- Companies that must safeguard your financial information
- What companies must do to protect your financial information
The federal Gramm-Leach-Bliley Act (GLB) requires financial institutions to adopt procedures to safeguard your personal information.
The following businesses are considered financial institutions and must adopt procedures to safeguard your personal information. They are all covered by the Federal Trade Commission's (FTC) Safeguards Rule:
- Debt collectors.
- Credit unions.
- Investment brokers.
- Retailers that extend credit by issuing credit cards to consumers.
- Check cashing businesses.
- Mortgage brokers.
- Consumer reporting agencies (credit bureaus).
3. What Companies Must Do to Protect Your Financial Information
Generally, companies are left on their own to develop security programs that are appropriate to their individual size and operations. Security under GLB translates to “guidelines” rather than strict rules for compliance. There are some things a financial institution must do. For example, financial institutions are required to:
- Develop a written security plan.
- Designate responsible employees.
- Assess risks to customer data.
- Test and monitor safeguards.
Other than these requirements, security procedures are generally left up to the financial institution. The FTC identified three areas as important to security: (1) employee management and training; (2) information systems; and (3) managing system failures. The FTC’s Safeguards Rule provides steps a company should take to secure information.
The Safeguards Rule only applies to “customers” of a financial institution. You are a “customer” if you have an “ongoing” relationship with the company. Supplying personal information alone is not enough to make you a customer.
For example, you may cash a check or make an ATM withdrawal from a bank where you do not have an account. To complete the transaction, you will probably have to supply your drivers’ license number or other identifying information.
It makes no difference whether these transactions are a one-time event or you cash your checks at the same place every week. If you do not have an ongoing relationship with the company that cashes your checks – meaning you don’t have an established account -- you are not a “customer” whose data is covered by the security requirements.