Fact Sheet 24e:
Is Your Financial Information Safe?


Copyright © 2004-2016
Privacy Rights Clearinghouse
Posted September 2004
Revised July 2016
  1. Introduction
  2. Companies that must safeguard your financial information
  3. What companies must do to protect your financial information
  4. Pretexting
  5. Resources

1. Introduction

In this guide we explain how financial companies must safeguard your personal information, the types of companies that must follow security procedures, and what you can do to protect yourself.

The federal Gramm-Leach-Bliley Act, or GLB (15 U.S.C. §§ 6801-6810), requires financial institutions to adopt procedures to safeguard your personal information. This is called the Safeguards Rule. Another section of GLB creates civil as well as criminal penalties when someone uses false pretenses to get your personal financial information, a practice called “pretexting.”

Privacy and security go hand in hand. You have probably heard these terms used frequently, but are still not clear what they mean. Think of it this way: Privacy is your right to control how your personal information is collected and used. Security is the obligation of the company that collects and uses your information to make sure the information is safe against unauthorized access and uses.

2. Companies That Must Safeguard Your Financial Information

Does GLB cover banks?

Yes, and much more. The GLB privacy and security provisions apply to “financial institutions,” a term defined in the Bank Holding Company Act of 1956 as an institution that is “significantly engaged in financial activities….” (12 U.S.C. 1843(k)).

Obviously, banks and other companies such as credit unions that are engaged in activities like accepting deposits meet the definition of “financial institution.” Other companies covered by the Safeguards Rule include:

  • Debt collectors.
  • Investment brokers.
  • Retailers that extend credit by issuing credit cards to consumers.
  • Check cashing businesses.
  • Mortgage brokers.
  • Non-depository lenders.
  • Consumer reporting agencies.

For other companies that come under the jurisdiction of the FTC, see Financial Institutions and Customer Data: Complying with the Safeguards Rule.

Do insurance companies have to safeguard my information?

Yes. Insurance companies are considered “financial institutions” under GLB. Because the insurance industry is primarily regulated by states, GLB privacy regulations regarding notice and opt-out were published by states. Your state insurance department is the best source for information.

Do I lose security protections when my information is shared?

It depends. The FTC’s Safeguards Rule requires financial institutions to take steps to ensure that affiliates and service providers also safeguard customer data. The rule also requires financial institutions that receive customer data from another financial institution to safeguard that information. But the Safeguards Rule does not apply if the recipient of your information is neither a financial institution nor an affiliate or service provider.

Even the security provisions that apply to service providers have their limitations. Your financial institution may, for example, employ another company to send out mail, print account statements, provide accounting services or any number of other functions. The company that provides these services has to comply with the established security procedures.

However, the service provider that works for your company may employ an independent contractor or yet another company to perform some service that involves access to your personal information. In that case, the security requirements do not apply except to the service provider that contracts directly with the company you’re doing business with.

Is GLB the only federal law that covers personal data?

No. The federal Fair Credit Reporting Act (FCRA) governs personal information included in consumer reports. (15 U.S.C. §1681 et seq.) The main “security” feature of the FCRA is that the law limits access to certain “permissible purposes,” such as credit, employment, insurance underwriting, and rental history. Many companies covered by the FCRA may also be “financial institutions” under GLB.

As a safeguard against identity theft, the FCRA includes an important section that requires proper disposal of personal data, such as shredding. Consumer reporting agencies and those who obtain consumer reports for credit, employment, insurance, rental history, or other “permissible purposes” must discard sensitive data in a structured way.

3. What Companies Must Do to Protect Your Financial Information

Generally, companies are left on their own to develop security programs that are appropriate to their individual size and operations. The federal agencies determined flexibility was necessary because of the many different kinds and sizes of companies that would have to comply.

In the end, security under GLB translates to “guidelines” rather than strict rules for compliance. There are some things a financial institution must do. For example, financial institutions are required to:

  • Develop a written security plan.
  • Designate responsible employees.
  • Assess risks to customer data.
  • Test and monitor safeguards.

Other than these requirements, security procedures are generally left up to the financial institution. The FTC identified three areas as important to security: (1) employee management and training; (2) information systems; and (3) managing system failures. The FTC’s Safeguards Rule goes on to suggest steps a company might take to secure information.

