This article provides an overview of the Gramm–Leach–Bliley Act (GLBA) and explores its relevance to faxing, emphasizing the need for organizations, including those outside the financial sector, to comply with its data-sharing practices and safeguard sensitive information.
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions, including many organizations that aren’t traditionally viewed as such, to explain their information-sharing practices to their customers and to safeguard sensitive data. GLBA applies to any organization that is “significantly engaged” in providing financial products or services to consumers.
In practice, that definition has been broadly interpreted to include check-cashing businesses, payday lenders, mortgage brokers, debt collectors, non-bank lenders, personal property or real estate appraisers, retailers that issue branded credit cards, professional tax preparers, and even courier services. GLBA also applies to companies that receive information about customers of other financial institutions, including credit reporting agencies and ATM operators. Similar to the way the HIPAA Privacy Rule applies in the healthcare sector, GLBA requires covered organizations to develop their own safeguards and to take the necessary steps to ensure that business associates and service providers also safeguard the customer information shared with them. This includes cloud-based software providers. Properly implementing faxing in your organization to provide secure, real-time electronic delivery of financial data is critical to ensuring that your organization is in full compliance with this mandate.
If your organization is ever found to be in violation of GLBA, you could be fined up to $100,000 per violation. In addition, officers, directors, and other individuals may personally face fines of up to $100,000 per violation, and could even face up to 5 years of prison time.
The primary data protection measures in GLBA are encompassed by the Safeguards Rule, which in many respects is analogous to HIPAA’s Privacy Rule. In addition, the Federal Trade Commission (FTC) has issued the Privacy of Consumer Financial Information Rule (also known as the Financial Privacy Rule, for short).
GLBA safeguards non-public “personally identifiable information” (PII). That can include names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchases, court records from a consumer report, or any other personal financial information that arises from a consumer’s business relationship with a financial services firm.
It’s important to note that GLBA rules cover “customers” and “consumers”, and that those two terms are not used interchangeably. GLBA protections do not merely apply to organizations and individuals with whom you do business directly; they also apply to third-party data that is entrusted to you. If a consumer’s PII is entrusted to you, then you are responsible for safeguarding it.
Whenever anyone in your organization transmits or receives PII via fax, that information should be fully encrypted both “in transit” (that is, while it is being transmitted) and “at rest” (that is, when a copy of the information is stored so that it can be retrieved and viewed later). It’s important that the encryption technology used to protect PII be fully up to date, employing the latest and most secure methods of securing consumers’ data.
At WestFax, we take security very seriously. In fact, thousands of customers rely on us to maintain the highest possible security standards for their fax communications. We use the latest encryption standards and security best practices, including TLS 1.2+ protocols for in-transit faxes and AES 256-bit encryption for fax documents stored in the cloud.
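As an added example that is not WestFax code and makes no claim about how the WestFax service is built, the following Go program shows the two controls the preceding paragraphs call for: a stored fax document sealed with AES-256-GCM (encryption at rest, with integrity protection so a tampered copy is rejected on read), and a client TLS configuration that refuses anything older than TLS 1.2 (encryption in transit). The key and the sample document are constructed in the program; the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// EncryptAtRest seals a stored fax document with AES-256-GCM.
// key must be 32 bytes (AES-256). The returned blob is nonce || ciphertext || tag,
// so the random nonce travels with the document and never needs separate storage.
func EncryptAtRest(key, document []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice it is given.
	return aead.Seal(nonce, nonce, document, nil), nil
}

// DecryptAtRest reverses EncryptAtRest. Because GCM authenticates the data,
// any modification of the stored blob makes Open return an error.
func DecryptAtRest(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// InTransitTLSConfig returns a client TLS config that enforces TLS 1.2 or newer,
// matching the "TLS 1.2+" requirement for faxes in transit. Go's default
// MinVersion is already 1.2, but setting it explicitly makes the policy visible
// and survives future changes to the default.
func InTransitTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	// Constructed sample key and document; a real deployment would load the
	// key from a key-management system, never from source.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	doc := []byte("constructed sample fax page: account number PLACEHOLDER")

	blob, err := EncryptAtRest(key, doc)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptAtRest(key, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && string(plain) == string(doc))

	// Flip one bit of the stored copy: the authenticated cipher must reject it.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptAtRest(key, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	fmt.Printf("minimum TLS version enforced: %#x\n", InTransitTLSConfig().MinVersion)
}
```

The at-rest half deliberately uses an authenticated mode (GCM) rather than bare AES-CBC, so a corrupted or altered stored fax is detected rather than silently decrypted into garbage; the in-transit half is only the version floor, and a production client would also set `RootCAs` or rely on the system trust store so the server's certificate is verified.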
WestFax systems are deployed in secure SOC 2 compliant data centers, staffed 24×7 with security guards and further protected by video surveillance. WestFax data is stored and managed in dedicated servers deployed in access-controlled server cages, with biometric control measures and logged, audited access. Our security standards meet or exceed a wide range of compliance standards, including GLBA, HIPAA, PCI-DSS Level 1, SOC 2 Type II, and SOC 3.
WestFax has built a fax network that serves the enterprise faxing needs of financial organizations every day. We are a leading secure cloud fax provider, based in the United States and serving our customers proudly since 1999. With over 20 years of experience, we have the background and knowledge to ensure your PII and fax data is secure and that your organization remains in full compliance with GLBA, HIPAA, and other privacy and security regulations.
If your organization is seeking a best-in-class cloud fax service that meets the highest security standards, contact us to learn how WestFax can help you.
When sending or receiving credit card information by fax, you must ensure that proper security measures are in place to protect against data breaches and to maintain PCI compliance.
Dropbox is a popular service for storing and sharing files. Covered entities subject to HIPAA should approach Dropbox cautiously, though, just as they would with any other technology platform.