Identify, control and audit the flow of documents to ensure confidentiality of nonpublic personal information to demonstrate GLBA compliance
The Financial Services Modernization Act, better known as the Gramm-Leach-Bliley Act (GLBA), allowed commercial and investment banks to consolidate. GLBA also included rules governing the collection, disclosure, and protection of consumers' nonpublic personal information (NPPI) and personally identifiable information (PII).
The key information privacy rules in GLBA are the Financial Privacy Rule, the Pretexting Rule, and the Safeguards Rule. The Financial Privacy Rule requires firms to establish a privacy agreement with their customers concerning the protection of the customer's NPPI (e.g. a consumer's name, address, social security number, account number, status as a customer, credit history, etc.). The Pretexting Rule requires institutions to guard against pretexting, or "social engineering", breaches such as impersonating authorized persons or phishing. The Safeguards Rule requires financial institutions to create a written information security plan describing how the company protects the NPPI of current and former clients.
Financial institutions must put in place a policy that protects consumer information from foreseeable threats to security and data integrity, and must assess how they manage private data through risk analysis of their current processes. Noncompliance can lead to fines of up to $100,000 per violation and imprisonment.
GLBA Compliance Applications
NextLabs' solution is a set of applications that includes a comprehensive set of pre-built policy libraries and the pre-built reports required to support GLBA compliance. Policy sets can be easily customized to the environment or used as templates to create new policies. The NextLabs GLBA Compliance Solution can:
- Identify personal data and protect it from unauthorized disclosure and loss.
- Prevent accidental destruction of personal information, and securely destroy personal data when required.
- Identify and warn personnel of documents containing personal information to alert them of policies and procedures for proper handling of private information.
- Manage entitlements that limit users' data access based on their need-to-know.
- Automate information handling to prevent loss and reduce procedural errors.
- Establish information barriers to ensure information is restricted to its disclosed purposes and communicated only for its intended purpose, by intended persons, in intended locations, and during intended times.
- Prevent the export of personal information to third parties or affiliates when the customer has not approved distribution to third parties.
- Enforce persistent privacy policies upon customer personal information when information is distributed to business partners, agents, affiliates and contractors.
- Report on any potential information risks and discover gaps in compliance with personal data protection regulations.