How the Gramm-Leach-Bliley Act governs data security practices

Enacted by Congress in 1999, the Gramm-Leach-Bliley Act (GLBA) initially addressed modernizing the financial industry. It also laid out privacy and security requirements for financial institutions managing information on behalf of their customers. While the GLBA scope is expansive, this article centers on its regulation of data security practices and how an enterprise-wide password manager facilitates compliance.

According to the Federal Trade Commission (FTC), the GLBA “requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.” The FTC then goes on to explain the GLBA “Safeguards Rule”, a component of the Act. The Safeguards Rules “requires covered companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”

On June 9, 2023, new amendments to the Safeguard Rule went into effect. In a comprehensive article about the changes, Reuters describes the amended Safeguards Rule as “a more prescriptive approach” that “acknowledges that comprehensive information security programs must account for the size and complexity of users/organizations, nature and scope of the activities, and sensitivity of any customer information.”

The Reuters article further defines the amendments. While we encourage you to read through all of the requirements, at a high-level they encompass the following:

• Designating qualified security individuals: An individual - either internal or a third party - must be responsible for overseeing a covered financial institution’s information security plan

• Risk assessments: Financial institutions holding customer information for 5K customers or more must conduct risk assessments

• Access restrictions: Financial institutions must be able to demonstrate they can limit user (employee) access to customer information

• Encryption: Customer information must be encrypted in transit and at rest

• Training: All employees must be offered security training

• Incident Response Plans: Financial institutions holding customer information for 5K customers or more must have an incident response plan in place

• Periodic Assessments: Financial institutions holding customer information for 5K customers or more must be able to demonstrate they can assess the effectiveness of their data security practices and potential threats; this may be through strategies such as penetration testing

• Data minimization: Financial institutions must be able to show they have a strategy for minimizing customer data that hasn’t been used or accessed in over two years

FTC notes and Section 314.2(h) lists example entities including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.

Also included in this list - and added as part of the Safeguards Rule amendments - are ‘finders’. Finders are defined as “a company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate…acting as a finder is an activity that is financial in nature.”

With such a broad definition in place, it’s likely some businesses that previously sat outside GLBA regulation will now find themselves - as ‘finders’ - in the position of needing to develop an information security program that protects customer information. They may include car dealerships, furniture stores, and other companies offering third-party financing. 

In reviewing the GLBA Safeguards Rule amendments, it’s clear the federal government wants to hold financial institutions accountable for protecting customer information from internal and external theft and interference. When considering this, the need for financial institutions to implement an enterprise-wide password management program becomes abundantly clear. 

By enabling employees to create, manage, and store strong and unique passwords, a password management system such as Bitwarden helps mitigate the risk of data breaches caused by weak and reused passwords. Bitwarden secure sharing tools allow employees to share and manage sensitive data across their team and throughout the organization. Bitwarden is encrypted end-to-end, user-friendly, and available cross-platform and across browsers. Bitwarden also offers two-factor authentication (2FA), which strengthens user security for websites and applications by utilizing a second method (the first being the password) to verify identity. For employees handling sensitive customer information, the extra layer of protection offered by two-factor/multi-factor authentication is an absolute must.

Simply deploying password management software across a financial institution isn’t enough to meet the needs of the GLBA Safeguards Act; as the above explanation makes clear, there are a number of information security strategies that should be implemented. But, requiring employees to uniformly utilize an enterprise-wide password manager is a necessary first step and one that will go far in fostering a security-centric (and hopefully, GLBA-compliant) culture.

Ready to simplify your security with a password management solution? Get started with a free business trial to help your team stay safe online, or quickly sign up for a free individual account.