Any organization that extends credit or loans to US consumers
needs to protect consumers' personal information by the December deadline or risk non-compliance
This article was originally published on the Delphix website on September 15, 2022.
Back in 1999, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, opened new markets for financial institutions by allowing them to consolidate and offer any combination of investment banking, commercial banking, and insurance services to consumers.
In 2021, the Act was amended, and violations now carry swift and meaningful consequences. Staying in compliance with data privacy regulations like the GLBA should be top of mind for organizations worldwide that process loans or assume credit risk for consumers in the U.S.
Some examples of industries that must be in compliance with the GLBA include:
Financial services (banks, brokerage firms, hedge funds, credit unions, real estate firms, credit reporting companies, non-bank mortgage lenders, accountancies)
Retailers extending a credit card
Colleges and universities accepting Title IV funds
The GLBA 2021 Amendment
A 2021 amendment to the Gramm-Leach-Bliley Act broadened the definition of financial institutions to encompass not only financial services and insurance, but also retail, higher education, and other industries that extend credit or loans. In addition to the existing regulations, stricter rules were put in place for protecting nonpublic consumer data.
Organizations that process consumer financial data have a December 9, 2022 deadline to comply with specific data security practices outlined by the GLBA Safeguards Rule including:
Periodic reports to boards of directors and governing bodies
Secure software development practices
Identification and management of data based on risk
Implementation and review of data access controls
Encryption of data both in transit and at rest
Secure procedures for disposing of data
GLBA imposes fines, penalties, and possible prison time for privacy violations and holds organizations responsible for protecting personally identifiable information (PII) from unauthorized disclosure.
Penalties for non-compliance include:
Up to $100,000 fine for the organization per violation
Up to $10,000 fine for officers and directors per violation, license revocations, and up to 5 years in prison
To comply with GLBA, businesses must take reasonable action to ensure that non-public consumer information will not be exposed if a systems breach occurs.
The Delphix Continuous Compliance platform gives organizations the tools they need to stay in full global compliance with GLBA, the 2021 amendments, and the revised Safeguards Rule.
Protecting your non-production data should be at the top of the list when working toward compliance, since non-production data stores used for DevOps test data management, reporting, and analytics contain up to 80% of an enterprise’s personal data, according to Delphix customers. These test environments can represent the single largest source of GLBA risk. Non-production data environments are 4-5 times larger than production and often much less secure.
How Delphix Addresses Data Privacy and GLBA Compliance
Delphix Continuous Compliance provides an API-first data platform that enables software development and testing teams to find and mask sensitive data for compliance with privacy regulations such as the GLBA.
Relevant Continuous Compliance features include:
Automatic discovery of PII and other sensitive data
Irreversible data masking that ensures data cannot be restored to its original, sensitive version
Referential integrity of masked data across sources and clouds
Identification and Assessment of GLBA Risks Through Data Discovery
With Delphix Continuous Compliance, security teams can report on how data is being processed and shared by finding where the sensitive consumer data exists in non-production environments.
Delphix enables security teams to create enterprise-level masking policies for GLBA that define what data should be masked, where, and how. Users can then consistently deploy those policies across different data sources and locations.
Because Continuous Compliance lets security teams mask PII and other GLBA-covered data in the development pipeline, there is no need to expunge anything from those lower environments. With robust data masking, the data can no longer be traced back to an individual consumer; it is fully desensitized.
Continuous Compliance takes compliance one step further by irreversibly masking consumer data in DevOps test data management environments, ensuring the data is anonymized across all databases through referential integrity.
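As an added illustration (not Delphix code and not a description of how Continuous Compliance masks internally), the block below shows the two properties the passage names: keyed, one-way masking so a masked value cannot be turned back into the original, and deterministic output so the same consumer still lines up across two data sources after masking. The sample rows and the masking key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample rows from two separate data sources (not real data).
CUSTOMERS = [
    {"customer_id": 1, "name": "Ada Example", "ssn": "123-45-6789"},
    {"customer_id": 2, "name": "Bob Sample", "ssn": "987-65-4321"},
]
LOANS = [
    {"loan_id": 10, "ssn": "123-45-6789", "balance": 2500.00},
    {"loan_id": 11, "ssn": "987-65-4321", "balance": 8100.00},
    {"loan_id": 12, "ssn": "123-45-6789", "balance": 400.00},
]

def mask_ssn(ssn: str, key: bytes) -> str:
    """Deterministic, one-way masking of an SSN that keeps its ###-##-#### shape.
    Same input and key always give the same output, so joins across sources still
    line up; there is no inverse operation (an HMAC cannot be decrypted), and
    without the key the masked value cannot be linked back to the input."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected an SSN of the form ###-##-####")
    digest = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    # Reduce the digest to nine decimal digits: format-preserving, not reversible.
    n = int.from_bytes(digest, "big") % 10**9
    out = f"{n:09d}"
    return f"{out[:3]}-{out[3:5]}-{out[5:]}"

def mask_table(rows, column, key):
    """Mask one column in every row; the masking key must never reach non-production."""
    return [{**r, column: mask_ssn(r[column], key)} for r in rows]

def join_on(left, right, column):
    """Inner join used to check that masked tables still link correctly."""
    index = {}
    for r in right:
        index.setdefault(r[column], []).append(r)
    return [(l, r) for l in left for r in index.get(l[column], [])]

def demo(key: bytes = b"constructed-masking-key"):
    masked_customers = mask_table(CUSTOMERS, "ssn", key)
    masked_loans = mask_table(LOANS, "ssn", key)
    originals = {c["ssn"] for c in CUSTOMERS}
    return {
        # Referential integrity: the masked join yields the same row pairs as the original.
        "join_count_preserved": len(join_on(masked_customers, masked_loans, "ssn"))
        == len(join_on(CUSTOMERS, LOANS, "ssn")),
        # No original SSN survives in either masked source.
        "no_original_ssn_left": not any(r["ssn"] in originals for r in masked_customers + masked_loans),
    }
```

Note that the same key must be used for every source that participates in a join, and a different key per environment gives unrelated masked values, which is what keeps one environment's data from being correlated with another's.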
Unlike traditional solutions, which take months to implement, Continuous Compliance can be implemented in days, ahead of the December 2022 deadline.
With Delphix Continuous Compliance, financial services, retail, insurance, and higher education organizations can help ensure compliance with GLBA’s strict definition for protecting consumers’ data.
Download our solution brief for more information on how Delphix can help with data compliance for the Gramm-Leach-Bliley Act (GLBA).