How to Keep Customers’ Data Secure Under the Gramm-Leach-Bliley Act (GLBA)
What is Gramm-Leach-Bliley Act (GLBA) for Privacy?
If you deal with customers’ personal financial data, you should be aware of the Gramm-Leach-Bliley Act (GLBA) and its Safeguards rule.
The federal law was enacted in 1999, and serves to protect consumers’ financial data when they’re involved in transactions with financial professionals. This covers a broad range of service industries, including lenders, financial advisors, accountants, real estate appraisers, mortgage brokers, real estate industry professionals, debt collectors, auto dealerships that extend loans to their customers, and any type of business that handles a third party’s personal financial data.
Organizations that violate the provisions of GLBA can face fines of up to $100,000 per violation. Employees also face possible criminal penalties of up to five years in prison and the revocation of their professional licenses, and senior executives involved in a security breach can each be fined up to $10,000.
If you’re in any profession that deals with customers’ private financial data, it’s important to ensure that your organization is in compliance with GLBA. Whether you own and operate a business or work for one, here are some of the key facts you should know about the legislation.
Provide security around private consumer data
During the course of a transaction with your organization, a customer may supply you with confidential data about their finances or other personal data, including social security numbers, bank account and investment holdings, payment history, and other details. In this case, GLBA covers all “personally identifiable financial information” that is not publicly available.
In order to comply with GLBA, you need to put in place safeguards that protect this data. These include:
Build a written IT security plan
Your organization needs to build a documented IT plan that outlines the protocols you’ll put in place for safeguarding customer data. It should include details of the infrastructure and technology stack that you plan to use throughout the organization, factoring in both in-office and remote communications between colleagues and partners and with customers. You’ll need to appoint at least one employee as a program coordinator, who can oversee the infrastructure and processes.
Set up an employee training program
It’s not only important to put the right technology in place to protect customer data; it’s also critical to ensure that your entire organization understands the protocols. Make sure that you put a comprehensive employee cybersecurity training program in place, and regularly assess employees on their compliance by tracking whether protocols are followed. You should also conduct periodic assessments with quizzes to test employees’ knowledge, and conduct additional training sessions when needed or when protocols change.
Conduct a risk audit and assessment
Outline all of the key components of your plan, and build an ongoing compliance checklist. You’ll need to conduct periodic audits to help your organization understand risk levels for various elements of your security plan, and identify ways to mitigate those risks once they hit certain levels. It can be helpful to use risk management software that can automatically aggregate and integrate data from all of your sources, so that you can get a comprehensive view of your IT risk in real time.
Implement information safeguards
Your plan should include the deployment of technology and devices that encrypt and protect customer data, including strong password policies, a firewall, and a VPN. Every employee should be granted only the level of access they need to complete their respective jobs, and should be blocked from accessing data that doesn’t concern them.
Ensure that all of your third-party providers subscribe to strong security protocols
If your organization is passing along client data to third-party vendors or partners, it’s important to make sure that they have strong cybersecurity protocols in place, too. Ask any provider you’re planning to work with to fill out a questionnaire that evaluates their cybersecurity posture, and addresses steps that they need to take to be in compliance with your security plan before they begin working with you.
Regularly evaluate your information security plan in light of any business changes
Whenever a material change takes place, either within your business or related to external conditions, it’s important to evaluate how that change might impact your security plan. For instance, every new vendor should be thoroughly vetted, and changes to industry regulations should be viewed through the lens of your security program to ensure that your compliance standards are up to date for the new requirements.
Putting all of these steps into practice should help you build a comprehensive approach towards managing cybersecurity and protecting your customer data on your organization’s devices. But it’s also important to make sure that customer data is just as secure when employees aren’t in the office.
The dangers of BYOD policies
Especially in a post-COVID-19 era, much of business has moved from secure office facilities to employees’ own homes and cars.
Many organizations now employ a “bring your own device” policy, in which employees are invited to use their personal mobile devices, tablets, and computers to conduct work for the organization. In fact, a Syntonic study found that 87% of companies expect employees to use their personal devices for work. As such, employees may frequently conduct business on personal mobile devices, including calling and SMS texting.
But if they’re using their own mobile devices to discuss confidential customer information, they’re at risk of revealing that customer data if their phone is lost or stolen. One BYOD security report found that businesses were deeply concerned about data leakage and loss (62%), users downloading unsafe apps or content (54%), lost or stolen devices (53%), and unauthorized access to company data and systems (51%).
