Personal information that many citizens would consider to be private, such as their bank account numbers and bank account balances, is routinely exchanged for a price by banks and credit card companies. For this reason, the Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, brought in some privacy protections against the sale of citizens’ private information of a financial nature. Also, the GLBA codified protections against pretexting, defined as the act of getting someone’s personal data through false means.
The purpose of the GLBA was to remove regulations that prevented banks, insurance firms, and stock brokerage firms from merging. However, argued critics, if such regulations were removed, merged financial institutions would have access to a huge quantity of citizens’ personal information, with few or no restrictions on how that information could be used. Before the passage of the GLBA, an insurance company holding citizens’ health records, for example, would be distinct from, say, a banking institution that held personal information on clients wanting a home mortgage. With the passage of the GLBA and following the merger of two such firms, they could not only pool the information they had on all of their clients but also sell it to interested third parties.
Because of these risks, the GLBA included three requirements to protect the personal data of individuals: (1) information had to be securely stored; (2) the merged institutions had to advise clients about the policy of sharing personal financial information with others; and (3) the institutions had to give consumers the right to opt out of the information-sharing schemes if they so desired.
On July 26, 2001, EPIC (the Electronic Privacy Information Center) and other advocacy groups filed a petition requesting an amendment to the GLBA to make sure that clients were given improved notice and a more convenient way of opting out of information-sharing schemes.
Because of court cases arising from alleged violations of the GLBA, a number of companies and financial institutions are buying cyber-security insurance. Cyber insurance includes protection for a number of areas not typically found in business insurance, such as protection against damage caused by Denial of Service (DoS) attacks, crack attacks by outsiders and insiders, worms and viruses, and electronic theft of personal information. According to Marsh, Inc., a leading risk and insurance services company, breaches of the GLBA have already resulted in lawsuits totaling more than $1 million per case.
Electronic Privacy Information Center. The Gramm-Leach-Bliley Act. [Online, March 30, 2004.] Electronic Privacy Information Center Website. http://www.epic.org/privacy/glba/; McAlearney, S. Where’s the CyberSecurity Coverage These Days? [Online, May 2, 2005.] TechTarget Website. http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1084419,00.html?track=NL-358&ad=513148.