Is Your Financial Information Safe?


  1. Introduction
  2. Companies that must safeguard your financial information
  3. What companies must do to protect your financial information
  4. Pretexting

1. Introduction

The federal Gramm-Leach-Bliley Act (GLB):

  • Requires financial institutions to adopt procedures to safeguard your personal information.
  • Prohibits other people from using false pretenses (known as pretexting) to obtain your personal financial information.

2. Companies That Must Safeguard Your Financial Information

The following businesses are considered financial institutions and must adopt procedures to safeguard your personal information. They are all covered by the Federal Trade Commission's (FTC) Safeguards Rule:

  • Debt collectors.
  • Banks.
  • Credit unions.
  • Investment brokers.
  • Retailers that extend credit by issuing credit cards to consumers.
  • Check cashing businesses.
  • Mortgage brokers.
  • Non-depository lenders.
  • Consumer reporting agencies.

3. What Companies Must Do to Protect Your Financial Information

Generally, companies are left on their own to develop security programs that are appropriate to their individual size and operations. Security under GLB translates to “guidelines” rather than strict rules for compliance. There are some things a financial institution must do. For example, financial institutions are required to:

  • Develop a written security plan.
  • Designate responsible employees.
  • Assess risks to customer data.
  • Test and monitor safeguards.

Other than these requirements, security procedures are generally left up to the financial institution. The FTC identified three areas as important to security: (1) employee management and training; (2) information systems; and (3) managing system failures. The FTC’s Safeguards Rule provides steps a company should take to secure information.

The Safeguards Rule only applies to “customers” of a financial institution. You are a “customer” if you have an “ongoing” relationship with the company. Supplying personal information alone is not enough to make you a customer.

For example, you may cash a check or make an ATM withdrawal from a bank where you do not have an account. To complete the transaction, you will probably have to supply your drivers’ license number or other identifying information.

It makes no difference whether these transactions are a one-time event or you cash your checks at the same place every week. If you do not have an ongoing relationship with the company that cashes your checks – meaning you don’t have an established account -- you are not a “customer” whose data is covered by the security requirements.

4. Pretexting

Pretexting occurs when someone gains access to your personal information through false pretenses. Another person may want your personal financial information for any number of reasons. Another term for pretexting is “social engineering.” Here are just some of the ways your information could be used against you:

  • Your bank account could be depleted.
  • Your information could be sold to a data broker.
  • The information could be used by an identity thief.
  • The information could be used against you in court or for an investigation.

GLB prohibits fraudulent access to your financial information. For example, it is unlawful for someone to call you and trick you into giving personal information, or call someone else such as your bank. It also prohibits someone from using a forged or stolen document to get your information.

The law includes civil as well as criminal penalties for one who uses false pretenses to get your personal financial information.

No one is immune from pretexting. However, there are certain life situations in which you could be more vulnerable than others to pretexting. Here are a few questions you can ask to assess your risk level:

  • Am I a public figure such as a politician or entertainer?
  • Am I a spokesperson for a highly controversial public policy issue?
  • Do I have considerable personal wealth?
  • Am I engaged in a high-stakes court battle or a nasty divorce where significant sums of money and/or child custody are involved?
  • Am I an executive or researcher of a company in a highly competitive environment, one that is involved in developing cutting-edge products or services?

If you’ve answered “yes” to any of these scenarios, you could be more vulnerable to pretexting.

There are a number of steps that you can take to reduce the chance that you could become a victim of pretexting:


  • Don't give out personal information on the phone or online unless you've initiated the contact or know whom you're dealing with. Pretexters may pose as representatives of survey firms, banks, internet service providers, and even government agencies to get you to reveal your Social Security number, mother's maiden name, financial account numbers, and other identifying information. Legitimate organizations with which you do business already have the information they need and will not ask you for it.
  • Pay attention to your statement cycles. Review your statements carefully and promptly. Report any discrepancies to your institution immediately in writing.
  • Alert family members to the dangers of pretexting. Explain that only you, or someone you authorize, should provide personal information to others.
  • Keep items with personal information in a safe place. Shred any documents containing sensitive information.
  • Use unique and complex passwords on all of your online accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your Social Security number or your phone number, or a series of consecutive numbers.
  • Be mindful about where you leave personal information in your home, especially if you have roommates or are having work done in your home by others.