GLBAGramm-Leach-Bliley Act
We advise your organization on its relationship to the GLBA, assess your information security needs, and establish steps toward GLBA compliance
GLBA Updated Safeguards Rule
The FTC’s revised Safeguards Rule is designed to help organizations ensure the security and confidentiality of customer information and protect against anticipated threats or unauthorized access to sensitive data.
CampusGuard is eager to help your organization understand how the GLBA and the updated Safeguards Rule apply to your environment and identify next steps in building an information security program to meet your organization’s ongoing compliance requirements.
Comprehensive GLBA Risk Assessments
All financial institutions are required to be compliant with the GLBA. For campus and community-based organizations with many end users and multiple payment systems and applications, it can be difficult to keep track of all the data that you are required to protect. We’ve got you covered with our GLBA Compliance Assessment.
CampusGuard's GLBA Compliance Assessment
Our goal for the assessment is to identify and analyze areas of risk, understand the impact of third party services, and evaluate the sampled areas against the appropriate industry-recognized information security frameworks. We will gauge your organization’s compliance with these key cybersecurity elements of the GLBA Safeguards Rule:
-
A documented information security program
-
Designated employee(s) to coordinate the program
-
Identify reasonably foreseeable internal and external risks to data security via formal, documented risk assessments
-
Employee training and management
-
Information systems, including network and software design, as well as information processing, storage, transmission, and disposal
-
Control the risks identified, by designing and implementing information safeguards and regularly test/monitor their effectiveness
Access the Higher Ed Guide to Achieving GLBA Compliance
Our GLBA Guide is designed to help higher education institutions understand how the GLBA and the updated Safeguards Rule apply to campus environments, and how best to meet the new compliance requirements which took effect June 9, 2023. The guide will help your institution effectively structure your information security program with tools to:
- Clarify GLBA impact and who it applies to
- Identify the information and systems in scope
- Outline best practices for protecting customer information
- Specify written information security program requirements
- Pinpoint the next steps with a GLBA Compliance Checklist
- Understand the benefits of GLBA Compliance
- Learn more about CampusGuard’s GLBA online training course and assessment services
- Access additional resources, such as case studies and blog articles that provide GLBA guidance and insight
Why Choose CampusGuard?
At CampusGuard, our assessment methodology is designed specifically for complex, campus and community-based organizations. Our GLBA experts work directly in partnership with your organization to help you understand the requirements, identify vulnerabilities, and report recommended steps for remediation.
Explore Our GLBA Video Series
Looking for more insight into GLBA requirements, new updates, and how to prepare your organization for an audit? Watch our must-see GLBA Video Series to learn more actionable steps to help you achieve and maintain GLBA compliance.
Preparing for a GLBA Audit
For a successful GLBA audit, your organization can enhance its preparation by focusing on a few crucial areas. Watch the video to learn what steps your organization needs to take to achieve and maintain GLBA compliance.
GLBA Compliance FAQs
In this video, CampusGuard discusses the GLBA and your most frequently asked questions (FAQs). We’ll discuss the basics of GLBA, the requirements, GLBA compliance and risk assessments, preparing for a GLBA audit, and other common questions related to GLBA compliance.
Updates to the GLBA Safeguards Rule
The GLBA Safeguards Rule requires financial institutions to establish a comprehensive information security program tailored to their size, complexity, and activities in order to ensure the confidentiality and integrity of the customer data they use and store.
The latest updates to the Safeguards Rule outline more prescriptive requirements, potentially affecting GLBA programs that were previously considered compliant.
What Is the GLBA?
Learn what the Gramm-Leach-Bliley Act (GLBA) is, who it applies to, the different rules that make up the GLBA, penalties for non-compliance, and how an assessment will benefit your team by analyzing your areas of risk, impact of third-party services, and more.
GLBA Awareness Training Course
CampusGuard’s GLBA Awareness Training Course is designed to help your organization and staff safeguard sensitive personal information and prevent potential data breaches. The training provides an overview of the GLBA Privacy Rule and new requirements from the updated FTC Safeguards Rule.