Does the Safeguards Rule apply only to computer data?

No. The rule applies to all “customer information” “whether in paper, electronic, or other form that is handled or maintained by” a financial institution or its affiliates. (16 CFR 314.2)

Can I get a copy of my financial institution’s written security plan?

Very unlikely. Most companies would consider this proprietary or confidential commercial data. Public disclosure of a company's security plan could actually jeopardize data security. Many companies include general statements about security in the annual privacy notice you receive under the privacy provisions of GLB. However, these notices will not give you a detailed description of a company’s data security plan.

Does the Safeguards Rule always apply when I supply personal information?

No. The rule only applies to “customers” of a financial institution. You are a “customer” if you have an “ongoing” relationship with the company. Supplying personal information alone is not enough to make you a customer.

For example, you may cash a check or make an ATM withdrawal from a bank where you do not have an account. To complete the transaction, you will probably have to supply your account number, your personal identification number (PIN), and possibly even your driver’s license number or other identifying information.

It makes no difference whether these transactions are a one-time event or you cash your checks at the same place every week. If you do not have an ongoing relationship with the company that cashes your checks – meaning you don’t have an established account – you are what GLB calls a “consumer.” But you are not a “customer” whose data is covered by the security requirements.

Am I a “customer” or “consumer” of my former financial institution?

“Once a customer, always a customer” does not apply when it comes to data security. If your account is closed, you no longer have an “ongoing” relationship. This makes you a consumer.

I am a small business owner. Does the Safeguards Rule apply to my account?

No. GLB applies only to financial products or services obtained for “personal, family, or household use.” Commercial uses are not covered, even if you are a sole proprietor where the lines between personal and business data are often blurred.

4. Pretexting

Pretexting occurs when someone gains access to your personal information through false pretenses. Another person may want your personal financial information for any number of reasons. Another term for pretexting is “social engineering.” Here are just some of the ways your information could be used against you:

  • Your bank account could be depleted.
  • Your information could be sold to a shady data broker.
  • The information could be used by an identity thief.
  • The information could be used against you in court or for an investigation.

GLB includes a specific section that prohibits fraudulent access to your financial information. The pretexting section applies if someone calls you and tricks you into giving personal information, or calls someone else such as your bank. It also applies if someone uses a forged or stolen document to get your information. (15 USC, Subchapter II, Sec. 6821-6827)

The law includes civil as well as criminal penalties for one who uses false pretenses to get your personal financial information.

Am I at risk for pretexting?

No one is immune. However, there are certain life situations in which you could be more vulnerable than others to pretexting. Here are just a few questions you can ask to assess your risk level:

  • Am I a public figure such as a politician or entertainer?
  • Am I a spokesperson for a highly controversial public policy issue?
  • Do I have considerable personal wealth?
  • Am I engaged in a high-stakes court battle or a nasty divorce where significant sums of money and/or child custody are involved?
  • Am I an executive or researcher of a company in a highly competitive environment, one that is involved in developing cutting-edge products or services?

If you’ve answered “yes” to any of these scenarios, you could be vulnerable to pretexting, where your financial account information is unwittingly made available to a clever imposter.

What can I do to protect myself against pretexting?

  • Don't give out personal information on the phone, through the mail, or over the internet unless you've initiated the contact or know whom you're dealing with. Pretexters may pose as representatives of survey firms, banks, internet service providers, and even government agencies to get you to reveal your SSN, mother's maiden name, financial account numbers, and other identifying information. Legitimate organizations with which you do business already have the information they need and will not ask you for it.

  • Pay attention to your statement cycles. Review your statements carefully and promptly. Report any discrepancies to your institution immediately in writing.

  • Alert family members to the dangers of pretexting. Explain that only you, or someone you authorize, should provide personal information to others.

  • Keep items with personal information in a safe place. Shred any documents containing sensitive information.

  • Use unique and complex passwords on all of your online accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers.

  • Be mindful about where you leave personal information in your home, especially if you have roommates or are having work done in your home by others.

5. Resources

Federal Law

    Government Publications

    The Privacy Rights Clearinghouse developed this guide with funding from
    the Rose Foundation Consumer Privacy Rights Fund.

    Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.