The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect consumer financial privacy. The Safeguards Rule mandates an information security program, including an incident response plan. When unauthorized access to sensitive customer data occurs, this plan must be activated. A key component is assessing the risk and, if misuse of information is reasonably possible, notifying the affected customers. This notification allows customers to take steps to protect themselves from potential identity theft or fraud. The institution must also take immediate action to safeguard the data and prevent further unauthorized access.

A. Ignoring any breach of protected data is a direct violation of the GLBA Safeguards Rule, which mandates a response program for all such incidents. B. Sharing sensitive customer data with third parties without a valid legal or business reason and proper controls violates GLBA's privacy provisions. C. While notifying law enforcement is a crucial step, GLBA guidelines also require notifying affected customers if their data is at risk.

1. Federal Trade Commission. (2002). Financial Institution Letters: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. FIL-27-2005. Retrieved from FDIC official publications. The guidance states

"When the institution becomes aware of an incident of unauthorized access to sensitive customer information

the institution should conduct a reasonable investigation... If the institution determines that misuse of its information about a customer has occurred or is reasonably possible

it should notify the affected customer as soon as possible."

2. Gramm-Leach-Bliley Act

15 U.S.C. §§ 6801-6809

Section 501(b) (Safeguards Rule). This section mandates that financial institutions establish appropriate standards for protecting the security and confidentiality of customers' nonpublic personal information.