The Gramm-Leach-Bliley Act Cybersecurity Considerations (And How They Apply to Businesses Besides Banks)
The Gramm-Leach-Bliley Act requires financial institutions to be transparent with their customers when it comes to how they use and store data.
“Financial institutions” are defined as entities engaged in the offer of financial products or services to consumers, including activities such as lending money, taking deposits, selling insurance and providing investment advice.
This definition covers a wide range of entities. Most people understand that this applies to banks, credit unions, securities firms and insurance companies—but it also applies to many others.
Which Organizations Besides Banks Must Comply With the Gramm-Leach-Bliley Act?
The GLBA can apply to organizations you may not traditionally think fall into the category of “financial institutions,” such as:
- Mortgage lenders;
- Mortgage brokers;
- Payday lenders;
- Finance companies;
- Account servicers;
- Check cashing companies;
- Wire transferors;
- Collection agencies;
- Credit counselors; and
- Other financial advisors even if they aren’t required to register with the SEC.
Even institutions of higher education and automobile dealerships can be subject to these regulations.

Colleges and universities that process federal financial aid for students are subject to the Gramm-Leach-Bliley Act and have been advised by the Department of Education to consider implementing cybersecurity standards to help protect confidential information concerning applications for and receipt of Title IV student assistance.
Automobile dealerships may be subject to the provisions of the Gramm-Leach-Bliley Act if they offer financing for vehicle purchases. It’s important to note that the exact applicability of the Gramm-Leach-Bliley Act to automobile dealerships depends on the specific products and services offered and the jurisdictions in which they operate.
Rent-to-own companies may also fall under this definition, as they provide consumer credit through lease agreements.
These organizations, much like the other more traditional financial institutions, must also comply with the Gramm-Leach-Bliley Act’s cybersecurity provisions.
What Does the Gramm-Leach-Bliley Act Mean for My Company’s Cybersecurity?
The Gramm-Leach-Bliley Act outlines cybersecurity provisions, known as the Privacy and Safeguards Rules, for protecting consumer financial information. Their obligations include:
- Implementing written information security plans and risk assessments;
- Training employees on information security;
- Safeguarding sensitive information through encryption and access control measures;
- Providing annual privacy notices to their customers; and
- Describing their information-sharing practices.
Your cybersecurity program must encompass all systems, databases and processes that collect, process and distribute information, including Personally Identifiable Information (PII).

What Are the Penalties for Not Being in Compliance With the Gramm-Leach-Bliley Act’s Cybersecurity Provisions?
The consequences of not being Gramm-Leach-Bliley Act compliant can include fines, legal action and damage to a company’s reputation.
The Federal Trade Commission (FTC) is the primary enforcement agency for the Gramm-Leach-Bliley Act and can take enforcement action against financial institutions that fail to comply with the provisions of the Act. The FTC has the authority to impose severe financial penalties per violation for companies that violate the Gramm-Leach-Bliley Act.
In certain cases, individuals may be held accountable for Gramm-Leach-Bliley Act compliance as part of their roles as company officers, directors or managers. In these cases, the regulatory agencies may take enforcement action against the individuals who participate in unfair or deceptive practices in connection with the provision of financial products or for failing to exercise sufficient oversight or control over the company’s compliance with the Gramm-Leach-Bliley Act.
Finally, non-compliance with the Gramm-Leach-Bliley Act cybersecurity provisions can result in damage to a company’s reputation and loss of customer trust, as customers may view the failure to protect their personal information as a breach of privacy and security. In today’s increasingly security-conscious business environment, these consequences can be significant and long-lasting.
The compliance deadline for the recently revised Privacy and Safeguards Rules was extended until June 2023.
Learn More About Gramm-Leach-Bliley Act Cybersecurity Considerations for Businesses Besides Banks
While the Gramm-Leach-Bliley Act may be most commonly associated with banks, many other organizations that conduct certain financial activity will be subject to the Act’s provisions.
It’s always critical to know your organization’s regulations and how to best adhere to them.
To learn more about the Gramm-Leach-Bliley Act cybersecurity provisions and how your organization should respond to and implement them in your specific scenario, reach out to your Warren Averett advisor, or ask a member of our team to reach out to you.
