ engaged in providing financial products or services to consumers. Companies not traditionally considered to be financial institutions but provide financial products or services such as check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, retailers, ATM operators and credit reporting agencies are similarly required to comply with GLBA.

What data are protected?

• Nonpublic personal information: personally identifiable financial information collected in connection with providing a financial product or service or otherwise collected by a financial institution.
• Nonpublic personal information includes:
  • Customer name, address, social security number, account number
  • Information a customer provides on an application
  • Information obtained on a legal document that pertains to a summons, bankruptcy, divorce, etc.
  • Information from a “cookie” obtained in using a website
  • Information on a credit report obtained by a financial institution