What is the GLBA?

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was enacted in 1999. The GLBA regulates how financial institutions handle consumers' personally identifiable information (PII). The law requires that financial institutions disclose how they share personal information and have information security programs in place to protect consumer data.

Institutions that Must Follow GLBA Regulations

  • Accountants
  • Banks & credit unions
  • Brokerage firms
  • Credit reporting companies
  • Debt collectors
  • Financial advisory firms
  • Mortgage lenders
  • Insurers
  • Payday lenders
  • Real estate firms & appraisers
  • Retailers
  • Tax preparers
  • Universities

Data Protected Under the GLBA

  • Addresses
  • Bank account and financial data
  • Biometric and related data
  • Birth dates
  • Credit history (including property records or purchasing history)
  • Education records
  • Employment data
  • Income
  • Geolocation data
  • Names
  • Social Security data
  • Tax information

Achieving GLBA Compliance

The GLBA is comprised of three components, the Privacy Rule, The Safeguards Rule, and the Pretexting Rule. Institutions need to meet the requirements of all three to be compliant. GLBA audits are conducted annually.

Safeguards Rule

The GLBA Safeguards Rule requires institutions to have an information security program in place that protects consumer data. An updated version of the rule takes effect in June 2023. The latest version of the rule is comprised of the following nine elements that organizations need to meet.

Element 1: Requires institutions to designate a qualified individual responsible for overseeing and implementing the information security program.

Element 2: Conduct a risk assessment that identifies internal and external risks to customer data security, confidentiality, and integrity.

Element 3: Design and implement security controls to address the risks identified in the assessment.

Element 4: Regularly test and monitor the effectiveness of your controls.

Element 5: Provide employees with security training that reflects your organization’s safeguard controls.

Element 6: Monitor potential risks from third-party vendors.

Element 7: Keep your information security program current. Update security controls based on the results of assessments, monitoring, penetration and vulnerability assessments, and the emergence of new threats.

Element 8: Establish an incident response plan.

Element 9: Your organization’s Qualified Individual must provide a report (in writing) to the Board of Directors or a senior officer at least once a year detailing the status of the information security program.

Financial Privacy Rule

The GLBA Financial Privacy Rule places requirements on how institutions may collect and handle consumers’ nonpublic personal information (NPI). NPI is defined as:

  • Any information an individual provides to get a financial product or service (name, address, income, Social Security number, etc.)
  • Any financial information from a transaction involving financial products or services (account numbers, payment history, loan or deposit balances, credit or debit card purchases, etc)
  • Any information about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report)

Information that is publicly available through federal, state, and local government records is not considered NPI. Data that is distributed through media such as phonebooks, newspapers, and websites accessible to the general public is also exempt.

Privacy Notices

Institutions must provide consumers with a privacy notice that is "clear and conspicuous," whether it is on paper or on a website. The notice must be easy to read and designed to gain the reader’s or visitor’s attention. An online notice should be placed on a page that consumers use often, or it should be linked directly from a transactions page.

Your privacy notices must include all the following information that is applicable to your organization:

  • Categories of info collected
  • Categories of info disclosed
  • Categories of third parties to whom you disclose the information
  • If your institution discloses NPI to nonaffiliated third parties
  • Your organization’s security measures to protect NPI

Opt-out Rights

Institutions that share NPI with nonaffiliated third parties must give consumers an "opt-out notice" that clearly and conspicuously describes their right to opt out of the information being shared. An opt-out notice must be delivered with a privacy notice, and it can be included in the privacy notice.

The notice must describe a "reasonable means" for opting out. A toll-free telephone number or a detachable form with a check-off box and mailing information qualify as “reasonable means” for opting out. Requiring a written letter is not considered “reasonable means.” Institutions must give consumers a sufficient amount of time to opt out before disclosing their NPI to these nonaffiliated third parties.

Pretexting Rule

Pretexting is a type of social engineering where the bad actor uses a story to try to trick a victim into giving up personal information (a phishing attack is an example of pretexting). The GLBA requires institutions to have policies and procedures in place to detect social engineering scams. Examples of pretexting security measures include requiring customers to provide large amounts of information in order to access their accounts and requiring employees to complete in-depth training on recognizing social engineering attempts.

Risks of GLBA Noncompliance

Failure to comply with the GLBA can be severe, with penalties as large as $100,000 per violation for institutions. Officers and directors could face a $10,000 fine along with up to five years in prison.

Multiple federal and state agencies have authority to enforce GLBA regulations, most notably the Federal Trade Commission (FTC). The Consumer Financial Protection Bureau (CFPB), the Federal Reserve Board, the FDIC, the Office of Thrift Supervision, and the Office of the Comptroller of the Currency also have some degree of enforcement authority.

How We Can Help

At CompliancePoint, we have a wealth of industry experience and knowledge to design, implement, and manage information security and privacy programs that will keep your organization GLBA-compliant. We can help during every step of the GLBA journey by providing risk assessments, penetration testing, vulnerability scanning, privacy assessments, Virtual CISO services, Virtual Privacy services, and more.

Our assessors and consultants are experts on GLBA compliance. Our comprehensive assessments let you identify areas of risk and implement defined security controls to meet all aspects of the law.

Frequently Asked Questions

The three components of the GLBA are the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Rule.

The Financial Privacy Rule of the GLBA restricts how institutions collect and handle consumer data. It also requires that institutions provide privacy and opt-out notices.

The GLBA applies to personally identifiable information (PII), specifically in the possession of financial institutions. Examples of PII include addresses, account information, social security numbers, credit history, employment data, and more.