
Virtru Security Insights


GLBA Compliance – A Quick Guide to Gramm-Leach-Bliley and Financial Data Encryption

January 6, 2015

As we saw with last summer’s massive hack of JPMorgan Chase and other banks, cybercriminals have a huge appetite for financial data — and the wherewithal to get it.

Because of the massive damage that such breaches can cause (the hackers responsible for the JPMorgan Chase attack reached records for more than 80 million households and small businesses), businesses that handle financial data face an understandably high level of scrutiny when it comes to information security.

One safeguard protecting customers is the Gramm-Leach-Bliley Act (GLBA). Instituted in 1999, the GLBA established measures to hold financial institutions responsible for the privacy of their clients’ data. This guide will brief you on the basics of GLBA compliance, from security best practices to the consequences of GLBA violations.

The Gramm-Leach-Bliley Act: A Primer

The GLBA applies to “financial institutions,” a term that covers any business significantly engaged in financial activities, from mortgage lenders to car dealers that arrange financing. In general, if your business deals in loans, debt collection, real estate settlement, tax preparation or financial advice, then the GLBA likely applies to you. Even if your business only loosely touches the financial sector (for instance, if you provide career counseling to people seeking jobs in financial services), you may still have to be GLBA compliant.

Most customers are familiar with GLBA compliance in the form of privacy notices. Each year, businesses must send their customers a notice describing what nonpublic personal information they collect, whether and with whom they share it, and how they protect it. Even if nothing has changed, the bank is still obligated to tell you how it safeguards your data, and the notice must explain your right to opt out of having that data shared with nonaffiliated third parties (sharing is restricted and subject to opt-out, not prohibited outright).

Of course, GLBA compliance isn’t just about publishing a long privacy policy and honoring opt-outs; it’s also about protecting the data. The GLBA’s Safeguards Rule requires every covered business to maintain a written information security program with administrative, technical and physical safeguards appropriate to its size and the sensitivity of the customer information it holds.

Information Security and GLBA Compliance

The FTC’s Bureau of Consumer Protection recommends a number of practices to ensure the privacy of customer financial data and maintain GLBA compliance. These include running thorough background checks on employees who will handle customer data, and giving access to sensitive data only to those who need it, only when they need it. Passwords should be strong and changed whenever compromise is suspected, and they should never be written down or kept in plaintext files or spreadsheets where an intruder can harvest them (in other words, don’t be Sony).

When it comes to GLBA compliance, where and how you store financial data matter deeply. While cloud storage is an easy alternative for many things, one should proceed cautiously with storing sensitive financial data in the cloud. If it absolutely has to be stored off-site, it should be in a location with strict data security protocols.

The Importance of Data Encryption

Encryption is another important aspect of protecting the security of financial data. When data is encrypted, it can’t be read by anyone who does not hold the key to decrypt it. Not only does this keep prying eyes from snooping on your clients’ information, but it also protects your business should that same data fall into the wrong hands: a stolen backup, laptop or database dump is useless to a thief who has the ciphertext but not the key. Depending on the breach notification rules you are subject to, you may still have to report the incident to your customers, but you would be able to assure them that their data remains protected by encryption, and many state breach laws exempt properly encrypted data from notification altogether. The caveat is that this only holds if the key was not taken along with the data, so keys must be stored and managed separately from the systems that hold the encrypted records.
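As an added example (not code from the original post or from Virtru), here is what encrypting a customer record at rest with AES-256-GCM looks like in Go, using only the standard library. The sample record and the “customer:1042” context string are constructed for illustration. The code assumes the 32-byte key lives somewhere the storage tier cannot read (a KMS or HSM is the usual choice; here it is simply generated in memory). The example goes slightly beyond the paragraph: it shows that a wrong key, a changed context string, or a single flipped ciphertext byte all cause decryption to fail rather than return garbage, which is the integrity guarantee authenticated encryption adds on top of confidentiality.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 32-byte AES-256 key from the OS CSPRNG.
// Assumption: in production this key is fetched from a KMS/HSM, never
// stored beside the ciphertext it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted; binding the record's identity to
// the ciphertext stops an attacker from swapping one customer's blob for another's.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM, so it is generated here and never supplied by the caller.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice: nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the key, the aad,
// the nonce, the ciphertext or the tag makes Open return an error.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real customer data.
	record := []byte(`{"customer_id":1042,"account":"****9811","balance":"18250.40"}`)
	aad := []byte("customer:1042")

	blob, _ := Encrypt(key, record, aad)
	fmt.Printf("stored %d bytes; plaintext visible in blob: %t\n",
		len(blob), bytes.Contains(blob, []byte("9811")))

	if pt, err := Decrypt(key, blob, aad); err == nil {
		fmt.Printf("decrypt with correct key: %s\n", pt)
	}
	wrongKey, _ := NewKey()
	_, err := Decrypt(wrongKey, blob, aad)
	fmt.Println("decrypt with wrong key:", err)

	_, err = Decrypt(key, blob, []byte("customer:9999"))
	fmt.Println("decrypt bound to a different customer:", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, tampered, aad)
	fmt.Println("decrypt after tampering:", err)
}
```

The property the paragraph relies on, that a stolen blob is unreadable, is only as strong as the separation between `blob` and `key`; if an attacker with database access can also read the key material, encryption at rest buys nothing.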

The Bureau of Consumer Protection recommends encryption not only for data storage, but also for email. Email is the primary medium for exchanging information with clients and partners, but as we’ve seen recently, unprotected email can put an entire enterprise at risk. Virtru not only provides client-side email encryption, but also gives you the ability to control who has access to that secure email message or attachment and revoke access at any time. Ensuring digital privacy for financial information not only helps with GLBA compliance, but improves customer trust and reduces the risk of a devastating hack.

The Consequences of Noncompliance

Not maintaining GLBA compliance is dangerous on every level for your business. For one, GLBA violations carry hefty penalties: fines of up to $100,000 per violation for the institution, with individual officers and directors exposed to fines of their own and, in the most serious cases, imprisonment for up to five years.

While those penalties are enough to scare most businesses into compliance, the costs of a GLBA violation go beyond paying legal fines and providing credit monitoring services. If your privacy policies don’t go far enough to protect your customers’ data, those customers might consider taking their business elsewhere.

In 2015, the threat to data security is only growing. Attackers are becoming savvier, and the difference between a secure environment and a major data breach can be as small as someone walking out of your building with a thumb drive. GLBA compliance, like all data security measures, comes down to ensuring that sensitive data can only be read by those authorized to read it. Know the law, and make sure your infosec team has the tools and procedures to lock down your data; you never find out how much your security investment was worth until it’s too late.