The Gramm-Leach-Bliley Act (GLBA) doesn't exactly have a good reputation. Some economists argue that it was one of the causes of the 2008 subprime crisis in the U.S. One area where it redeems itself, however, is in protecting the privacy of customers' financial data.
The act has become relevant again because its implementing regulations, recently amended to keep up with modern cybersecurity challenges, come into force on June 9, 2023. In this article, we review the GLBA, its rules and provisions for insurance companies, best practices for compliance, and the use of technology to streamline your compliance program.
What Is the GLBA?
The Gramm-Leach-Bliley Act is a federal law enacted in 1999 to modernize the U.S. financial services industry. It is also a privacy act: it set standards for how financial institutions must handle their customers' personal data.
The financial modernization initiatives involved the repeal of some provisions of older acts — like the Glass-Steagall Act and the Bank Holding Company Act of 1956 — in order to allow a financial institution to offer a wider range of financial activities covering commercial and investment banking, investments, and insurance.
In the past, such wide-ranging businesses were restricted to keep any single institution from having too much control over customers' finances. The GLB Act removed these restrictions to help financial businesses grow.
In addition, the Gramm-Leach-Bliley Act legislated data privacy and data protection standards for providers of financial products and financial services. These consumer protection rules apply to a wide variety of financial service providers:
- Insurance companies
- Non-bank financial institutions
- Mortgage companies
- Credit card issuers
- Credit unions
- Tax preparers
- Investment advisers
- Real estate lenders
Many more businesses are also required to comply, but in this article, we focus on the insurance sector.
Which Insurance Companies Come Under the GLB Act?
The following are some of the important insurance businesses that must comply with the Gramm-Leach-Bliley Act:
- Licensed life insurers
- Property insurers
- Co-operative insurers
- Financial guarantee insurers
- Mortgage guarantee insurers
- Reciprocal insurers
- Title insurers
- Accident and health insurers
- Non-profit insurers
- Public health insurers
- Licensed underwriters
In the next section, you'll find out the rules and regulations that apply to these businesses under the act.
GLBA Rules and Regulations for Insurance Companies
In this section, we explain some important Gramm-Leach-Bliley Act requirements and related regulations relevant to insurance companies. We focus on the rules for protecting financial information under "Title V – Privacy" of the GLB Act.
Consumers and Customers
Compliance teams must note that these rules don't use the terms "consumer" and "customer" interchangeably. The rules and obligations are different for consumers and customers. They are defined as follows:
- Consumer: A consumer is any individual who obtains, or seeks to obtain, a financial product or service from you for personal, family, or household purposes. A business entity, or an individual who obtains the product or service for business purposes, is not a consumer.
- Customer: A customer is a consumer with whom you have a continuing business relationship.
For example, any person who inquires about your insurance policies is a consumer. If they purchase a policy, they become a customer, regardless of whether that policy is a whole-life policy or short-term travel insurance. When the customer relationship ends, the person reverts to being a consumer, and your privacy notice must describe how you treat the NPI of former customers.
The Financial Privacy Rules
The GLBA's Title V, Subtitle A lays out the obligations of financial institutions to protect the privacy and confidentiality of any nonpublic personal information (NPI) of consumers.
NPI is any personally identifiable financial information that a consumer provides to you, that results from a transaction or service you perform for the consumer, or that you otherwise obtain in connection with providing a financial product or service. Names, addresses, account numbers, and Social Security numbers collected in this way are NPI. Publicly available information, by contrast, is information you have a reasonable basis to believe is lawfully available to the public, for instance from government records. Any list, description, or other grouping of consumers derived from NPI is itself treated as NPI, even if the list also contains public information.
The financial privacy rules are:
- Privacy notices to customers: The company must give its customers a clear and conspicuous privacy notice when the relationship begins and annually thereafter. The notice must cover the categories of NPI collected and disclosed, the categories of third parties that receive it, the treatment of former customers' NPI, the company's data security practices, and any disclosures governed by the Fair Credit Reporting Act.
- Consumer consent: NPI may be disclosed with the consent of the consumer or at the consumer's direction. This is one of the exceptions to the opt-out requirement below.
- Non-disclosure of NPI to third parties: With some exceptions, a company must not share NPI with a non-affiliated third party unless it has first provided the consumer with its privacy notice and a clear opt-out notice, given the consumer a reasonable means and a reasonable time to opt out, and the consumer has not done so. Companies can base their notices on the regulators' model privacy and opt-out forms.
- Restrictions on third parties: A non-affiliated service provider that receives NPI under an exception must be contractually bound to keep it confidential and to use and disclose it only for the purpose for which it was provided; it may not pass the NPI on to other non-affiliated third parties.
- Restrictions on marketing: Companies can't disclose account numbers, access codes, or similar identifiers to non-affiliated third parties for use in telemarketing, direct mail marketing, or email marketing.
