Data Compliance

How Delphix Helps Ensure Gramm-Leach-Bliley Act (GLBA) Compliance

Any organization that extends credit or loans to US consumers needs to protect their personal information by the December deadline or risk non-compliance

Josh Harbert

Sep 15, 2022

Back in 1999, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, opened new markets for financial institutions by allowing them to consolidate and offer any combination of investment banking, commercial banking, and insurance services to consumers.

The GLBA has three primary sections: The Financial Privacy Rule, regulating the collection and disclosure of private financial information; the Safeguards Rule, which regulates how financial companies collect, disclose, and protect consumers’ private financial information; and the Pretexting Rule, which prohibits accessing private information using false pretenses. The GLBA also requires financial institutions to give customers written privacy policy notices that detail their information-sharing practices.

In 2021, the Act was amended, and violations now carry swift and meaningful consequences. Staying in compliance with data privacy regulations like the GLBA should be top of mind for organizations worldwide that process loans or assume credit risk for consumers in the U.S.

Some examples of industries that must be in compliance with the GLBA include:

  • Financial services (banks, brokerage firms, hedge funds, credit unions, real estate firms, credit reporting companies, non-bank mortgage lenders, accountancies)

  • Insurance companies

  • Retailers extending a credit card

  • Colleges and universities accepting Title IV funds

The GLBA 2021 Amendment

A 2021 amendment to the Gramm-Leach-Bliley Act broadened the definition of financial institutions to encompass not only financial services and insurance, but also retail, higher education, and other industries that extend credit or loans. In addition to the existing regulations, stricter rules were put in place for protecting nonpublic consumer data.

Organizations that process consumer financial data have a December 9, 2022 deadline to comply with specific data security practices outlined by the GLBA Safeguards Rule, including:

  • Periodic reports to boards of directors and governing bodies

  • Secure software development practices

  • Identification and management of data based on risk

  • Implementation and review of data access controls

  • Encryption of data both in transit and at rest

  • Secure procedures for disposing of data

GLBA imposes fines, penalties, and possible prison time for privacy violations and holds organizations responsible for protecting personally identifiable information (PII) from unauthorized disclosure.

Penalties for non-compliance include:

  • Up to $100,000 fine for the organization per violation

  • Up to $10,000 fine for officers and directors per violation, license revocations, and up to 5 years in prison

To comply with GLBA, businesses must take reasonable action to ensure that non-public consumer information will not be exposed if a systems breach occurs.

The Delphix Continuous Compliance platform gives organizations the tools they need to stay in full global compliance with GLBA, the 2021 amendments, and the revised Safeguards Rule.

Protecting your non-production data should be at the top of the compliance list: non-production data stores used for DevOps test data management, reporting, and analytics contain up to 80% of an enterprise’s personal data, according to Delphix customers. These test environments can represent the single largest source of GLBA risk, since non-production data environments are 4-5 times larger than production and often much less secure.

How Delphix Addresses Data Privacy and GLBA Compliance

Delphix Continuous Compliance provides an API-first data platform that enables software development and testing teams to find and mask sensitive data for compliance with privacy regulations such as the GLBA.

Relevant Continuous Compliance features include:

  • Automatic discovery of PII and other sensitive data

  • Irreversible data masking that ensures data cannot be restored to its original, sensitive version

  • Referential integrity of masked data across sources and clouds

  • Identification and assessment of GLBA risks through data discovery

With Delphix Continuous Compliance, security teams can report on how data is being processed and shared by finding where the sensitive consumer data exists in non-production environments.

Delphix enables security teams to create enterprise-level masking policies for GLBA that define what data should be masked, where, and how. Users can then consistently deploy those policies across different data sources and locations.

Since Continuous Compliance enables security teams to mask PII and other sensitive data subject to GLBA in the development pipeline, there is no longer anything to expunge from those lower environments. With robust data masking, the data cannot be traced back to an individual consumer; it is fully desensitized.

Continuous Compliance takes compliance one step further by irreversibly masking consumer data in DevOps test data management environments, ensuring the data is anonymized across all databases through referential integrity.
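To make the two properties above concrete, here is an added illustration (not Delphix code, and not a description of its masking algorithms) of deterministic, keyed, one-way masking: the same input always yields the same token, so a join between a masked customers table and a masked loans table still resolves, while the original values cannot be recovered without the key. The tables, column names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample rows (not real customer data). The same person appears in
# both tables, so masking must map equal inputs to equal outputs to keep joins.
CUSTOMERS = [
    {"customer_id": "C1001", "ssn": "123-45-6789", "email": "alice@example.com"},
    {"customer_id": "C1002", "ssn": "987-65-4321", "email": "bob@example.com"},
]
LOANS = [
    {"loan_id": "L1", "customer_id": "C1001", "ssn": "123-45-6789", "amount": 25000},
    {"loan_id": "L2", "customer_id": "C1001", "ssn": "123-45-6789", "amount": 4000},
    {"loan_id": "L3", "customer_id": "C1002", "ssn": "987-65-4321", "amount": 12000},
]
SENSITIVE = {"customer_id", "ssn", "email"}


def mask_value(key: bytes, column: str, value: str) -> str:
    """Deterministic one-way token for one cell.

    HMAC, not a bare hash: unkeyed SHA-256 of an SSN is reversible by enumerating
    the ~10^9 possible values, so irreversibility rests on the key staying in
    production (or being destroyed) and never shipping with the masked copy.
    The column name is mixed in so equal digits in unrelated columns differ.
    """
    mac = hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def mask_rows(key: bytes, rows: list, sensitive: set) -> list:
    """Masked copies of rows; columns outside `sensitive` are left intact."""
    return [{col: mask_value(key, col, val) if col in sensitive else val
             for col, val in row.items()} for row in rows]


def loans_per_customer(customers: list, loans: list) -> dict:
    """Join loans to customers on customer_id and count loans per customer.

    If referential integrity survived masking, running this on the masked
    tables gives the same counts, keyed by the masked customer_id.
    """
    ids = {c["customer_id"] for c in customers}
    counts = {}
    for loan in loans:
        if loan["customer_id"] in ids:
            counts[loan["customer_id"]] = counts.get(loan["customer_id"], 0) + 1
    return counts
```

Masking both tables with the same key is what keeps the join intact; masking each source with its own key would silently break referential integrity.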

Unlike traditional solutions that take months to implement, Continuous Compliance can be implemented in days to get ahead of the December 2022 deadline.

With Delphix Continuous Compliance, financial services, retail, insurance, and higher education organizations can help ensure compliance with GLBA’s strict definition for protecting consumers’ data.

Download our solution brief for more information on how Delphix can help with data compliance for the Gramm-Leach-Bliley Act (GLBA).