GLBA Compliance Strategies

Since the passage of the Gramm-Leach-Bliley Act (GLBA) in 1999, ensuring the privacy and security of consumer financial data has become a high priority for the financial services industry. The GLBA and its implementing regulations specifically require financial institutions in the United States to create an information security program to ensure the security and confidentiality of customer information, guard against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

However, innovations in technology—such as new mobile payment platforms and novel means of analyzing consumer financial data—are creating complex challenges for financial services institutions seeking to comply with the GLBA and other relevant privacy and security laws.

Epstein Becker Green’s Privacy & Security Group guides financial services clients through this highly regulated and rapidly changing environment. In addition, members of the group:

  • Counsel clients on applying the GLBA and existing federal and state privacy and security laws to new strategies and emerging technologies
  • Review and revise, where necessary, clients’ existing privacy policies and programs, information sharing procedures, data safeguards, and opt-out notice provisions
  • Advise on information security “best practices” for assessing, updating, and managing company policies, procedures, and data protection programs
  • Create training materials and compliance programs for employers and management to help ensure that consumer financial information is properly collected and managed
  • Draft confidentiality and privacy agreements between financial services clients and their business partners or third parties regarding the sharing, management, and protection of financial data
  • Update clients on new changes to the area of financial privacy and data protection and revise client policies, programs, and practices, where necessary, to conform to those changes
  • Represent clients in investigations and administrative proceedings concerning alleged violations of the GLBA
  • Represent clients in data breach litigation

GLBA and the Cloud

GLBA’s Financial Privacy Rule requires financial institutions to provide an annual notice to customers explaining how the customers’ data is maintained and shared as well as the steps that are taken to protect it. Additionally, the GLBA Safeguards Rule requires institutions to implement an information security program. However, the introduction of “cloud computing” and the use of the services of an outside cloud provider can complicate matters greatly. Many financial institutions are wrestling with the loss of data control that comes with the business benefits of cloud adoption.

At Epstein Becker Green, we advise clients on cloud computing and other attractive and inexpensive storage technologies. We help our clients evaluate the risks of storing information in the cloud and then identify legal solutions—such as creating policies and procedures to ensure compliance with the GLBA’s Financial Privacy and Safeguards Rules and managing cloud providers—so that our clients are able to take advantage of these cost-saving technologies.