Gramm-Leach-Bliley Act of 1999: Title V Privacy


Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
Welcome back to the course, everyone. It's Chris. I'm Cybrary's instructor for its US information privacy course. In Lesson 7.3, we're going to look at the Gramm-Leach-Bliley Act of 1999, specifically focusing in on Title V, which focuses on privacy.

We have several learning objectives. We're going to look at the GLBA's privacy goals and its two rules, the Privacy Rule and the Safeguards Rule. We're going to look at its requirements for privacy notices and the disclosure of non-public personal information, and then we're going to look at fraudulent access to information and some of the penalties for doing so. Let's get right to it.

Let's talk about the GLBA's goals, Privacy Rule and Safeguards Rule. From a privacy perspective, it was to ensure that these financial institutions, which had to comply with the GLBA, weren't sharing consumer personally identifiable information, as it applied to financial information, without giving notice and without also having the appropriate security safeguards in place.

The impetus behind this was that back in 1999, several of the states' Attorneys General had investigated cases where you had companies, banking institutions, that were sharing consumer financial information, account information, with non-affiliated companies, like telemarketers, without consent. Then those telemarketers were turning around and billing those customers for products and services that they had not requested or consented to. We call that a negative option. What happened was Minnesota and several other states investigating these companies found them in violation of state-level laws. Two companies in Minnesota were fined to the amount of three million dollars. Congress realized this was probably a more widespread problem, and so what it sought to do with the GLBA was include this privacy requirement that you had to give notice of whether you were sharing this information with affiliated and non-affiliated companies. But in doing so, if you were sharing information with a non-affiliated company, you had to state in your privacy notice those information-sharing activities and then allow the individuals to opt out of the sharing of their information with non-affiliated companies.

A key thing is making sure that you give notice at the appropriate time. The first time that you engage in offering services or products to the consumer, you have to give them notice, and then you have to give them annually updated notices. Now, there's been a revision to that requirement in the Fixing America's Surface Transportation Act, Section 503, that says that there are certain instances where you don't have to give that notice. If the notice hasn't changed significantly, then you don't have to reissue that notice. Or if you have companies themselves providing routing services, like data processing and things like that, then you don't have to give notice every time that you share that information.

The Privacy Rule is simply that. It says that, hey, if you are a financial institution that has to comply with the GLBA, then you have to give your consumers notice, and that notice needs to state what you've collected, why you're sharing it, how you use it, with whom you're sharing it, and also provide insights into your information security practices.

The Safeguards Rule says that, again, you have to ensure that you are addressing the confidentiality, integrity, and availability of this consumer financial information, and ensure that you have the appropriate security safeguards from an administrative, physical, and technical safeguards perspective to protect that information. You have to be conducting periodic investigations, risk assessments of your information security practices. You have to have a written information security policy in place. You have to ensure that you have somebody that manages your information security program.

Now, that privacy policy also has to include how to opt out. If I'm a consumer and I don't want my information shared with non-affiliated companies, then you have to give me the ability to opt out of that process, and you need to respond to that request within 30 days.

When we talk about the protection of nonpublic information, it's exactly that: ensuring that you have full disclosure of with whom you're sharing that information, to ensure that consumers can make informed decisions on whether or not they want you to have the ability to share that information with non-affiliated companies.

When we talk about some of the obligations, we've talked about those: the ability to opt out of having my financial information shared with non-affiliated third parties. Once I give notice, again, and they opt out of the process, I have to honor that process.

When we talk about disclosure of institutional privacy policy, that has to be provided to the consumer or posted on your public-facing website, notifying them what your privacy practices are, specifically with whom you share information. Again, they can review your policy and ensure that they can opt out of those practices.

Note that the Federal Trade Commission is the agency that enforces this law. But also, after 2010, the Consumer Financial Protection Bureau took over some of those enforcement and rule-making authorities for GLBA. We also have some of the financial regulators that also enforce this law from a financial regulatory perspective, and they do so under the Financial Institutions Reform, Recovery, and Enforcement Act, FIRREA.

Question 1 asks: the GLBA Privacy Rule requirements include? The appropriate answers are A, B, C, and D. Question 2 asks: the GLBA requires financial institutions to disclose what information to their customers? The appropriate answers are A, B, C, and D. Question 3 asks: the GLBA's Safeguards Rule security safeguards include? The appropriate answers are A, B, C, and D.

In summary, the GLBA is an important law because it includes privacy protections for consumers, ensuring that they're informed about with whom these financial institutions that have to comply with the GLBA share their information, and whether they're affiliated or non-affiliated. After giving notice, if that consumer decides that they don't want that information shared with non-affiliates, in most circumstances that financial institution has to honor that request within 30 days. You have to give notice. The notice contains information on what you're collecting, why you're collecting it, and with whom you share it, affiliated and non-affiliated. It has to state an opt-out provision: if you don't approve of having that information shared with non-affiliated companies or entities, then again, the company must do so and honor that request within 30 days. It says that you've got to give notice at the time that you first engage in offering services to that consumer and then annually, except under certain circumstances. It has two rules: the Privacy Rule, which really details what the privacy notice must include, and the Safeguards Rule, which outlines information security practices from a confidentiality, integrity, and availability perspective and the use of administrative, physical, and technical safeguards to protect that financial information from the time it's collected until the time it's disposed of.