Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to protect customer data through comprehensive information security programs and transparent privacy practices.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices and to safeguard sensitive customer data. The act's Safeguards Rule, updated significantly in 2023, mandates that financial institutions develop, implement, and maintain a comprehensive information security program. GLBA applies broadly to entities 'significantly engaged' in financial activities, including banks, securities firms, insurance companies, mortgage brokers, tax preparers, and even automobile dealers that extend credit.
GLBA has three principal components. The Financial Privacy Rule requires institutions to provide privacy notices explaining what data they collect, how it is shared, and how it is protected. The Safeguards Rule mandates a written information security program with a designated qualified individual overseeing it, regular risk assessments, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information systems, activity monitoring and logging, secure development practices, and vendor management programs. The updated rule requires periodic penetration testing and vulnerability assessments, incident response planning, and annual reporting to the board of directors. The Pretexting Rule prohibits using false pretenses to obtain customer financial information. Enforcement is shared among the FTC, federal banking regulators, state insurance regulators, and the SEC depending on the type of institution.
GLBA violations can result in fines up to $100,000 per violation for institutions and $10,000 per violation for individuals, plus potential imprisonment. The 2023 Safeguards Rule updates significantly raised the bar for cybersecurity programs at financial institutions. For organizations in financial services, GLBA compliance requires robust technical controls, documented security programs, qualified security leadership, and regular board-level reporting on security posture.
Written by CDA Editorial