A Legal Guide to PRIVACY AND DATA SECURITY 2024

Both the GLBA privacy and safeguard requirements mandate ongoing monitoring and updating. Those responsible for GLBA compliance in a business should periodically review and update the written information security program as necessary to keep up with changes in the law, emerging data security threats, and changes in the institution's own business practices.

GLBA Data Breach Notification Requirements. Since April 1, 2022 (with compliance required by May 1, 2022), banking organizations have been subject to a computer-security incident notification rule. See Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, which requires a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours, after determining that a notification incident has occurred, and requires bank service providers to notify affected banking organization customers of incidents that have caused, or are reasonably likely to cause, a material service disruption of four or more hours. Separately, using their authority under the GLBA, the federal bank regulatory agencies issued the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, which requires financial institutions to adopt policies and procedures for responding to unauthorized access to protected customer information. This includes notifying the institution's primary federal regulator when there has been unauthorized access to "sensitive customer information," and notifying affected customers when misuse of that information has occurred or is reasonably possible. Sensitive customer information, a subset of the customer's nonpublic personal information, generally means a customer's name, address, or telephone number combined with one or more of the following items of information about the customer: 1) Social Security number; 2) driver's license number; 3) account number; 4) credit or debit card number; or 5) a personal identification number or password that would permit access to the customer's account.

GLBA Enforcement. GLBA is enforced by eight federal regulatory agencies, including the FTC and the federal banking agencies, as well as state insurance regulators and attorneys general. GLBA does not give individuals a private right of action.

Potential Liability. GLBA carries severe civil and criminal penalties for noncompliance, including fines and imprisonment. A financial institution that violates GLBA may be subject to a civil penalty of up to $100,000 for each violation. Officers and directors of the institution may be personally liable for a civil penalty of up to $10,000 for each violation. Additionally, the institution and its officers and directors may be subject to criminal fines and imprisonment of up to
