The Gramm-Leach-Bliley Act (GLBA) aims to protect consumers’ personal financial information while allowing financial institutions to innovate and offer a variety of services. Its privacy and security provisions are critical in ensuring that consumer data is handled responsibly and securely.
In 2018, SunTrust experienced a data breach where an ex-employee stole and potentially shared information about 1.5 million clients. The breach raised significant concerns about the bank’s compliance with the Safeguards Rule under GLBA. While specific penalties under GLBA were not highlighted, the incident emphasizes the importance of internal controls and security measures.
In June 2023, the FTC implemented updated requirements within the GLBA Safeguards Rule to help bolster security and keep pace with evolving technologies and risks.
Common GLBA violations typically revolve around failures to adequately protect consumer information and comply with the Act’s various provisions. Some common GLBA violations include:
-
Failure to Implement Adequate Safeguards
Organizations may be cited for not implementing reasonable security measures to protect sensitive consumer information. This could include the absence of encryption or Multi-Factor Authentication (MFA), weak password policies, unmanaged laptops/workstations, or insufficient access controls.
-
Lack of Written Information Security Plan
GLBA requires financial institutions to develop and maintain a written information security plan detailing their policies and procedures for protecting customer information. Violations occur when institutions fail to create or update such a plan, or when the plan does not meet minimum requirements.
-
Unauthorized Disclosure of Consumer Information
Financial institutions may violate GLBA if they disclose consumer information to unauthorized parties, either intentionally or inadvertently. This could happen through data breaches, improper sharing of information with third-party vendors, or employee misconduct/non-compliance with policy.
-
Inadequate Privacy Notices
GLBA mandates that organizations provide customers with clear and accurate privacy notices explaining their information-sharing practices. Violations occur when institutions fail to provide these notices, provide incomplete or misleading information, or do not allow customers to opt out of certain information-sharing practices.
-
Insufficient Employee Training
GLBA requires financial institutions to train their employees on how to protect consumer information and comply with the Act’s requirements. Violations can happen if institutions fail to provide adequate training or if employees do not understand their responsibilities under GLBA. Learn more about CampusGuard’s GLBA training course for your staff.
-
Inadequate Oversight of Third-Party Service Providers
Organizations often work with third-party vendors to handle various aspects of their operations. Violations of GLBA can ensue if institutions fail to properly vet these vendors for their security practices or if they do not have adequate contracts in place to ensure that vendors protect consumer information.
-
Failure to Conduct Risk Assessments
GLBA requires institutions to periodically assess the risks to consumer information in their possession and implement safeguards to mitigate those risks. Failing to conduct these regular risk assessments or not taking appropriate action based on the results can result in a violation. It is also important to formally log results in a documented risk register.
-
Delayed or Inadequate Response to Data Breaches
GLBA requires institutions to have procedures in place to respond to data breaches promptly and effectively. The updated Safeguards Rule reporting requirement took effect on May 13, 2024, and requires institutions to notify the FTC no later than 30 days after discovery of a breach involving the information of at least 500 consumers. Violations occur if institutions fail to detect breaches promptly, delay notifying affected customers or regulators, or fail to take appropriate steps to mitigate the impact of the breach.
RELATED: How to Prepare for a GLBA Audit
Penalties for violations can vary depending on the severity and frequency of the infractions and may include fines, regulatory enforcement actions, or civil lawsuits. Having a robust compliance program in place helps to ensure your organization will meet GLBA requirements and protect consumer information effectively.
Contact the GLBA experts at CampusGuard to complete an assessment of your GLBA program and offer guidance to help you meet and achieve GLBA compliance.
