Kayne McGladrey on What Businesses other than Banks Need to Know about Gramm-Leach-Bliley [Podcast]


By Adam Turteltaub

The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires offerers of consumer financial products to explain how they share information and protect sensitive data.

It’s not, however, only banks that fall under GLBA’s umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid and others as well, explains Kayne McGladrey, Field CISO for Hyperproof.

The FTC has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:

  • Have a qualified individual to implement and enforce an information security plan
  • Conduct a periodic cybersecurity risk assessment
  • Implement cybersecurity controls to manage those risks
  • Document who has access to customer data
  • Assess the risks of applications that can access the data
  • Securely destroy old data
  • Periodically test the controls to verify their effectiveness

In addition, staff needs to be trained, and there must be a written incident response plan and ongoing testing.

It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place.

Even so, it’s important to conduct a gap analysis, he advises, to ensure all the requirements are being met.

Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.