Gramm–Leach–Bliley Act
==Privacy==
* GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.
* Major components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information, or personally identifiable information, include:
** [[#Financial Privacy Rule|Financial Privacy Rule]]
** [[#Safeguards Rule|Safeguards Rule]]
** [[#Pretexting protection|Pretexting Protection]]

===Financial Privacy Rule===
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at {{usc|15|6801|6809}})

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the [[Fair Credit Reporting Act]]. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a [[privacy policy]] agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.
On November 17, 2009, eight federal regulatory agencies released the final version of a [https://www.sec.gov/news/press/2009/2009-248.htm model privacy notice form] to make it easier for consumers to understand how financial institutions collect and share information about consumers.

====Financial institutions====
GLBA defines financial institutions as: "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance". The [[Federal Trade Commission]] (FTC) has jurisdiction over financial institutions similar to, and including, these:
* Non-bank mortgage lenders,
* Real estate appraisers,
* Loan brokers,
* Some financial or investment advisers,
* Debt collectors,
* Tax return preparers,
* Banks, and
* Real estate settlement service providers.

These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution".

Insurance falls first under the jurisdiction of the state, provided the state law at minimum complies with the GLB. State law can require greater compliance, but not less than what is otherwise required by the GLB.

====Consumer vs. customer defined====
The ''Gramm–Leach–Bliley Act'' defines a "consumer" as
:"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See {{usc|15|6809(9)}}.)

A customer is a consumer that has developed a relationship with privacy rights protected under the ''GLB''. A customer is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a customer might have—i.e., a [[mortgage loan]], tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the ''GLB''.
A business, however, may be liable for compliance with the ''GLB'' depending upon the type of business and the activities utilizing individuals' personal nonpublic information.

{{blockquote|Definition: A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

Examples of consumer relationships:
* Applying for a loan
* Obtaining cash from a foreign ATM, even if it occurs on a regular basis
* Cashing a check with a check-cashing company
* Arranging for a wire transfer<ref name=ftcoutline>{{cite web|title=The Gramm–Leach–Bliley Act Privacy of Consumer Financial Information|url=http://www.ftc.gov/privacy/glbact/glboutline.htm|work=Federal Trade Commission Bureau of Consumer Protection Division of Financial Practices|publisher=FTC|access-date=25 October 2011|author=FTC|author-link=Federal Trade Commission|date=June 18, 2001|url-status=live|archive-url=https://web.archive.org/web/20111031133633/http://www.ftc.gov/privacy/glbact/glboutline.htm|archive-date=31 October 2011}}</ref>}}

{{blockquote|Definition: A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.

Examples of establishing a customer relationship:
* Opening a credit card account with a financial institution
* Entering into an automobile lease (on a non-operating basis for an initial lease term of at least 90 days) with an automobile dealer
* Providing personally identifiable financial information to a broker in order to obtain a mortgage loan
* Obtaining a loan from a mortgage lender
* Agreeing to obtain tax preparation or credit counseling services

"Special Rule" for Loans: The customer relationship travels with ownership of the servicing rights.<ref name=ftcoutline/>}}

====Consumer/client privacy rights====
Under the ''GLB'', financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.

The privacy notice must also explain to the customer the opportunity to 'opt out'. Opting out means that the client can say "no" to allowing their information to be shared with nonaffiliated third parties. The ''[[Fair Credit Reporting Act]]'' is responsible for the 'opt-out' opportunity, but the privacy notice must inform the customer of this right under the GLB. The client cannot opt out of:
* Information shared with those providing priority service to the financial institution
* Marketing of products or services for the financial institution
* When the information is deemed legally required.
* When entering into a financial transaction, the institution providing said transaction must provide the customer a secure room with the ability to close in order to better protect the client's personal information.

