The Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, was enacted to control the ways that financial institutions deal with their customers’ nonpublic personal information (NPI). Under the GLB Act, financial institutions are required to:

• Ensure customers’ NPI is properly protected (Financial Privacy Rule)
• Develop a written information security plan that describes their program to protect customer information (Safeguards Rule)
• Protect customers from individuals and companies that collect their NPI under false pretenses (Pretexting Rule)

The Financial Privacy Rule

Protecting the privacy of consumer information held by financial institutions is at the heart of the financial privacy provisions of the GLB Act. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some—but not all—sharing of their information.

The GLB Act defines financial institutions as companies that offer financial products or services to individuals, like loans, insurance, or financial or investment advice. The Federal Trade Commission (FTC) has authority to enforce the law with respect to financial institutions that are not covered by the federal banking agencies, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. This is important because only customers are entitled to automatically receive a financial institution’s annual privacy notice.

The annual privacy notice must be a clear statement of the company’s privacy practices. It should explain how the company collects NPI, who the NPI is shared with and how the company protects that data. Consumers and customers have the right to opt out of, or say no to, having their information shared with certain third parties. The privacy notice must explain how they can do that, and offer a reasonable way.

In 2015, Congress amended the GLB Act as part of the Fixing America’s Surface Transportation Act (FAST). The amendment allows exemptions to the annual privacy notice for financial institutions that meet certain conditions. Those conditions include the institution limiting the sharing of customer information so that the customer does not have the right to opt out and not changing the privacy notice from the one previously delivered to the customer.

The Safeguards Rule

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Safeguards Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. As part of its plan, each company must:

• Designate one or more employees to coordinate its information security program;
• Identify and assess the risks to customer information and evaluate the effectiveness of the current safeguards;
• Design and implement a safeguards program, and regularly monitor and test it;
• Select service providers that can maintain appropriate safeguards; and
• Evaluate and adjust the program when necessary.

Pretexting Rule

The Pretexting Rule was put in place to stop individuals or companies from gathering and selling NPI under false pretenses. Pretexters sell a person’s information to people who may use it to get credit in the victim’s name, steal the victim’s assets, or investigate or sue the victim. Pretexting is illegal.

Under the GLB Act’s Pretexting Rule, it is illegal for anyone to:

• Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution;
• Use forged, counterfeit, lost or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution; and
• Ask another person to get someone else’s customer information using false, fictitious or fraudulent statements.

Violations of the Pretexting Rule can result in civil penalties up to $11,000 for each violation, as well as criminal penalties.