Gramm-Leach-Bliley Act (GLBA)
I. PURPOSE
The Gramm-Leach-Bliley Act (GLBA) is a federal law that imposes on “each financial institution . . . an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In fulfilling this purpose, GLBA established (1) a “Privacy Rule” that requires financial institutions to provide notice of their information sharing practices to customers and gives customers the right to “opt out” of certain information sharing practices; and (2) a “Safeguards Rule” that requires financial institutions to have specific measures in place to keep customer information secure.
II. HISTORY
In response to the financial failures of the Great Depression, Congress passed the Glass-Steagall Act in 1933 to prohibit commercial banks from affiliating with securities companies. Subsequent acts and revisions resulted in many American banks with unregulated privacy standards and a lack of consumer protection against unwanted information sharing. After a series of high-profile cases involving banks selling consumer information with adverse consequences for customers—including credit fraud and identity theft—GLBA was introduced by Senator Phil Gramm and Representative James Leach. GLBA was signed by President Bill Clinton on November 12, 1999. The Federal Trade Commission (FTC) has promulgated implementing regulations under the GLBA, including regulations governing (1) the Privacy Rule, which took effect on July 1, 2001 and were recently amended in 2009; and (2) the Safeguards Rule, which took effect on May 23, 2003. The Consumer Financial Protection Bureau (CFPB) also has adopted implementing regulations with respect to entities under its jurisdiction.
III. APPLICABILITY TO BYU–HAWAII
Any institution that is “significantly engaged in financial activities” is considered a “financial institution” that is subject to GLBA. “Financial activities” are broadly defined, encompassing things such as “lending, exchanging, transferring, investing for others, or safeguarding money.” GLBA does not apply to all information collected in business or commercial activities. For example, “a retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.”
“The FTC has made it clear that it considers educational institutions to be ‘financial institutions’ subject to its jurisdiction for purposes of GLBA.” Further, the Department of Education (ED) requires universities to comply with GLBA in their Program Participation Agreements. On July 1, 2016, ED issued a Dear Colleague Letter with guidance on universities’ GLBA compliance obligations.
BYU–Hawaii likely would be considered a “financial institution” because the university engages in financial activities with, and collects and maintains financial information about, students and others. These activities include, for example, administering student loans and other financial aid programs. Also, BYU–Hawaii has entered into a Program Participation Agreement, through which BYU–Hawaii expressly agreed to comply with the Safeguards Rule under GLBA.
IV. REQUIREMENTS
GLBA establishes two general rules governing financial institutions: (1) the Privacy Rule and (2) the Safeguards Rule. As outlined below, universities are deemed compliant with the Privacy Rule if they comply with the Family Educational Rights and Privacy Act (FERPA). However, universities are not exempt from the Safeguards Rule.
A. Privacy Rule
Under the Privacy Rule, financial institutions are required to do the following to protect consumer financial information:
- Provide annual notice to customers about the institution’s privacy policies and practices;
- Describe the conditions under which the institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
- Provide a method for consumers to opt out of personal information disclosures to most nonaffiliated third parties.
The FTC suggests that a business determine if the company’s clients are consumers or customers. A consumer is any individual who obtains or has obtained a financial product or service from the institution that is used primarily for personal, family, or household purposes, or that individual’s legal representative. A customer, however, is a consumer who has a continuing customer relationship with a financial institution.
The distinction between consumer and customer is important because only customers are entitled to receive a financial institution’s privacy notice every year for as long as the customer relationship lasts. On the other hand, financial institutions must provide consumers with a privacy notice only if the financial institution shares the consumers’ information with nonaffiliated third parties.
Because institutions of higher education must already comply with FERPA regulations, an exhaustive list of privacy requirements is not included in this research memo. Once again, a university that complies with FERPA and its regulations is deemed to have met the Privacy Rule of GLBA.
B. Safeguards Rule
The Safeguards Rule of GLBA sets forth “standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” These provisions apply not only to customers with whom a university has a customer relationship, but also to customers of other financial institutions that have provided such information to a university.
To comply with GLBA, an institution must develop, implement, and maintain a comprehensive information security program. This program must be written in one or more readily accessible parts and must contain administrative, technical, and physical safeguards appropriate for the size, complexity, nature, and scope of the financial institution’s activities. The purpose of establishing and maintaining an information security program is to: “(1) insure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”
1. Required Elements of an Information Security Program
To establish a GLBA-compliant information security program, a financial institution must do the following:
- Designate Coordinator(s): Designate an employee or employees to coordinate the institution’s information security program.
