The Gramm-Leach-Bliley Act (GLBA) plays a vital role in safeguarding nonpublic personal information (NPI) within the financial sector. The revised Safeguard Rule going in effect June 9 2023 has laid out a fairly detailed set of recommendations in setting up an information security program and also to protect customer data.
Conforming to GLBA cannot be accomplished with one tool. It requires a fairly comprehensive Information security program, akin to SOC2, ISO 27001 or HIPAA. Polymer DLP for SaaS is designed to secure customer data stored and transacted in high collaborative SaaS platforms without creating too much friction for end users and security teams.
In this blog post, we will explore the key aspects of GLBA compliance, including the definition of NPI, implementation suggestions for GLBA, and how a solution like Polymer DLP for SaaS can automate the protection of NPI data in platforms like Google Drive, Slack, Jira & others.
What is GLBA?
The Gramm-Leach-Bliley Act, enacted in 1999, aims to protect the privacy and security of consumer financial information held by financial institutions. GLBA compliance extends to a broad range of entities, including banks, credit unions, insurance companies, securities firms, and other financial institutions that handle NPI. Compliance with GLBA is essential for these entities to ensure the confidentiality and integrity of customer data.
What is NPI?
NPI refers to personally identifiable financial information obtained by financial institutions in the course of providing financial products or services. It encompasses various types of information, including personally identifiable information (PII), financial account information, transaction information, and personal information provided during the process of obtaining financial services. The table below summarizes the types of information considered NPI under GLBA:
|Type of Information
|Personally identifiable information (PII)
|Information that can be used to identify an individual, such as their name, address, social security number, date of birth, driver’s license number, and any other unique identifiers.
|Financial account information
|Information related to an individual’s financial accounts, including bank account numbers, credit or debit card numbers, account balances, transaction history, and other information pertaining to the financial relationship.
|Details of financial transactions conducted by the customer, such as payments, transfers, deposits, withdrawals, and any other financial activities associated with the customer’s accounts.
|Personal information provided for financial services
|Additional personal information that the customer provides to the financial institution during the process of applying for or obtaining financial products or services.
What is the implementation onus for GLBA compliance?
GLBA Article 314.4 lays out fairly detailed instructions on the information security plan. The following table synthesizes key areas of focus and also highlights where Polymer DLP for SaaS can be address the requirement.
|Key takeaways from GLBA standards for safeguarding customer data
|1. Designate a qualified individual responsible for overseeing and implementing your information security program
|Dashboard and SOC alerts
|2. Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information
|3. Design and implement safeguards to control the risks you identity through risk assessment
|4. Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy
|5. Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls
|Redaction in Slack and sharing restriction in Google Drive
|6. Adopt secure development practices for in-house developed applications
|Bitbucket and GitHub integrations
|7. Implement multi-factor authentication
|8. Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service
|9. Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls,
|Real-time, continuous monitoring
|10. Providing your personnel with security awareness training
|Point-of-violation training and nudges
|11. Requiring your service providers by contract to implement and maintain such safeguards
|12. Establish a written incident response plan
Polymer features that streamline GLBA implementation
Polymer DLP has a variety of unique features that can be customized for organizations to satisfy certain cumbersome GLBA requirements typically mandated by auditors.
- Information classification: Polymer DLP allows you to classify and tag customer-related information stored in Google Drive or SaaS file storage systems. By applying specific labels or metadata, you can easily identify and distinguish NPI data associated with different customers, enabling better management and protection of sensitive information.
- Customer information disclosure reporting: Polymer DLP provides reporting capabilities that track and report any instances of customer information disclosure. It helps monitor and identify potential unauthorized access or sharing of NPI data within the SaaS environment, ensuring compliance with GLBA requirements and enabling prompt incident response.
- Access event monitoring and audits: Polymer DLP monitors and audits all access events within Google Drive or SaaS file storage systems. It tracks who accessed customer-related files, when the access occurred, and from which devices or IP addresses. This helps maintain a comprehensive audit trail for compliance purposes and aids in detecting any unauthorized access attempts.
- Download/print event monitoring and audits: Polymer DLP tracks and audits all download or print events of customer-related files. It provides visibility into who downloaded or printed sensitive information, when it happened, and the destination or printer used. This monitoring ensures that any potential data breaches or unauthorized sharing of NPI data can be identified and addressed promptly.
- Link expiration: Polymer DLP enables you to set expiration periods for public file links shared through Google Drive or other SaaS file storage systems. This feature helps mitigate the risk of NPI data being accessed or shared beyond the intended timeframe, enhancing control over the exposure of sensitive information.
- Access restriction: Polymer DLP allows you to restrict access to sensitive customer files stored in Google Drive or SaaS file storage systems. It ensures that only authorized domains or users can access and interact with NPI data, preventing unauthorized access or accidental sharing with external parties.
- Search and reporting: Polymer DLP offers search and reporting capabilities to identify and generate reports on files associated with both active and inactive customers. This enables efficient monitoring and management of NPI data across the SaaS environment, supporting compliance with GLBA requirements and facilitating data governance practices.
By utilizing these Polymer DLP features, organizations can enhance the protection of NPI data stored in Google Drive or other SaaS file storage systems, meeting GLBA requirements and safeguarding sensitive customer information.
As with other compliance protocols, GLBA compliance does leave a lot of room for interpretation. However the implementation guidelines for securing customer data is fairly well documented. Any organization using SaaS platforms have a fairly clear roadmap in the latest updates to GLBA in protecting customer data.