Inquesta
Risk Intelligence & Solutions

Financial information protection

Engage Inquesta to review and update an existing GLBA program, or to institute a new, turn-key program that includes all the policies, procedures, controls and personnel training needed.

The Gramm-Leach-Bliley Act (GLBA) is a comprehensive federal law that requires that "covered" financial institutions develop, implement, and maintain administrative, technical, and physical safeguards to protect customers’ financial information.
Covered businesses are entities that regularly provide financial products (brokerage, credit or loans) or financial services (making, acquiring, brokering, collecting, or servicing loans) to consumers, such as

  • universities
  • banks
  • investment companies
  • insurance companies
  • professional tax preparers
  • mortgage brokers
  • credit counselors
  • payday lenders
  • state-registered investment advisors
  • auto dealers engaged in financing or leasing
  • electronic funds transfer networks
  • real estate settlement companies
  • retailers that issue credit cards to consumers
  • consumer debt collection agencies
  • check-cashing businesses

The GLBA has three principal parts:

  • Financial Privacy Rule that requires privacy notices and “opt-out” features.
  • Safeguards Rule that requires administrative policies and procedures; information technology system security, encryption, controls and protections; and physical safeguards and procedures to report and mitigate actual or suspected breaches.
  • Pretexting Protection to prevent unauthorized people from acquiring personal financial information through fraud or deception.

Covered businesses should keep in mind that

  • compliance is not an IT-only project;
  • you need to get your security policies in order;
  • potential risks need to be continually identified;
  • non-public and public information must be protected;
  • you need to manage your vendors (third parties);
  • data must be encrypted in storage and in transit;
  • data you don't need should be destroyed; and
  • annual privacy policy information should include more than a web page.