- Identify Risks: Identify internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
- Assess: Assess the sufficiency of any safeguards in place to control the internal and external risks, including, at a minimum, consideration of risks in each relevant area of the institution’s operations, including (a) employee training and management; (b) information systems, including network design, software design, information processing, storage, transmission, and disposal; and (c) detecting, preventing, and responding to systems failures.
- Design Safeguards: Design and implement information safeguards to control the risks identified through the risk assessment.
- Test: Regularly test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- Evaluate: Evaluate and adjust the information security program pursuant to the required testing and monitoring, material changes to the operation or business arrangements, or any other circumstances that may have a material impact on the information security program.
- Oversee service providers: A financial institution must select and retain service providers capable of maintaining appropriate safeguards for the customer information at issue. This includes requiring the service providers by contract to implement and maintain such safeguards. A service provider includes any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution.
2. FTC Recommended Best Practices
In addition to the above required elements of an information security program, the FTC also recommends numerous other procedural and technological best practices for an information security program, including the following, among others:
- Limit data access to those employees with a need to know.
- Require employees to use strong passwords that must be changed on a regular basis.
- Develop policies for appropriate use and protection of laptops, cell phones, and other mobile devices.
- Train employees to take basic steps to maintain the security, confidentiality, and integrity of data.
- Impose disciplinary measures for security policy violations.
- Take appropriate measures to prevent terminated employees from accessing data.
- Take steps to ensure the secure transmission of data (e.g. SSL, encryption).
- Dispose of customer information in a secure way, including when disposing of electronic devices.
- Take appropriate steps to prevent cybersecurity attacks (e.g. intrusion detection system, activity logs, monitoring large data transmission, use of dummy accounts).
- Quickly diagnose and respond to security incidents, including securing data in the event of a breach and possibly notifying consumers, law enforcement, and/or businesses of such breach.
- Maintain up-to-date programs and controls (anti-virus and anti-spyware software, firewalls, etc.).
- Use appropriate oversight and audit procedures to detect improper disclosure and theft of data.
3. NIST Standards Strongly Encouraged by ED
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, has developed its own information security standards in NIST Special Publication 800-171 (NIST Standard). The NIST Standard contains recommended federal data security requirements for what is known as “controlled unclassified information”—generally any non-public information that is not considered classified. In a Dear Colleague Letter regarding the application of GLBA to institutions of higher education, the U.S. Department of Education “strongly encourage[d]” institutions of higher education to comply with the NIST standard. Also, certain federal contractors who enter into agreements with the U.S. Department of Defense are required to comply with the NIST standard by no later than December 31, 2017. These NIST Standards include specific requirements for each of the following categories:
1. Access Control Requirements—limit information system access to authorized users.
2. Awareness and Training Requirements—ensure that system users are properly trained.
3. Audit and Accountability Requirements—create information system audit records.
4. Configuration Management Requirements—establish baseline configurations and system inventories.
5. Identification and Authentication Requirements—identify and authenticate users appropriately.
6. Incident Response Requirements—establish an operational incident-handling capability and track, document, and report incidents.
7. Maintenance Requirements—perform appropriate maintenance on information systems.
8. Media Protection Requirements—protect media, both paper and digital, containing sensitive information.
9. Personnel Security Requirements—screen individuals prior to authorizing access.
10. Physical Protection Requirements—limit physical access to systems.
11. Risk Assessment Requirements—conduct regular risk assessments.
12. Security Assessment Requirements—assess security controls periodically and implement action plans.
13. System and Communication Protection Requirements—monitor, control, and protect communications.
14. System and Information Integrity Requirements—timely identify, report, and correct information flaws.
V. PENALTIES
While GLBA itself establishes no private right of action, “to the extent the Safeguards Rule is interpreted as imposing a general duty on educational institutions to safeguard covered financial information, it may prove relevant in actions brought under general negligence law [and other] theories in response to failures to maintain the confidentiality of such information.”
The FTC is generally authorized to enforce GLBA. However, the FTC has no jurisdiction over nonprofits. Nevertheless, failure to comply with the regulations of GLBA could result in a loss of federal funding under Title IV based on the inclusion of GLBA requirements in the Program Participation Agreement.
VI. COMPLIANCE CALENDAR
In order to comply with the GLBA Privacy Rule, a university must annually notify students of their rights under FERPA. The GLBA Safeguards Rule requires financial institutions to “regularly test or otherwise monitor the effectiveness of” the information safeguards the institution has established.