Data Privacy for Financial Services: The Importance of GLBA & NYDFS Compliance



Financial services organizations collect massive amounts of personal information from customers on a daily basis. Without close attention to data privacy, these organizations are at risk of data breaches and noncompliance, both of which can lead to serious consequences.

With this in mind, financial companies such as investment banks, mortgage companies, brokerage firms, insurance companies, and others are held to a specific standard of data privacy under a variety of laws and regulations worldwide. In this blog, we’ll be discussing the Gramm-Leach-Bliley Act (GLBA) and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.

The Gramm-Leach-Bliley Act (GLBA)

The GLBA, enacted in 1999, is a federal law that applies to organizations that provide financial services or products to customers. The law applies to financial organizations like banks and insurance companies, but it also applies to higher education institutions, car dealerships, and other institutions that are “significantly engaged” with financial data.

The GLBA protects “nonpublic personal information,” or NPI, which can include credit card numbers, account numbers, Social Security numbers, and any other type of personal data that is collected by applicable institutions. The law includes separate rules for data management, including:

  • The Financial Privacy Rule: This rule requires financial institutions to be transparent about how customers’ data is being used and protected. Institutions must provide privacy notices with this information, and they must also explain consumers’ rights to opt out of data sharing.
  • The Safeguards Rule: This rule details how sensitive data and personal information should be protected by financial organizations, with specific requirements focused on data security programs and procedures.

In order to remain GLBA compliant, it’s important for financial institutions to pay special attention to employee management and training, information systems, and security management. Companies that fail to comply may face $100,000 fines per violation, while individuals who fail to comply may face $10,000 fines per violation plus prison time. By remaining GLBA compliant, your organization will not only be able to avoid these fines, but you’ll also gain greater customer trust and loyalty as you safeguard information.

The NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation is a combination of several different cybersecurity requirements that apply to financial institutions. Under this law, regulated institutions in New York are held responsible for developing robust cybersecurity plans to protect sensitive financial data.

If this regulation applies to your organization, you must have these measures in place, among others:

  • Extensive cybersecurity plans and policies, including disaster recovery plans
  • An information security officer on staff
  • A system for reporting all cybersecurity incidents and threats
  • Cybersecurity defense to protect against all threats
  • An incident response plan with prompt notices in the event of a breach
  • Data encryption and multi-factor authentication
  • Annual cybersecurity reports, audit trails, and certifications
  • Proper access controls for sensitive data

In a March 2019 addition to the NYDFS Cybersecurity Regulation, new rules were created for financial institutions that use third-party services to collect and manage sensitive data. The rules require thorough risk evaluation, regular security assessments, and process documentation of all third-party services.

Stay compliant with FormAssembly

FormAssembly is an all-in-one online form builder and data collection platform that helps organizations in all industries collect and manage their data more effectively. With our drag-and-drop form builder, high standards of security and compliance, and robust integrations, we make it easy to securely collect the data you need to succeed.

Our Enterprise plan offers compliance with GLBA, NYDFS, and PCI DSS standards, making it well suited to organizations that collect and manage sensitive financial information. Dive deeper into the data security and privacy regulations we support with our GLBA Compliance Checklist.