- Allowed disclosures: NPI can be disclosed without an opt-out when necessary to service a transaction the consumer requested, or for risk management, fraud prevention, dispute resolution, mergers, or the sale of a business. Disclosures to certain recipients, such as consumer reporting agencies, insurance advisory organizations, rating agencies, and auditors, are also exempt from the opt-out requirement.
Regulators such as the Federal Trade Commission (FTC) have codified these privacy rules in formal regulations, for example 16 CFR Part 313, Privacy of Consumer Financial Information.
In the next section, we look into regulations governing data security, which is essential for maintaining the privacy and confidentiality of consumer NPI.
The Safeguards Rule
The act obligates companies to set up administrative, technical, and physical safeguards to ensure the information security and confidentiality of customer records and NPI. Further, companies must protect against any threats, hazards, and unauthorized access to such data.
Regulators like the FTC have published final rules like the safeguards rule for this purpose. The GLBA safeguards rule mandates the security requirements that a company must implement for its information systems that store private information and other sensitive data about its customers.
The original Safeguards Rule took effect in 2003. The FTC amended it in 2021 to keep pace with technology changes and to spell out specific controls, and companies must comply with the amended requirements by June 9, 2023.
The implementation of these safeguards is covered in the best practices section below.
Title V, Subtitle B of the Gramm-Leach-Bliley Act also makes it an offense to obtain customer information from a financial institution through false pretenses (so-called pretexting), including:
- Making false, fictitious, or fraudulent statements to the institution or to its customer
- Presenting documents that are forged, counterfeit, lost, stolen, or fraudulently obtained, or that contain false statements
- Asking or paying another person to obtain customer information through any of these means
How GLBA Compliance Works
The GLBA empowers several federal agencies as well as state insurance regulators to enforce its rules and regulations.
The federal agencies include the FTC, the federal banking agencies (the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency), and the Securities and Exchange Commission. The FTC is the default regulator for any financial institution not supervised by another agency.
For insurance companies, state insurance regulators are responsible for enforcement through state laws. To ensure uniformity in state laws, the National Association of Insurance Commissioners published model regulations that have become the basis for most of the state laws.
Best Practices for GLBA Compliance
In this section, we explain some of the best practices based on regulatory guidance for your information security plan and other compliance requirements.
Your company's information security program must satisfy these guidelines:
- Scope: It must be written, and proportionate to the size and complexity of your business, the nature of your activities, and the sensitivity of the customer information you hold.
- Qualified individual: You must designate a qualified individual to implement and oversee your information security program. If that person works for a service provider or affiliate rather than for you, a senior member of your own staff must direct and oversee them, and you remain responsible for compliance.
- Risk assessments: You must conduct a written risk assessment of the internal and external risks to your customer information and repeat it periodically. The assessment must state how risks are identified and evaluated and how the results drive your safeguards.
- Risk controls: You must implement the safeguards your risk assessment calls for, including access controls that limit each user to the customer information they need, multi-factor authentication for anyone accessing an information system that holds customer information, encryption of customer information at rest and in transit (or a compensating control approved by the qualified individual where encryption is infeasible), secure development practices for in-house applications, change management procedures, a data inventory, and monitoring and logging of who accesses customer information. Customer information must be securely disposed of no later than two years after its last use unless it is still needed for a legitimate business purpose or retention is required by law.
- Regular monitoring, testing, and improvements: You must regularly test the effectiveness of your safeguards, either through continuous monitoring or, at minimum, an annual penetration test plus vulnerability assessments at least every six months and whenever a material change in your business or systems occurs. Adjust the program based on test results, risk assessments, and significant changes to your operations.
- Staff training: You must give all staff security awareness training on handling customer information, and ensure that security personnel stay current on emerging threats and countermeasures.
- Third-party oversight: You must select service providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the providers against the risk they present to your customer information.
- Incident response plan: You need a written incident response plan covering its goals, the internal processes for responding to a security event, roles and decision-making authority, internal and external communications and information sharing, remediation of identified weaknesses, and documentation and post-incident review.
- Governance: The qualified individual must report in writing, at least annually, to your board of directors or equivalent governing body. The report must cover the overall status of the program and compliance with the Safeguards Rule, including risk assessment results, risk management decisions, service provider arrangements, test results, security events and management's responses, and recommendations for changes to the program.
Remember that your company must comply with these guidelines by June 9, 2023.
Penalties for Non-Compliance
Regulators are empowered to impose civil penalties on companies that violate the act's rules or regulations. One such enforcement action resulted in a fine of $2.7 million.
Obtaining customer information through false pretenses is a criminal offense punishable by imprisonment of up to five years, or up to ten years for aggravated cases, such as when the offense involves more than $100,000 in a 12-month period and is committed while violating another U.S. law. Fines are imposed under Title 18 of the U.S. Code, which for an individual means up to $250,000 or twice the gross gain from the offense, whichever is greater.