The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, repealed laws that prevented the merger of banks, brokerage companies and insurance companies. Because that repeal increased the risk that financial institutions would have access to more personal information, the Act also added privacy protections that required all financial institutions to provide privacy notices to their customers and to put measures in place to safeguard customers’ personal information.
A Brief History
Congress Passed the Gramm-Leach-Bliley Act
GLB repealed the sections of the Glass-Steagall Act that prohibited banks from affiliating with securities companies, and the sections of the Bank Holding Act that prohibited banks from conducting insurance activities. It also provided limited privacy protections for the use of private information by financial institutions and required safeguards for that information.
The Federal Trade Commission Issued the Safeguards Rule
The Safeguards Rule implemented GLB by requiring financial institutions subject to Federal Trade Commission (FTC) jurisdiction to establish information security programs with administrative, technical and physical safeguards.
Congress Passed the Dodd-Frank Wall Street Reform and Consumer Protection Act
The Dodd-Frank Wall Street Reform and Consumer Protection Act transferred primary rulemaking authority for GLB’s privacy protections from numerous regulatory agencies to the Consumer Financial Protection Bureau (CFPB).
Who Must Comply
The GLB Privacy Rule applies broadly to financial institutions that are significantly engaged in financial activities and that provide services to individuals (rather than businesses). Such activities include
- lending, exchanging, transferring, investing for others or safeguarding money/securities
- providing financial, investment or economic advisory services
- brokering loans
- servicing loans
- debt collecting
- providing real estate settlement services
- career counseling for individuals seeking employment in the financial services industry
The GLB Safeguards Rule applies to all financial institutions over which the FTC has jurisdiction.
The GLB Privacy Rule only applies to nonpublic personal information (NPI), including
- personal information a person provides to obtain a financial product or service, such as
  - Social Security number
  - other information on an application
- transaction information, such as
  - account numbers
  - payment history
  - loan/deposit balances
  - credit/debit card purchases
- information from court records or consumer reports
The GLB Privacy Rule requires financial institutions to provide their customers with a privacy notice that describes
- the types of NPI the financial institution collects and how it uses that information
- the right to opt out to prevent the financial institution from sharing NPI with certain third parties
- a description of the safeguards the financial institution uses to protect NPI against unauthorized access
The GLB Safeguards Rule requires financial institutions subject to FTC jurisdiction to develop a written information security plan addressing how they
- ensure the security and confidentiality of customer data
- protect against any threats to the security of customer data
- protect against unauthorized access to customer data
The Safeguards Rule also requires financial institutions to designate an employee or employees to coordinate their security programs, to assess risks to consumer data and to test/monitor safeguards.
GLB also prohibits pretexting (someone trying to gain access to your NPI without proper authority). This includes requesting a person’s private information while impersonating them by phone, mail or email.
The CFPB has primary rulemaking and enforcement authority over the privacy provisions of GLB. While there is no private right of action for violations, the FTC and other federal banking agencies may bring enforcement actions against violators. Individual states are responsible for issuing regulations and enforcing the law for insurance companies. GLB also does not preempt states from enacting more protective laws (except to the extent that they are inconsistent with it).