The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a United States federal law. At its core, the GLBA requires financial institutions to exercise due care in protecting their customers’ non-public personal information. GLBA compliance requires organizations not only to protect customer information but also to disclose how they share it. The act also requires financial institutions to give customers the right to opt out if they do not want their data shared with non-affiliated third parties.
The GLBA Demands Financial Institutions Protect Customer Data
At the core of the GLBA’s data-protection requirements is the Safeguards Rule, issued by the Federal Trade Commission under the act. It prescribes a set of controls that financial organizations must implement to safeguard the customer data they collect. It requires enterprises to designate a qualified individual to coordinate the information security program, identify and assess the risks to customer information, and design, implement and test safeguards that address those risks. It also requires organizations to monitor their safeguards and reassess risk regularly, and to use only service providers that maintain comparable safeguards, with that obligation written into the contract.
Understanding the Difference Between Authentication and Access
In information security, authentication and access control are distinct. Authentication is the process of verifying the identity of a user before allowing them entry to a particular system. Access control, or authorization, defines what an authenticated user can do once they have gained entry: which customer records they can read and which they can change. Strong authentication without tight authorization still leaves every authenticated user able to reach every customer record, so the two must be designed together, with each user granted only the access their role requires. There are multiple technology solutions that organizations can implement to provide secure authentication and access control. While the GLBA does not prescribe which technologies an organization must deploy, it does require them to put in place safeguards that protect their customers’ data.
Implementing Multi-Factor Authentication Reduces Password-Based Risks
When it comes to authentication, the traditional combination of a username and password has long been the standard mechanism for verifying user identity. On its own, this mechanism is no longer considered secure. One problem is that most people use their email address as a username, so half of the credential is public. The other is that people either reuse the same password across multiple sites or choose one that is easy to guess. Attackers exploit these habits with automated tools: credential stuffing replays username and password pairs leaked from other breaches, and password spraying tries a few common passwords against many accounts. If a username and password are the only mechanism standing between an attacker and sensitive customer data, the information is not secure. Even though the original statute does not say so explicitly, financial organizations should protect their systems with Multi-Factor Authentication (MFA).
The GLBA states that organizations must protect customer data under their care. Since usernames and passwords alone are not secure, organizations need to bolster their authentication with MFA. By requiring a user to submit an additional verification factor when signing in, financial enterprises add a needed layer of protection to their critical systems and move closer to meeting their GLBA obligations. Because an attacker would also need the second factor, which is typically either a device in the user’s possession or something unique to the user such as a biometric identifier, MFA strengthens authentication and defeats attacks that rely on a stolen or guessed password alone. Not all second factors resist the same attacks, however: one-time codes delivered by SMS or generated by an authenticator app can be phished or relayed in real time by a proxy sitting between the user and the site, whereas FIDO2/WebAuthn authenticators bind the credential to the site’s origin and therefore resist phishing. Where possible, a phishing-resistant factor should protect access to customer data.
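To show what the “something the user has” factor above looks like in practice, here is an added example that is not part of the original article: a server-side verifier for time-based one-time passwords (TOTP, RFC 6238), which is what authenticator apps generate. It uses only the Go standard library. The shared secret is the RFC 6238 test-vector secret, used here purely as a constructed sample; the function names and the one-step clock-skew window are choices made for this example, not anything the article prescribes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Constructed sample shared secret (the RFC 6238 test-vector secret). In
// production a random secret is generated per user, provisioned once to the
// authenticator app (for example via a QR code) and stored encrypted server-side.
var sampleSecret = []byte("12345678901234567890")

const (
	totpStep    = 30      // seconds per time step
	totpDigits  = 6       // code length shown to the user
	totpModulus = 1000000 // 10^totpDigits
)

// hotp computes an RFC 4226 HMAC-based one-time password for a counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%totpModulus)
}

// totp derives the HOTP counter from Unix time in 30-second steps (RFC 6238).
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep))
}

// verifyTOTP checks a submitted code against the current step and one step on
// either side to tolerate clock skew, comparing in constant time. lastUsedStep
// is the step of the last accepted code for this user; any code for that step
// or an earlier one is rejected so a captured code cannot be replayed. It
// returns whether the code was accepted and the step to record as last used.
func verifyTOTP(secret []byte, submitted string, unixTime int64, lastUsedStep int64) (bool, int64) {
	current := unixTime / totpStep
	for skew := int64(-1); skew <= 1; skew++ {
		step := current + skew
		if step <= lastUsedStep {
			continue
		}
		expected := hotp(secret, uint64(step))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, step
		}
	}
	return false, lastUsedStep
}

func main() {
	// At T=59 the RFC 6238 test vector gives 287082 for this secret (SHA-1, 6 digits).
	code := totp(sampleSecret, 59)
	fmt.Println("code at T=59:", code)

	ok, step := verifyTOTP(sampleSecret, code, 59, -1)
	fmt.Println("first use accepted:", ok, "step:", step)

	// The same code presented again is a replay and must be rejected.
	ok, _ = verifyTOTP(sampleSecret, code, 59, step)
	fmt.Println("replay accepted:", ok)
}
```

The replay check is the part most home-grown verifiers omit: without it, a code phished from the user stays valid for the whole skew window, which is exactly the relay attack described above.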
Encryption Protects Customer Data When Access Controls Fail
Encryption is another technology that organizations can use to safeguard customer information under their care. By encrypting data both in transit and at rest, financial enterprises ensure that an attacker who obtains the raw bytes, whether from a captured network stream, a stolen backup or a copied database file, gains nothing useful without the key. Section 501(b) of the GLBA requires financial institutions to establish safeguards that ensure the security and confidentiality of customer records, protect against threats to the integrity of those records, and protect against unauthorized access to them.
Like Multi-Factor Authentication, encryption is not named in the statute itself. However, encrypting sensitive data is an industry best practice even when other technical measures protect it. Should an individual gain unauthorized access to stored customer data, the information remains confidential because they cannot read it. Encryption is a particularly useful measure in the event of a data breach: if attackers gain entry to an organization’s systems, they may be able to exfiltrate the data, but they cannot read it. Two caveats apply. First, this holds only if the keys are managed separately from the data, for example in a key management service or hardware security module, and are not reachable from the compromised system; an attacker who takes over an application that holds the decryption key sees plaintext just as the application does. Second, encryption alone protects confidentiality, not integrity; using an authenticated mode such as AES-GCM, which rejects any ciphertext that has been modified, covers the integrity requirement of Section 501(b) as well.
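The following is an added example, not code from the original article, showing encryption at rest with AES-256-GCM as discussed above: a customer record is sealed so that an exfiltrated copy is unreadable without the key, any tampering is detected, and a ciphertext cannot be silently swapped between customers. The key, record ID and JSON record are constructed samples; in a real deployment the key comes from a KMS or HSM rather than a variable next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample 32-byte AES-256 key. Example only: a production key is
// generated and held in a KMS/HSM, not stored beside the database.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// encryptRecord seals a customer record with AES-256-GCM. The stored blob is
// nonce || ciphertext || tag. The record ID is bound as associated data, so a
// blob copied from one customer's row to another fails to open.
func encryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptRecord opens a blob produced by encryptRecord. A wrong key, a modified
// ciphertext or tag, or a mismatched recordID all fail authentication.
func decryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed sample record; the values are not real.
	record := []byte(`{"name":"A. Example","account":"000000000","balance":1234.56}`)
	blob, err := encryptRecord(sampleKey, "cust-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d opaque bytes, plaintext present: %v\n",
		len(blob), bytes.Contains(blob, []byte("Example")))

	// Exfiltrated blob, attacker has no key: nothing recoverable.
	wrongKey := make([]byte, 32)
	_, err = decryptRecord(wrongKey, "cust-42", blob)
	fmt.Println("wrong key:", err)

	// One ciphertext byte flipped in storage: integrity failure, not silent corruption.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptRecord(sampleKey, "cust-42", tampered)
	fmt.Println("tampered:", err)

	// Blob moved to another customer's row: associated data mismatch.
	_, err = decryptRecord(sampleKey, "cust-43", blob)
	fmt.Println("swapped record:", err)

	pt, err := decryptRecord(sampleKey, "cust-42", blob)
	fmt.Println("authorized read:", string(pt), err)
}
```

Note what the example does not defend against: the `main` function holds `sampleKey` in the same process that holds the ciphertext, which is precisely the situation the caveat above warns about. Moving the key to a KMS and having the application request decryptions, logged and rate-limited, is what turns this from a demonstration into a safeguard.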
A Layered, Defense-in-Depth Approach Supports GLBA Compliance
The GLBA demands that organizations put the necessary safeguards in place to protect their customers’ data. Although the statute itself does not name Multi-Factor Authentication or encryption, putting these measures in place follows the spirit of the law, and the FTC’s amended Safeguards Rule (16 CFR Part 314, amended in 2021) now explicitly requires both MFA for anyone accessing customer information systems and encryption of customer information in transit and at rest. Neither control is sufficient on its own: MFA limits who can get in, access control limits what they can reach, and encryption limits what an intruder who gets past both can read. Deployed together, these layers let financial institutions sharply reduce the risk of unauthorized access to customer data in a continually evolving threat landscape.