Related Products and Services
Simplify Your Safeguards
Protecting the nonpublic personal information of your customers can be achieved through a GLBA Compliance Assessment with CampusGuard.
"We have been working with CampusGuard for the past six years and their services have been invaluable. Our Chief Strategy and Technology Officer, Chris Boniforti, had a vision to increase IT Security and awareness at the university and the first step toward that was for us to formalize a PCI program and align with NIST standards. CampusGuard was instrumental in helping us achieve his goals. They helped us complete a PCI Assessment, which eventually helped us build our PCI compliance program. Next, we added a GLBA Compliance assessment, GDPR brainstorm sessions, review and updating of University IT Security policies and most recently an external penetration test.”
GLBA Frequently Asked Questions
The Gramm-Leach-Bliley Act (GLBA) is a federal law in the US that aims to protect the privacy of consumer financial information by requiring financial institutions to inform customers about their information-sharing practices and to allow customers to opt-out of certain types of information sharing. It also requires financial institutions to establish safeguards to protect the security and confidentiality of customer information.
The GLBA applies to a wide range of financial institutions, including banks, securities firms, insurance companies, and other financial service providers. It is enforced by several federal agencies, including the Federal Trade Commission (FTC) and the Federal Reserve Board.
The GLBA applies to a wide range of financial institutions, including:
- Banks and credit unions
- Securities firms, including broker-dealers, investment companies, and investment advisors
- Insurance companies, including life, health, and property and casualty insurers
- Mortgage brokers, loan servicers, and other non-bank lenders
- Financial service providers, including check-cashing and money-transmission businesses
- Any other entity that provides financial products or services to consumer
GLBA applies to both large and small financial institutions, and compliance is required regardless of the size of the institution.
The GLBA has three main rules that financial institutions must comply with to protect the privacy and security of customer information. These rules include:
- Financial Privacy Rule: This rule requires financial institutions to provide customers with a privacy notice that explains what information is collected, how it is used, and how it is shared. Financial institutions must also provide customers with the opportunity to opt-out of sharing their non-public personal information with third parties.
- Safeguards Rule: This rule requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the confidentiality, integrity, and availability of customer information. The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities.
- Pretexting Protection Rule: This rule prohibits the practice of pretexting, which is when someone uses false pretenses to obtain customer information from a financial institution. Financial institutions must have procedures in place to verify the identity of any person requesting customer information, and they must report any unauthorized attempts to obtain customer information to the appropriate authorities.
According to the FTC Safeguards Rule, there are numerous components that financial institutions must consider when developing their information security program. These include:
- Risk Assessment: Financial institutions must identify and assess the risks to customer information in their possession.
- Security Program: They must develop a written information security program to address the identified risks. This program should outline the procedures and measures in place to protect customer information.
- Designate a Coordinator: Appointing an individual or team responsible for coordinating and overseeing the information security program is necessary.
- Employee Training: Training employees to implement the information security program effectively and maintain the security of customer information is crucial.
- Access Controls: Implementing access controls to limit access to customer information to authorized individuals only.
- Service Provider Oversight: Financial institutions need to evaluate the security practices of their service providers who have access to customer information and ensure they implement appropriate safeguards.
- Regular Monitoring and Testing: Ongoing monitoring and periodic testing of the information security program are necessary to identify vulnerabilities and address them promptly.
- Adjustments and Updates: The information security program should be regularly reviewed, updated, and adjusted in response to changes in technology, the sensitivity of customer information, and other factors.
- Incident Response and Recovery: Establishing a plan to respond to and recover from security incidents involving customer information, including notifying affected individuals when necessary.
While the specific requirements may vary depending on the size and complexity of the financial institution, these components generally form the foundation of a comprehensive information security program under the Safeguards Rule. CampusGuard is ready to assist your organization in meeting GLBA compliance. Let us know how we can help!
West Virginia University Achieves GLBA Compliance Partnering with CampusGuard
Learn how CampusGuard's remediation strategies enabled WVU to make decisions about security-related initiatives to accept, reduce, or eliminate risks. They also support longterm strategic risk management activities to ensure the protection of NPI.
View the Case Study about the West Virginia University Achieves GLBA Compliance Partnering with CampusGuard