Data is not only an incredibly powerful tool used by a wide variety of industries, it’s also a necessary tool for global functionality. Legal professionals, real estate companies, marketing agencies, DAAS corporations, financial institutions, law enforcement, and more all need data to perform certain business operations, from legal research to skiptracing to consumer due diligence and list generation. In fact, 53% of North American companies reported using big data analytics in 2017.
Today, data services like Endato’s public and private records database provide professionals with quick access to billions of datasets aggregated from thousands of sources. While the increased accessibility of data makes it easier than ever to search and gather the data you need for your business, it also means there is a greater need for regulations regarding how data can be collected and used. Using data ethically requires a balancing act between private and public information, which is why laws regarding data usage exist.
One of the most important laws that regulate the use of data is the Gramm-Leach-Bliley Act of 1999 (GLBA). Here’s what the GLBA is, the history of the GLBA, what GLBA compliance is, and how Endato maintains GLBA compliance.
The Gramm-Leach-Bliley Act of 1999 (GLBA), also called the Financial Services Modernization Act, is a law that ended regulations preventing banks, stock brokerage companies, and insurance companies from merging to allow them to provide more financial services. Along with ending these regulations, the GLBA also included three rules in Title V that regulate the use of personal information by financial institutions:
- The GLBA Financial Privacy Rule regulates the collection and disclosure of private financial information.
- The Safeguards Rule stipulates that financial institutions must implement security programs to protect such information
- Pretexting provisions prohibit the practice of pretexting (accessing private information using false pretenses).
These laws prohibit financial institutions and databases that buy information from the financial institutions from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various notice and opt-out requirements and the consumer has not elected to opt out of the disclosure. However, the exception to this rule is that these businesses can disclose information to people with permissible use. The permissible use exceptions are:
- Fraud prevention or detection.
- Legal compliance.
- Transactions authorized by the consumer.
- Institutional risk control.
- Law enforcement purposes.
- Use by a person holding a legal or beneficial interest
- Use by a person acting in a fiduciary or representative capacity on behalf of the consumer.
Together, these provisions work to protect consumer information privacy amongst the greater freedom provided with the end of certain financial institution regulations.
As a response to the Great Depression, Congress passed the Glass-Steagall Act of 1933, which prohibited financial institutions, like banks, from affiliating with security companies and acting as brokers to reduce stock market volatility. These regulations were furthered in 1956 by the Bank Holding Company Act, which prohibited banks from controlling non-bank businesses. However, in 1999, there was a push to end these regulations and allow financial institutions to provide more services — leading to the repeal of the Glass-Steagall Act with the passage of the GLBA.
While the push to end certain regulations would allow for greater opportunity in the financial services industry, it also brought issues and concerns about privacy to the forefront. Not only was there a greater public concern about lack of privacy in bank standards, there were also a series of cases in which consequences occurred because banks sold customers’ personal information.
One case occurred in 1997, when the Charter Pacific Bank of Agoura Hills, California sold millions of credit card numbers to an adult website company, which then proceeded to bill customers for access to Internet adult websites and other services they did not request. In 1999, NationsBank was fined millions for securities law violations because it shared customer information with its affiliate subsidiary Nations Securities. The subsidiary then convinced low risk customers to buy low-risk investments.
In response to these events and general public concern, Congress included certain consumer information privacy provisions in the GLBA. These restrictions remain today and are the main laws that regulate the use of personal information by financial institutions and companies (like Endato) that receive information from financial institutions.
- The GLBA was passed to repeal the Glass-Steagall Act and provide financial institutions with more freedom to provide services.
- The move to greater freedom for financial institutions, as well as a variety of privacy violations by banks, brought a heightened concern about financial information privacy.
- To address these concerns and issues with privacy, Congress added consumer information protection rules to the GLBA, which regulates financial institutions today.
If financial institutions do not comply with privacy protections included in GLBA, they can face huge penalties — like fines of $100,000 for each violation. So what do businesses covered by the GLBA do to ensure they maintain compliance?
- Under the Financial Privacy Rule, financial institutions or companies that offer consumers financial products or services are required to provide a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information.
- Businesses covered under the Safeguards rule are required to develop a written information security plan describing its processes and procedures for protecting clients NPI. These businesses must construct a thorough risk analysis on each department handling the nonpublic information, as well as develop, monitor, and test a program to secure the information.
- Under the pretexting provisions, financial institutions are encouraged to identify ways in their information security program, required under the Safeguards Rule, to monitor, detect, and prevent pretexting from occurring. One way they can do this is by training employees on how to detect social engineering attempts, such as someone who is impersonating the account holder through the phone or email.
- Data providers must maintain compliance with the GLBA by verifying people’s permissible use for accessing data.
If permissible use exceptions weren’t in place, data providers like Endato couldn’t provide nonpublic information to users unless the consumer specifically didn’t opt out of having their information shared. These exceptions give Endato users the power to access up-to-date and comprehensive information they may not be able to find elsewhere, which is an incredibly valuable tool for many different professionals. However, this power also comes with a responsibility to use information in a compliant way. To ensure compliance with GLBA privacy laws, Endato uses credentialing, which is the process of verifying a user’s permissible use before allowing the individual to set up an account.
To get credentialed, people will have to provide information to verify that they’re a valid person with a certified business use for the information (like for legal compliance, fraud prevention, or risk control.) This can include a valid bar association number (for attorneys) or another business license, as well as up-to-date professional contact information. Endato then thoroughly vets the user and verifies the provided information to ensure that the individual has a valid business use. If there is reason to believe a user does not have the permissible use they claim, Endato will not allow them to access nonpublic personal data.
Endato credentialing process is designed to both protect information from misuse and also ease the effort of compliance for users. With credentialing, Endato takes on some of the responsibility of compliance by confirming an individual’s GLBA-compliant certification of use before providing protected information to that person — allowing users to take full advantage of Endato’s comprehensive data while helping to maintain compliance with GLBA regulations.
Endato maintains GLBA compliance by requiring applicants to get credentialed before they can set up an account with Endato. To get through the credentialing process, applicants have to provide their reason for use, up-to-date professional contact information, and a business license or valid bar number. Endato then verifies all this information to help ensure the users have permissible use and are maintaining GLBA compliance while accessing data.
Getting familiar with how to use Endato’s search and API products is very helpful in deciding what products you’ll want to use. We’ve created this quick start guide to walk new users through how to use Endato. Happy searching!