In 1999, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, opened up new markets for financial institutions by allowing them to consolidate and offer any combination of financial banking services. investment, commercial banking and consumer insurance. .
In 2021, the law received a quick and significant amendment and consequences if violated. Staying compliant with data privacy regulations such as the GLBA should be a priority for organizations around the world that process loans or assume credit risk for consumers in the United States.
Here are some examples of industries that must comply with the GLBA:
- Financial services (banks, brokerage firms, hedge funds, credit unions, real estate companies, credit reporting companies, non-bank mortgage lenders, accounting)
- Insurance companies
- Retailers extending a credit card
- Colleges and Universities Accepting Title IV Funds
The 2021 GLBA Amendment
A 2021 amendment to the Gramm-Leach-Bliley Act expanded the definition of financial institutions to encompass not only financial services and insurance, but also retail, higher education and other industries that grant credits or loans. In addition to existing regulations, stricter rules have been put in place to protect non-public consumer data.
Organizations that process consumer financial data have a deadline of December 9, 2022 to comply with specific data security practices outlined by the GLBA Safeguard Rule, including:
- Periodic reports to boards and governing bodies
- Secure software development practices
- Identify and manage data according to risk
- Implement and revise data access controls
- Encrypt data in transit and at rest
- Establish secure procedures for data disposal
The GLBA imposes fines, penalties, and possibly jail time for privacy violations and holds organizations accountable for protecting personal information (PII) from unauthorized disclosure.
Penalties for non-compliance include:
- Up to $100,000 fine for organization per violation
- Fines of up to $10,000 for officers and directors per violation, revocation of license and up to 5 years in prison
To comply with the GLBA, companies must take reasonable steps to ensure that nonpublic consumer information will not be exposed in the event of a systems breach.
The Delphix Continuous Compliance Platform gives organizations the tools they need to stay in full global compliance with the GLBA, 2021 Amendments, and Revised Safeguard Rule.
Protecting your non-production data should be at the top of the list to be compliant, as non-production data stores used for DevOps test data management, reporting and analysis contain up to 80% of personal data of a company, according to Delphix customers. These test environments can represent the greatest source of GLBA risk. Non-production data environments are 4-5 times larger than production and often much less secure.
How Delphix Approaches Data Privacy and GLBA Compliance
Delphix Continuous Compliance provides an API-based data platform that enables software development and testing teams to find and hide sensitive data to comply with privacy regulations such as GLBA.
Relevant continuous compliance features include:
- Automatic discovery of PII and other sensitive data
- Irreversible data masking that ensures that data cannot be restored to its original, sensitive version
- Referential integrity of masked data across sources and clouds
- GLBA Risk Identification and Assessment through Data Discovery
With Delphix Continuous Compliance, security teams can report on how data is processed and shared by finding where sensitive consumer data exists in non-production environments.
Delphix enables security teams to create enterprise-level masking policies for GLBA that define what data should be masked, where, and how. Users can then deploy these policies consistently across different data sources and locations.
Because continuous compliance allows security teams to mask PII and other sensitive data submitted to GLBA in the development pipeline, the need to remove anything in these lower environments is eliminated. With robust data masking, the data simply cannot be traced back to an individual consumer, with the data being rendered completely blinded and desensitized.
Continuous Compliance takes compliance a step further by hard-masking consumer data in DevOps test data management environments, ensuring data is anonymized across all databases through referential integrity.
Unlike traditional solutions that take months to implement, Continuous Compliance can be implemented in days to advance the December 2022 deadline.
With Delphix Continuous Compliance, financial services, retail, insurance and higher education institutions can help ensure compliance with GLBA’s strict definition for consumer data protection.
Download our solution brief for more information on how Delphix can help with data compliance for the Gramm-Leach-Bliley Act (GLBA).