If you read our post on whistleblowers, you know that we mentioned the Gramm-Leach-Bliley Act. If you think this law only applies to banks and other financial institutions, you would be wrong. The act, also known as the Financial Services Modernization Act of 1999, may affect your small business and how you handle your data.
The Gramm-Leach-Bliley Act was signed into law by President Bill Clinton in 1999. The act caused a lot of controversy because it allowed banks, securities companies and insurance companies to consolidate, creating financial-institution behemoths. It also imposes privacy and data-security requirements on every company that falls under its definition of a financial institution. Banks and insurance companies are already familiar with these requirements, but you need to know how the act affects your business.
What is Considered a “Financial Institution” Under the Act?
The Federal Trade Commission (FTC), which enforces the Act for financial institutions that are not supervised by a banking or securities regulator, treats as a financial institution any business that is significantly engaged in financial activities such as:
• Extending credit and servicing loans
• Collection agency services
• Real estate and personal property appraising
• Check guaranty services
• Credit bureau services
• Real estate settlement services
• Leasing real or personal property (on a nonoperating basis for an initial lease term of at least 90 days)
The FTC's own examples of businesses that fall under the Act include:
• Mortgage lender or broker
• Check casher
• Pay-day lender
• Credit counseling service and other financial advisors
• Medical-services provider that establishes for a significant number of its patients long-term payment plans that involve interest charges
• Financial or investment advisory services including tax planning, tax preparation, and instruction on individual financial management
• Retailer that issues its own credit card
• Auto dealers that lease and/or finance
• Collection agency services
• Relocation service that assists individuals with financing for moving expenses and/or mortgages
• Sale of money orders, savings bonds, or traveler’s checks
• Government entities that provide financial products such as student loans or mortgages
How Does a Business Comply with the Act?
Gramm-Leach-Bliley compliance is mandatory if you are involved in one of these businesses. You must ensure that consumers' personal data and identifying information are protected. The act is complicated, but we will provide a rundown of the main points.
The Financial Privacy Rule
To summarize: whether or not you share your customers' non-public personal information, you must give each customer a privacy notice at the time the relationship is established. If you share a customer's information with a non-affiliated third party, you must also provide an "opt-out" notice explaining the customer's right to prevent that sharing. You must also provide customers with an annual notice. These notices describe the categories of information you collect and share, such as Social Security numbers, names, addresses, dates of birth and other account information.
If the customer agrees, you may deliver these notices electronically. For the protection of all parties, use only a secure document delivery method so that the notices cannot be intercepted or altered in transit.
The Safeguards Rule
This section of the Act requires companies to develop a written information security plan for protecting their clients' information. The plan must include the following:
- Designating at least one employee to manage safeguards.
- Preparing a risk analysis covering every department that handles non-public personal information.
- Developing and monitoring safe and secure storage and retention of all customer non-public personal information.
- The FTC recommends processes that we have discussed many times in this blog: conducting background checks on all employees who have access to consumer data, asking employees to sign a confidentiality agreement, and controlling access to the data on a need-to-know basis.
- The FTC also recommends safeguards for bring-your-own-device (BYOD) use and using a secure content management system that stores information in encrypted files, so that a lost laptop or phone does not expose customer data.
Pretexting Provision of the Gramm-Leach-Bliley Act
Customers must be protected from pretexting attempts, also referred to as obtaining customer financial information under false pretenses.
Pretexting is a form of social engineering in which an individual uses a false pretense to obtain information. All organizations subject to the Gramm-Leach-Bliley Act must ensure that their employees are trained and understand the dangers of pretexting. An example would be someone who calls a financial institution and pretends to be the account holder in order to obtain information to use for identity theft or illegal financial gain. Training should give employees a defined procedure for verifying a caller's identity before releasing any account information, rather than relying on details such as a name, address or date of birth that an impostor may already have obtained.
We hope that makes things a bit clearer. The FTC has extensive information on its website. Complying with the Act requires knowledge and action. Familiarize yourself with the rules, and take advantage of companies that offer services such as secure document delivery and content management to help ensure that you are compliant with the law.