GLBA Financial Privacy Compliance Assessment

Evaluate Gramm-Leach-Bliley Act compliance for financial institutions and healthcare organizations handling payment information, covering privacy notices, safeguards, and pretexting protection

Sectors: Finance, Healthcare, Insurance. Duration: 20 minutes. Length: 20 questions.

1. Privacy Rule Compliance

Do you provide initial privacy notices to customers at account opening?*

16 CFR 313.5: Initial notice of privacy practices before establishing customer relationship

Do you provide annual privacy notices to customers?*

16 CFR 313.8: Annual notice unless exception applies (no info sharing)

Do privacy notices clearly explain information sharing practices and opt-out rights?*

16 CFR 313.6: Notice must describe the categories of information collected and disclosed, and the institution's security practices

Do you provide opt-out mechanisms before sharing nonpublic personal information (NPI)?*

16 CFR 313.7: Opt-out required before disclosing NPI to non-affiliates

2. Safeguards Rule - Administrative

Have you designated a qualified individual to oversee information security?*

16 CFR 314.3(a): CISO or equivalent with authority and accountability

Do you conduct periodic risk assessments of customer information systems?*

16 CFR 314.4(b): Identify reasonably foreseeable internal and external risks

Is an information security program documented and board-approved?*

16 CFR 314.3(b): Written information security program (WISP) required

Do you provide security awareness training to all personnel?*

16 CFR 314.4(e): Train staff on security threats and safeguarding customer info

Is there an incident response plan for security events affecting customer information?*

16 CFR 314.4(i): Plan to respond to and recover from security incidents

3. Safeguards Rule - Technical

Is customer information encrypted in transit and at rest?*

16 CFR 314.4(c): Encryption of NPI during transmission and storage

Is multi-factor authentication (MFA) implemented for all system access?*

16 CFR 314.4(d): MFA or equivalent authentication for accessing customer info

Do you maintain secure development practices for information systems?*

16 CFR 314.4(g): Secure development, testing, and change management

Are systems continuously monitored for unauthorized access or anomalies?*

16 CFR 314.4(h): Monitor activity to detect and respond to security events

4. Safeguards Rule - Physical

Are physical access controls in place for facilities storing customer information?*

16 CFR 314.4(a): Restrict physical access to authorized personnel

Is customer information securely disposed of when no longer needed?*

16 CFR 314.4(a): Secure disposal (shredding, wiping) prevents unauthorized access

5. Pretexting Protection

Do you have procedures to detect and prevent pretexting (social engineering)?*

15 USC 6821: Pretexting Protection - verify customer identity before disclosure

Are employees trained to recognize and report social engineering attempts?*

Pretexting awareness: Phishing, vishing, impersonation tactics

6. Vendor Management

Do you assess and select service providers capable of maintaining GLBA safeguards?*

16 CFR 314.4(d): Service provider due diligence and security capability

Are contracts with service providers binding them to GLBA security requirements?*

16 CFR 314.4(d): Contractual obligation to protect customer information

Do you periodically review and assess service provider security practices?*

16 CFR 314.4(d): Ongoing oversight of vendor safeguards