Gramm-Leach-Bliley (GLBA)
What information sharing can't a consumer opt out of under GLBA?
1. If a financial institution shares information with outside companies that provide essential services like data processing or account servicing. 2. If the disclosure is legally required. 3. If the financial institution shares customer data with outside service providers that market the financial company's products or services.
What is excluded from the definition of "nonpublic personal information" under GLBA?
1. Publicly available information 2. Any consumer list that is derived without using personally identifiable financial information.
Under Gramm-Leach-Bliley privacy provisions, what are financial institutions required to do?
1. Store personal financial information in a secure manner. 2. Provide notice of their policies regarding the sharing of personal financial information. 3. Provide consumers with the choice to opt out of sharing some personal financial information. 4. Refrain from disclosing to any non-affiliated third party marketer, other than a CRA, an account number or access code to a consumer's credit card, deposit or transaction account.
What are the requirements of the GLBA privacy notice?
1. What information the financial institution collects about its consumers and customers. 2. With whom it shares the information. 3. How it protects or safeguards the information. 4. An explanation of how a consumer may opt out of having his information shared through a reasonable opt-out process.
What does the GLBA Safeguards Rule require?
Financial institutions must establish a comprehensive information security program that contains administrative, technical and physical safeguards.
Can a financial institution share consumer information with unaffiliated or third-party marketing companies?
Yes, other than for defined exceptions, if they have disclosed the information-sharing practice and provided an opt-out option.
Can a financial institution share consumer information with affiliated companies and joint marketing partners?
Yes, so long as they have complied with the notice requirements.
What are the requirements of the GLBA information security program?
1. A designated employee to coordinate the program. 2. Audits of systems to determine risks. 3. Procedures to take with service providers to assure security.
What are the 3 levels of security under a GLBA Safeguards Program?
1. Administrative security, including program definition, management of workforce risks, employee training, vendor oversight. 2. Technical security, including computer systems, networks and applications in addition to access controls and encryption. 3. Physical security, including facilities, environmental safeguards, business continuity and disaster recovery.
Who has enforcement power under the GLBA?
Agencies have authority over institutions in their jurisdiction, such as: 1. Federal Reserve 2. Office of the Comptroller of the Currency 3. Federal Deposit Insurance Corporation 4. Securities and Exchange Commission 5. CFPB (for institutions not otherwise covered) 6. State Attorneys General
What is a financial institution under GLBA?
Any US company significantly engaged in financial activities. Includes banks, insurance providers, securities firms, payment settlement services, check cashing services, credit counselors and mortgage lenders, among others.
Which agency has rule making power over the GLBA?
CFPB with limited exceptions for the SEC and Commodity Futures Trading Commission.
Who is protected by GLBA?
Consumers or individuals who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes.
Does GLBA preempt state law?
No
Does GLBA have a private right of action?
No, but certain states may consider it a deceptive trade practice for failing to give notice.
What is "nonpublic personal information" under GLBA?
Personally identifiable financial information: 1. Provided by a consumer to a financial institution, 2. Resulting from a transaction or service performed for the consumer, or 3. Otherwise obtained by the financial institution.
What are the possible penalties under GLBA?
Up to $5,500 for violations of law; up to $27,500 if the violations are unsafe, unsound or reckless; up to $1.1M for "knowing" violations.