The report found that 41% of organizations rely on endpoint malware protection for personal devices, which can be difficult to manage when employees are often using different operating systems. And 30% of firms say they don’t protect against malware for BYOD at all.
So how can you give employees the freedom to use the devices of their choice, while still ensuring that customer data is protected?
Ensure employees are using strong security measures
If an employee leaves a smartphone in a public space, there’s a reasonable chance that someone will be able to unlock the phone by guessing the password. However, if all employees are required to use two-factor authentication on their devices, a guessed password alone is not enough: the login still needs the second factor, which the employee controls and can refuse. They should also set strong passwords, and use biometric authentication via fingerprint or face scanning technology if it’s available on their devices.
Make sure that they completely separate business and personal data
If employees are using personal devices for work, it’s imperative that they fully separate the two forms of communication. They should never use their work email for personal communications, and likewise, they shouldn’t use their phone’s SMS messaging system for work-related communications. If your organization becomes involved in litigation, your employees’ phones may be reviewed for work-related communications, so by completely separating business and personal use, they can keep their personal lives private while avoiding violations of GLBA.
Use a secure virtual business line
To ensure that you’re protecting customer data when using personal devices, your organization should ask employees to install an app like iPlum, which establishes a virtual business line on their own phones. iPlum works over traditional mobile networks, ensuring fidelity of call quality, and encrypts all data sent via SMS. In the event that the device is lost or stolen, your organization will be able to remotely wipe all data stored on the app, helping your customers’ data stay safe.
Why data protection is crucial
When you’re working with customers or outside partners, your organization will be trusted with data that they wouldn’t want getting into the public domain.
That might include private information like social security numbers, bank account numbers and transactions, portfolio holdings, real estate holdings, and other confidential data.
It’s important to stress to your entire team that any time you’re engaging with a customer or partner, it’s crucial to ensure all of this data is protected within your organization and blocked from external access, except in cases where the customer has provided written consent to share it.
Protecting customer and third-party data via secure encryption can help your team comply with the regulations of GLBA, and avoid potential fines and penalties from the FTC, which regulates the act.
Beyond that, data breaches can also lead to individual or class action lawsuits from your customers, as well as criminal penalties from your state. For example, the 2017 Equifax data breach, which impacted 147 million people, led to over $575 million in penalties and settlement fees from a class action lawsuit.
And whether or not the data breach is on a severe scale, even minor negligence can lead to a loss of customer trust and reputational damage. If you’re in an industry where you’re entrusted with your customers’ confidential data, it’s important to take every possible step to ensure that that data is protected.
Building trust in your brand
Consumers and businesses have many choices for who to partner with for their financial needs. If you want to remain competitive in your industry, it’s important that you prioritize data protection on an ongoing basis, and make sure that your customers know the steps you’ve put in place.
Many organizations have strong protections in place in the office, but fail to safeguard data when employees are working remotely from their own devices. In order to combat this, you should build a strong workplace data protection training program to help your employees understand the protocols for accessing secure data, including using a secure app like iPlum for contacting customers and colleagues from their personal mobile devices and installing antivirus software on all of their devices.
Conduct periodic audits to score your organization on its compliance, so that you can conduct follow-up training and put mitigation plans in place as necessary.
By taking these steps to keep your customers’ data secure, you can use your cybersecurity program as a competitive advantage.
Customers today understand the dangers of data breaches, and actively seek out organizations that showcase the initiatives they’ve put in place to keep their customers safe. Your organization should have clear privacy and data protection policies that your customers can read on your website, and should be able to opt in or opt out of various
By showcasing your compliance initiatives, you’ll be able to build customer trust in your brand, and generate more customer referrals because of your positive reputation as an organization that puts customer security first.
In order to comply with GLBA and other industry regulations that may impact your organization, you need to set up a comprehensive approach to information security at your organization that protects your customers’ data privacy at every level.
At the same time, your employees need the convenience to be able to work remotely and effortlessly shift between personal and professional communications across their own devices.
By using technology like iPlum to give employees the ability to compartmentalize their professional communications and encrypt SMS data when discussing customer information, they’ll be able to achieve the best of both worlds, while remaining in compliance with GLBA.