What do Victoria's Secret, GLBA (Gramm-Leach-Bliley Act ), and Congress have in common?


It is ironic that a Victoria's Secret catalog was a catalyst for the GLBA (Gramm-Leach-Bliley Act) and one of the key reasons Congress included privacy protections for financial information when it passed the Act. The GLBA sought to "modernize" financial services, that is, to end the regulations that prevented mergers between banks, stock brokerages, and insurance companies. Removing those regulations raised a significant risk that the newly merged financial institutions would have access to an incredible amount of personal information with no restrictions on its use. (Victoria's Secret and Financial Privacy: Chris Jay Hoofnagle and Emily Honig)


It was Ed Markey (D-MA) who introduced the privacy protection amendment to the House Commerce Committee members as they were making changes to the GLBA (Gramm-Leach-Bliley Act) draft. The amendment, called "Title V", gave individuals some control over how their information would be shared. Before that, sensitive information such as Social Security numbers and financial details was being sold, in some cases to telemarketers who defrauded consumers.


Among the major opponents of Title V and its privacy protections were the banks and financial institutions. Testimony came from Representative John Dingell (D-MI), OCC Comptroller John Hawke, Representative Gene Green (D-TX), and Representative Anna Eshoo (D-CA), but the critical support for the amendment came from Joe Barton (R-TX). Barton had begun receiving Victoria's Secret catalogs at his Washington home, even though neither he nor his wife had purchased anything from Victoria's Secret. Barton was concerned because he didn't want his wife to think he was buying for women in Washington. The credit union where he kept an account had sold his information, and that became the catalyst for his support of the Markey Amendment. Congress enacted the bill, and individuals now have the right to direct financial institutions not to sell their personal information to third parties.



The GLBA (Gramm-Leach-Bliley Act) is also known as the Financial Services Modernization Act of 1999. The Gramm-Leach-Bliley Act provides only limited protection against the sale of your private financial information. Banks, credit card companies, and other financial institutions regularly buy and sell bank balances and account numbers. One primary goal of the GLBA was to end the regulations that prevented the merger of banks, stock brokerages, and insurance companies. Personally, that seems counterproductive: it is leaving the barn door open, or leaving the fox to guard the hen house, over an incredible amount of personal information. Businesses that had previously been kept separate (insurance companies, banks, stock brokerages), once merged, would have access to an enormous amount of personal information to analyze and sell. It was because of these risks that the GLBA included three requirements to ensure the protection of personal data.

* Banks, brokerage companies, and insurance companies must securely store personal financial information.

* Banks, brokerage companies, and insurance companies must advise you of their policies on the sharing of your personal financial information.

* Banks, brokerage companies, and insurance companies must give consumers the option to opt-out of some of the sharing of personal financial information.

Technology is only one component of GLBA compliance; however, when it comes to protecting the "end user" of your business, here is what I recommend: best-of-breed, world-class, enterprise-grade technology that meets GLBA compliance requirements.


Although some sections of the Gramm-Leach-Bliley Act afford the consumer protection when dealing with personal financial information, it seems counterproductive to repeal sections of earlier acts so that banks can engage in a wide range of financial services. The GLBA is rooted in the history of the separation of banks, brokerage companies, and insurance companies. Congress passed the Glass-Steagall Act in 1933, prohibiting national and state banks from affiliating with securities companies. Congress also passed the Bank Holding Company Act in 1956, prohibiting banks from controlling a non-bank company, and in 1982 extended that act to prohibit insurance underwriting or agency activities. That is why it seems counterproductive that the Gramm-Leach-Bliley Act repealed sections of these acts.


The protection of personal financial information had become a concern for the European public, and it is bewildering how often banks were cited as being at risk. Public opinion showed such discontent with the banking industry's lack of concern for consumer privacy that in 1995 the European Union (EU) passed the Data Protection Directive. The Directive essentially required that citizens' personal data be accorded the same level of protection abroad that their home countries would afford it. The international concern was that the self-regulatory approach favored by the U.S., together with the lack of federal privacy legislation, left the international community's private personal and financial information unprotected.


Banks engaged in selling consumer information, which in some instances led to credit fraud and identity theft. How is it that in November 1997 Charter Pacific Bank of Agoura Hills, California was allowed to sell millions of credit card numbers to an adult website company, which then proceeded to bill customers for access to Internet porn sites? Then in 1998 NationsBank shared customer information with its affiliate subsidiary NationsSecurities. What followed was the solicitation of NationsBank's customers, who lost large sums of money, including elderly customers who lost large portions of their life savings. These international and domestic events prompted Congress to include Title V in the GLBA.


Only financial institutions are regulated under the GLBA's privacy protections. These include businesses engaged in banking, insurance, stocks and bonds, financial advice, and investing. Under the Gramm-Leach-Bliley Act several privacy protections are provided for the consumer:


Financial institutions must develop precautions to ensure the security and confidentiality of customers' records and information, and must provide each customer with a notice of the institution's information sharing policies. The financial institution must inform the consumer of its policies on disclosing nonpublic personal information (NPI) to affiliates and non-affiliated third parties. Nonpublic personal information covers all information on applications to obtain financial services (credit card or loan applications), account histories (bank or credit card), and information about present or past customers. This interpretation of NPI makes names, addresses, telephone numbers, Social Security Numbers, and other data subject to the Gramm-Leach-Bliley Act's data sharing restrictions. The GLBA gives the consumer the right to opt out of a limited amount of NPI sharing: the consumer can instruct the financial institution not to share information with unaffiliated companies. An affiliate is any company that controls, is controlled by, or is under common control with another company.


There are exceptions under the GLBA that permit information sharing over the consumer's objection. When a financial institution engages the services of another company, it can transfer personal information to that company because the transfer is deemed essential for that company to perform its obligations. It is also permitted to transfer personal information to a marketing or sales company to sell new products (different stocks) or jointly offered products (co-sponsored credit cards). In addition, the unaffiliated third party can share this information within its own "corporate family"; however, it is not permitted to transfer the personal information any further. Furthermore, the financial institution can disclose your information to credit reporting agencies and financial regulatory agencies, as part of a sale of a business, to comply with laws or regulations, or as necessary for a transaction requested by the consumer.

Previously, a financial institution could transfer and disclose your credit card numbers, PINs, or other access codes to a non-affiliated third party for use in telemarketing, direct mail marketing, and electronic mail. Fortunately, they are now prohibited from doing this.


A practice used by investigators, law enforcement agents, social workers, and potential employers was "pretexting". Pretexting is the practice of collecting personal information under false pretenses. Manufacturing seductive stories, such as telling an individual that they have just won a sweepstakes or are the beneficiary of an insurance policy, in order to elicit personal information is prohibited. So is trying to obtain personal information using fraudulent or forged documents, or false, fictitious, lost, stolen, or counterfeit documents. (EPIC Gramm-Leach-Bliley Act Page) Be sure to get the best managed security service, one that offers outstanding, best-of-breed, enterprise-grade protection for your business while providing GLBA technology compliance at the same time. Granted, technology is only one component of GLBA compliance; however, even if you are not subject to the Gramm-Leach-Bliley Act you will certainly be interested in knowing more about how to help someone else, if not yourself, and in learning more about managed security services.


A major concern with the Gramm-Leach-Bliley Act is that it really doesn't protect the consumer. The consumer must take action to opt out, which places the burden on the consumer; most consumers won't, and therefore the GLBA weakens the consumer's ability to control their financial information. Unfortunately, since the burden is on the consumer, if they neglect to respond to the opt-out notice the institution is free to disclose the customer's nonpublic personal information.


Have you ever read the Gramm-Leach-Bliley Act notices, assuming you can follow the confusing text? The brochure should come with a magnifying glass, and even then you may not be able to follow the confusing text or understand the lack of transparency about information practices. If that doesn't frustrate the average individual, the complex set of legal definitions added to the numerous exceptions to the law will certainly leave you less informed than when you started reading.

It's a bit aggravating how most privacy and opt-out policies are so convoluted, confusing, and misleading. There is a reason for that: it better serves the interests of those entities if the consumer loses interest. If you read the notice it becomes apparent that there are no specifics as to who will receive the information, or how or for what purpose it will be used.


Another shortcoming of the GLBA is that the consumer has no control over affiliate information sharing. In fact, some banks may have as many as a thousand affiliates, some of which have no connection to any financial services. On top of that, even if you do opt out, financial institutions can do an end run around your choice by exploiting the exceptions in the Gramm-Leach-Bliley Act: the service provider/joint marketing exemption allows them to share information with non-affiliated third parties despite a consumer's opt-out.
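The sharing rules described above (affiliate vs. non-affiliate, the opt-out, the exceptions that override it, and the ban on passing card numbers and access codes to outside marketers) can be written down as a decision procedure. The following is an added example, not code from the page's author: a small policy check that encodes those rules as the page states them, so that the limits of the opt-out show up as explicit branches. The category names, field names, and the sample scenarios are my own constructions; treating joint marketing as a "marketing use" for the access-code ban is an assumption noted in the code.

```python
"""Added example (not the page's own code): a policy check that encodes the
GLBA information-sharing rules as this page describes them.  Category names,
field names and scenarios are constructed for the demonstration."""
from dataclasses import dataclass
from enum import Enum


class Recipient(Enum):
    AFFILIATE = "affiliate"        # controls, is controlled by, or under common control
    NONAFFILIATE = "nonaffiliate"  # unrelated third party


class Purpose(Enum):
    MARKETING = "marketing"                    # telemarketing, direct mail, e-mail
    JOINT_MARKETING = "joint_marketing"        # co-sponsored products
    SERVICE_PROVIDER = "service_provider"      # company engaged to perform obligations
    CREDIT_REPORTING = "credit_reporting"
    REGULATOR = "regulator"
    LEGAL_COMPLIANCE = "legal_compliance"
    BUSINESS_SALE = "business_sale"
    CONSUMER_REQUESTED = "consumer_requested"  # transaction the consumer asked for


# Exceptions the page lists as permitting sharing over the consumer's objection.
OPTOUT_EXCEPTIONS = frozenset({
    Purpose.SERVICE_PROVIDER, Purpose.JOINT_MARKETING, Purpose.CREDIT_REPORTING,
    Purpose.REGULATOR, Purpose.LEGAL_COMPLIANCE, Purpose.BUSINESS_SALE,
    Purpose.CONSUMER_REQUESTED,
})

# Data elements the page says may no longer go to a non-affiliate for marketing.
ACCESS_CREDENTIALS = frozenset({"card_number", "pin", "access_code"})
# Assumption: joint marketing is treated as a marketing use for that ban.
MARKETING_USES = frozenset({Purpose.MARKETING, Purpose.JOINT_MARKETING})


@dataclass(frozen=True)
class Disclosure:
    recipient: Recipient
    purpose: Purpose
    fields: frozenset              # NPI elements in the transfer, e.g. {"name", "ssn"}
    onward_transfer: bool = False  # recipient intends to pass data beyond its corporate family


def evaluate(d, opted_out):
    """Return (permitted, reason) for one proposed disclosure of NPI.
    Rule order matters: flat prohibitions are checked before any exception."""
    if (d.recipient is Recipient.NONAFFILIATE and d.purpose in MARKETING_USES
            and d.fields & ACCESS_CREDENTIALS):
        return False, "card numbers, PINs and access codes may not be shared for marketing"
    if d.recipient is Recipient.NONAFFILIATE and d.onward_transfer:
        return False, "a third party may share only within its own corporate family"
    if d.recipient is Recipient.AFFILIATE:
        return True, "affiliate sharing: the GLBA opt-out does not apply"
    if d.purpose in OPTOUT_EXCEPTIONS:
        return True, "exception '%s' overrides the opt-out" % d.purpose.value
    if opted_out:
        return False, "consumer opted out of non-affiliate sharing"
    return True, "no opt-out on file: non-affiliate sharing permitted by default"


def audit(disclosures, opted_out):
    """Evaluate a batch and return the disclosures that would be denied, with reasons."""
    denied = []
    for d in disclosures:
        ok, reason = evaluate(d, opted_out)
        if not ok:
            denied.append((d, reason))
    return denied


# Constructed scenarios covering each branch of the rules.
NPI = frozenset({"name", "address", "ssn", "account_history"})
SCENARIOS = [
    Disclosure(Recipient.NONAFFILIATE, Purpose.MARKETING, NPI),                    # denied only if opted out
    Disclosure(Recipient.NONAFFILIATE, Purpose.MARKETING, NPI | {"card_number"}),  # always denied
    Disclosure(Recipient.NONAFFILIATE, Purpose.JOINT_MARKETING, NPI),              # allowed despite opt-out
    Disclosure(Recipient.AFFILIATE, Purpose.MARKETING, NPI),                       # allowed, opt-out irrelevant
    Disclosure(Recipient.NONAFFILIATE, Purpose.SERVICE_PROVIDER, NPI, onward_transfer=True),  # denied
]


def main():
    for opted_out in (False, True):
        print("consumer opted out: %s" % opted_out)
        for d in SCENARIOS:
            ok, why = evaluate(d, opted_out)
            print("  %-5s %-12s %-18s %s" % ("ALLOW" if ok else "DENY",
                                             d.recipient.value, d.purpose.value, why))


if __name__ == "__main__":
    main()
```

Running it with `opted_out=True` shows only two of the five scenarios actually blocked by the consumer's choice; the affiliate transfer and the joint-marketing transfer go through regardless, which is the page's point about how little the opt-out controls.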

To add insult to injury, there is little a consumer can do, because the mechanisms to enforce the law, assure compliance, or seek compensation are weak and inadequate. This is mainly because the federal government is solely responsible for enforcement, leaving the individual consumer no private right of action.


You understand the old adage: "follow the money trail" and you'll find those benefiting from the marketing of your personal information. Why not develop a policy that requires marketers to obtain your opt-in consent before using your personal information? That would minimize any unwanted or unknowing disclosure of your personal information and place the burden on those who profit from obtaining personal information without your consent.


Whether it is online or offline, the process to opt out should be simple. The information should be easily accessible, whether online or at branch offices, and easily comprehensible.

Consumers should be advised as to what information will be distributed to affiliates and how. Again, follow the money trail and see who is benefiting from your personal information. Just because your personal information has become a commodity to others doesn't mean that you agreed to have it marketed from one entity to another without a choice to say "no thank you". As a consumer you should be afforded statutory rights to access your information and learn more about industry practices.

Instead of relying on the federal government's authority to take action, states should be given more authority and concurrent jurisdiction to enforce the provisions of the Gramm-Leach-Bliley Act on behalf of the consumer, and consumers should have a right of action, the right to protect their privacy, and the ability to seek remedies and redress under the GLBA. How is a consumer to question or verify the accuracy of incomplete data if they are not given the opportunity to review the information being distributed or disclosed to unknown affiliates?


Protect your privacy and opt out of information sharing from all your financial entities, brokerages, and insurance companies; the latter link will connect you to a site that provides detailed opt-out information, including sample letters to send to financial institutions. Stop giving out personal information by phone, mail, or Internet unless you initiated the contact, and especially Social Security Numbers, unless it is for tax purposes, employment, or opening a new bank account. Remember that "pretexters" will pose as representatives of some institution to deceive or con you out of your personal or identifying information.

Other good practices to follow:

* Keep your personal information in a safe place.

* Shred everything you want to dispose of that contains personal information.

* Be aware of your billing cycles in case some statements don't arrive when scheduled.

* Review your statements for any discrepancies and report them immediately.

* Add passwords to your credit card, bank, and phone accounts.

* Check your credit report periodically for mistakes and possible fraud before an identity thief can wreak havoc on your personal finances.

To opt out of pre-approved credit card offers, call 1-888-5OPTOUT (1-888-567-8688), and be sure to request that you be permanently removed (you will have to request a form and fill it out); otherwise, after two (2) years you will be placed back on the recipient list. And don't be lured into marketing schemes that promise better offers on products and services in exchange for personal data. The only products you will receive are more solicitations, telemarketers, junk mail, and greater chances of identity theft and fraudulent practices.


As I asked in the description: "Could you explain the GLBA (Gramm-Leach-Bliley Act) to your friend and what is required so they wouldn't get into trouble?" Here's a simple explanation. If you are one of the entities governed by the GLBA, there are several steps that need to be taken in order to be compliant. These steps vary widely because the term "best practices" has been vague and not well defined, and it has been left to the financial institutions to interpret it and establish policy as to what best practices means.

First, understand that "financial institution" status is not determined by the number of employees. If you are in the business of engaging in financial activities, your business falls within the definition of "financial institution", even as a sole proprietor.

Digital security is a crucial part of protecting consumers' nonpublic personal information that is processed electronically. As the Act's Safeguards Rule points out, financial institutions must:

- Ensure the security and confidentiality of customers' information.

- Protect against anticipated threats or hazards to the security or integrity of that information.

- Protect against unauthorized access to or use of customer information.

The organization's executive management must be involved and must provide a comprehensive written Information Security Plan that includes policies and procedures. The "Plan" sets out the steps necessary for development and implementation, and the ongoing risk assessment necessary to assure best practices.

A vulnerability management and policy compliance solution provides additional key security elements to satisfy the GLBA Safeguards Rule, with regular, ongoing risk assessments.

Meet GLBA security guidelines by managing devices and applications, identifying and remediating security vulnerabilities, measuring and managing security exposure and risk, and providing internal and external policies that meet compliance standards. Employ training and periodic testing, with regulatory updates.

In summary you want to:

* Assess risk:

>Identify external and internal threats to customers' information

>Anticipate and assess the likelihood of potential damages

>Determine status and adequacy of your current controls

>Establish a written security program and assign a manager to oversee its implementation and to administer the policies and procedures.

>Management will oversee the program and be held accountable

* Manage and control current and anticipated risks:

>Develop an appropriate comprehensive program in line with the size and scope of the operations

>Provide ongoing and adequate training for employees

>Regularly test both key controls and physical controls

>Technology safeguards: encrypt customers' data both in transit and in storage

>Ongoing backup of critical data, easy retrieval of any specific record, and reasonable safeguards against loss, alteration, or destruction

* Oversee service providers: control the information held by third parties

* Make necessary adjustments

* Report and provide recommendations to a committee

* Implement recommendations to meet compliance
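Two of the items above, "easy retrieval of any specific record" and "reasonable safeguards against loss, alteration, or destruction", are concrete enough to show in code. The following is an added example, not code from the page's author: a minimal backup store that keeps each customer record under its content hash and protects the record index with an HMAC, so that a missing or modified record, or a tampered index, is detected at retrieval time rather than discovered during an incident. The records, the key, and the tamper scenario are constructed for the demonstration; in a real deployment the key would come from a secrets manager and the blobs would additionally be encrypted at rest (encryption is out of scope here and left to the storage layer).

```python
"""Added example (not the page's own code): a content-addressed backup store
for customer records with an HMAC-protected index.  Detects lost or altered
records on retrieval; records, key and tamper steps are constructed."""
import hashlib
import hmac
import json
import secrets


class BackupStore:
    """Records are stored under sha256(content); the id -> hash index is signed
    with HMAC-SHA256 so that swapping one record's hash for another is caught.
    Assumption: the key comes from a secrets manager in production."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.blobs = {}        # content hash -> serialized record
        self.index = {}        # record id -> content hash
        self.manifest_mac = b""
        self._sign()

    @staticmethod
    def _digest(blob):
        return hashlib.sha256(blob).hexdigest()

    def _canonical_index(self):
        # Canonical JSON so the MAC does not depend on insertion order.
        return json.dumps(self.index, sort_keys=True).encode()

    def _sign(self):
        self.manifest_mac = hmac.new(self.key, self._canonical_index(), hashlib.sha256).digest()

    def backup(self, record_id, record):
        """Store (or re-store) one record; old content stays addressable by hash."""
        blob = json.dumps(record, sort_keys=True).encode()
        h = self._digest(blob)
        self.blobs[h] = blob
        self.index[record_id] = h
        self._sign()

    def verify_manifest(self):
        """True only if the index is exactly what was last signed."""
        expected = hmac.new(self.key, self._canonical_index(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.manifest_mac)

    def retrieve(self, record_id):
        """Fetch one record, refusing to return anything that fails an integrity check."""
        if not self.verify_manifest():
            raise RuntimeError("manifest altered: index cannot be trusted")
        h = self.index.get(record_id)
        if h is None:
            raise KeyError(record_id)
        blob = self.blobs.get(h)
        if blob is None:
            raise RuntimeError("record %s lost: blob %s missing" % (record_id, h[:12]))
        if self._digest(blob) != h:
            raise RuntimeError("record %s altered: hash mismatch" % record_id)
        return json.loads(blob)

    def audit(self):
        """Status of every indexed record: 'ok', 'lost' or 'altered'."""
        status = {}
        for rid, h in self.index.items():
            blob = self.blobs.get(h)
            if blob is None:
                status[rid] = "lost"
            elif self._digest(blob) != h:
                status[rid] = "altered"
            else:
                status[rid] = "ok"
        return status


def main():
    store = BackupStore(key=b"k" * 32)   # constructed key; never hard-code one in practice
    store.backup("C-1001", {"name": "Jane Example", "ssn": "000-00-0000"})  # constructed record
    store.backup("C-1002", {"name": "Juan Ejemplo", "ssn": "000-00-0001"})
    print("retrieved:", store.retrieve("C-1001"))
    print("audit before tampering:", store.audit())
    # Simulate silent alteration of one stored blob and loss of another.
    store.blobs[store.index["C-1001"]] = b'{"name": "Mallory", "ssn": "999-99-9999"}'
    del store.blobs[store.index["C-1002"]]
    print("audit after tampering:", store.audit())


if __name__ == "__main__":
    main()
```

The point of signing the index separately from hashing the blobs is that each check catches a different failure: a blob whose bytes changed no longer matches its hash, while an attacker who rewrites the index to point a customer id at a different (valid) blob is caught by the HMAC, because the key is not stored alongside the data.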

When you think about it, what is expected is fairly basic. The GLBA requires you to establish appropriate professional standards and safeguards to ensure the security and confidentiality of customers' information and to protect their records against anticipated threats, hazards, or unauthorized access that would result in harm or inconvenience to them.

If you are part of the financial industry and subject to the regulations of the GLBA, you have a duty to maintain the confidentiality and safeguarding of your clients' information. The real test of whether you have provided sufficient safeguards and ample confidentiality is when you are before a judge in a court of law and can declare that you have done as much or more to protect your clients' personal information as you have done to protect your own. And remember, close is not good enough when it comes to compliance and the protection of your clients' personal information. However, if you have followed "best practices" and provided a number of security measures, the conclusion may be that you fulfilled your duty of reasonable care.


Contact David
