Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data and to disclose their information-sharing practices to customers. Under this U.S. law, financial entities must establish security controls that protect customer information from events threatening its security, confidentiality and integrity. This includes strict access controls on financial information to reduce the chance of unauthorized access and compromise. Compliance guidance commonly points to the NIST Cybersecurity Framework (CSF) as a reference for these controls.

Is Complying with GLBA Mandatory?

GLBA compliance is mandatory for all U.S. organizations that sell, consult on or advise about financial products or services. The FTC interprets this broadly: it covers everything from buy-here-pay-here car dealers to charities that make short-term loans to help people out. The FTC also includes tax consultants, tax preparers and just about anyone else who handles money matters while collecting your personal information.

The organizations that must comply with GLBA include those that:

  • Sell financial products or services, for example:

    • check-cashing businesses

    • payday lenders

    • mortgage brokers

    • nonbank lenders

    • personal property or real estate appraisers

    • professional tax preparers

    • courier services

  • Offer loans or otherwise extend credit to someone, whether through a retail installment contract, in connection with a purchase or lease, or by arranging for someone else to finance, purchase or lease. Examples include:

    • car dealers

    • furniture stores

    • charities

  • Offer financial or investment advice, for example:

    • accountants

    • financial advisors

    • tax consultants

    • brokers

    • those who sell insurance products

    • business coaches

    • financial planners

What are the penalties for not complying with GLBA?

There are separate penalties for non-compliance, applicable to the violating organization and its officers and directors.

The penalties for violating organizations are:

The penalties for violating officers and directors are:

  • A civil penalty of up to $10,000 per violation.

  • Imprisonment for up to 5 years.