====Receipt of GLBA notices by consumers====
=====Service of notice requirements=====
Notice requirements may vary. In most cases, service of a GLBA notice is not necessary unless the entity serving the notice intends to "share" customer information, which the FTC defines as "non-public personal information (NPI)" of customers required to be protected under ''GLBA''.<ref>[https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act], FTC</ref><ref>[https://files.consumerfinance.gov/f/201410_cfpb_final-rule_annual-privacy-notice.pdf Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley], (US) Bureau of Consumer Financial Protection, modifying a requirement for financial institutions to provide an annual GLBA disclosure (.pdf)</ref><ref>[https://www.dlapiper.com/en/us/insights/publications/2016/01/annual-privacy-notice-requirement/ Annual privacy notice requirement eliminated for certain financial institutions] - explanation of rule change from DLA Piper law firm</ref>

=====Response to receipt of a GLBA notice=====
A consumer may react to service of a ''GLBA'' notice by:
* Not responding
* Indicating, on an acknowledgment form, that notice was not provided (typically for in-person signed documents)
* Responding according to format suggested in the GLBA Notice
* Responding with a prepared letter (alone or in addition to the form)

====Synergy between GLBA and GDPR====
The [[European Union|European Union's]] [[General Data Protection Regulation|General Data Protection Regulation (GDPR)]] became enforceable on 25 May 2018.
As applies to consumers, the [[General Data Protection Regulation|GDPR]] includes provisions on scope of data collection, but also includes [[General Data Protection Regulation#Right of access|right of access]], [[General Data Protection Regulation#Right to erasure|right to erasure]], right to restriction of processing and right to data portability. Due to the multinational nature of some transactions, including data and internet transactions, and the possible implementation of corresponding regulations in some US states, it is likely that business and other entities will comply with the [[General Data Protection Regulation|GDPR]] as well as US ''GLBA'' requirements. Individualized requests for privacy under the ''GLBA'' are likely to include provisions guaranteed by the [[European Union]]'s [[General Data Protection Regulation|GDPR]].

===Safeguards Rule===
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at {{usc|15|6801|6809}})

The Safeguards Rule implements data security requirements from the GLBA and requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, its clients' nonpublic personal information. The Safeguards Rule applies to information about any consumer, past or present, of the financial institution's products or services. The written plan must include:{{citation needed|date=November 2022}}
* Denoting at least one employee to manage the safeguards
* Constructing a thorough [[risk analysis (business)|risk analysis]] on each department handling the nonpublic information
* Develop, monitor, and test a program to secure the information
* Adapting the safeguards as needed with contemporary changes in how information is collected, stored, and used

The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes.
The Federal Register features approaches for risk assessments such as evaluating the likelihood of magnitudes of harm that result from threats and errors, and ensuring that safeguards are commensurate with the risks they address.<ref>{{cite web|last=Cronin|first=Chris|date=December 9, 2021|title=Standards for Safeguarding Customer Information|url=https://www.federalregister.gov/documents/2021/12/09/2021-25736/standards-for-safeguarding-customer-information}}</ref> No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the ''GLBA''.

In December 2021, the Safeguards Rule was updated, amid some controversy,<ref name=TNLR/> by the FTC to include specific criteria requiring financial institutions to introduce new security controls and to increase the accountability of [[Board of directors|boards of directors]],<ref>[https://www.reuters.com/legal/transactional/new-safeguards-rule-how-will-it-impact-financial-institutions-2021-12-09/ "New Safeguards Rule: How will it impact financial institutions?"] Alex Koskey and Matt White, ''Reuters'', December 9, 2021. Retrieved November 28, 2022.</ref> with a six-month compliance extension, from January to June 2023, granted for some types of institutions in November 2022.<ref name=TNLR>[https://www.natlawreview.com/article/ftc-delays-safeguards-rule-implementation-certain-financial-institutions "FTC Delays Safeguards Rule Implementation for Certain Financial Institutions"] Mercedes Kelley Tunstall, ''[[The National Law Review]]'', Volume XII, Number 331, November 23, 2022. Retrieved November 30, 2022.</ref>

===Pretexting protection===
(Subtitle B: Fraudulent Access to Financial Information, codified at {{usc|15|6821|6827}})

[[Pretexting]] (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so.
This may entail requesting private information while impersonating the account holder, by telephone, by mail, by e-mail, or even by "[[phishing]]" (i.e., using a phony website or email to collect data). GLBA encourages the organizations covered by GLBA to implement safeguards against pretexting. For example, a well-written plan designed to meet GLB's Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext. In fact, the evaluation of the effectiveness of such employee training probably should include a follow-up program of random spot checks, "outside the classroom", after completion of the [initial] employee training, in order to check on the resistance of a given (randomly chosen) student to various types of "social engineering"—perhaps even designed to focus attention on any new wrinkle that might have arisen ''after'' the [initial] effort to "develop" the curriculum for such employee training.

Under United States law, pretexting by individuals is punishable as a [[common law]] crime of [[false pretenses]].