What is the Gramm Leach Bliley Act?
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the way financial institutions treat individuals' private information. The law consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which requires financial institutions to implement security programs to protect such information; and the Pretexting Provisions, which prohibit the practice of spoofing or gaining access to private information under false pretenses. The law also requires that financial institutions provide customers with written privacy notices that explain their information-sharing practices.
The GLBA repealed large portions of the Glass-Steagall Banking Act of 1933 and the Bank Holding Company Act of 1956. He changed the rules to allow banks, brokerage houses and insurance companies to merge. This created a new structural framework through which a bank holding company could acquire full-service investment banks and insurance companies, while the latter types of companies could set up holding companies to acquire banks. As a result of the GLBA, the Federal Reserve was given expanded supervisory powers to regulate these new types of financial structures.
What is the purpose of GLBA?
The standards established by GLBA complement the data security requirements imposed by the Federal Deposit Insurance Corporation (FDIC). The purpose of the GLB Act is to ensure that financial institutions and their affiliates respect the confidentiality of personal data (PII) from customer records in paper, electronic or other form. The law obliges affected companies to comply with strict data security guidelines.
According to the law, financial institutions are obliged to respect the privacy of their customers and to protect their sensitive personal data securely from unauthorized access.
GLBA compliance requires companies to develop privacy practices and policies that detail how they collect, sell, share, and otherwise reuse consumer information. Consumers must also have the ability to choose what information, if any, a business may disclose or retain for future use.
A related requirement regulates data storage and backup as part of comprehensive written informationsecurity policy. This objective addresses protection against "anticipated threats or dangers" to data that could cause "significant harm or inconvenience" to consumers.
GLBA's PII policies apply to all non-public personally identifiable information, which is defined as information that a customer may provide to facilitate a transaction or that is otherwise obtained by the institution.
Data covered by GLBA
GLBA compliance is designed to reduce the likelihood that an organization will suffer a data breach and face the consequences, including significant financial and legal penalties and damage to reputation. GLBA has become a top priority forChief Information Security Officersand other IT professionals tasked with managing corporate data.
Best practices have emerged, also internallyrisk assessments, regularly testing internal controls and ensuring third-party compliance by business partners and service providers. Practical benefits of regulatory requirements include an increased ability to identify, troubleshoot, and locate critical datadark data, improve consolidation and improve data classification.
Data that falls under the requirements of the GLBA include:
- The address;
- bank account and financial data;
- biometric and related data;
- dates of birth;
- Car dealer;
- credit history (including ownership records or purchase history);
- level of education and school achievements;
- employment data;
- conclusions from other data;
- Internet and other electronic information;
- geolocation data;
- personal income;
- social security data; and
- tax information.
Organizations regulated by GLBA
The passage of GLBA coincided with the advent of internet technologies for conducting business, which in turn created vast amounts of new data and new ways of accessing data. The law broadened the definition of entities classified as financial institutions.
GLBA regulates any institution that is significantly involved in financial activities. Even organizations that do not disclose non-public personal information are encouraged by GLBA to develop a policy to protect information from potential future threats.
In addition to banks, brokerage firms and insurers, GLBA applies to companies that process loans or otherwise take credit risks. Any organization that falls within the scope of GLBA must comply with its regulations, although individual states have the power to enact stricter data protection regulations, as is the case in California and Virginia.
Professions and businesses subject to the provisions of the GLBA include:
- ATM operators
- Car Rentals
- courier services
- credit bureaus
- credit unions
- debt collector
- financial advisory firms
- hedge funds
- non-bank mortgage lenders
- payday lenders
- real estate appraiser
- real estate companies
- tax consultant
How GLBA compliance works
GLBA is divided into three main sections, each of which defines a subset of rules governing compliance. The three sections include the following:
Financial Privacy Rule
As the name suggests, steps to ensure information security are at the heart of the GLBA protection rule. The Federal Trade Commission (FTC) enacted this rule in 2002 and continues to enforce it. The rule directs organizations to use administrative, physical, and technical safeguards as safeguards againstcyber attacks,E-Mail-Spoofing,PhishingSchemes and similar cybersecurity risks.
The rule also requires that an organization designate at least one person to be responsible for all aspects of the information security plan, including development and periodic testing. Dataencryptionand key management are recommended as best practices but are not FTC requirements according to the security rule.
This rule is intended to prevent employees or business partners from collecting customer information under false pretenses, such asSocial DevelopmentTechniques. Although the GLBA has no specific requirements related to pretext, prevention typically involves building employee training to avoid pretext scenarios in the written information security document.
Who enforces the GLBA requirements?
State and federal bank authorities have different powers to enforce GLBA regulations. The FTC can take action in federal district courts against organizations that violate privacy laws. Section 5 of the GLBA gives the FTC authority to review privacy policies to ensure they are being developed and applied fairly.
Enforcement of the protection rule remains with the FTC, although theDodd-Frank-Act2010 New rulemaking powers delegated to the Office of Consumer Financial Protection (CFPB). Other federal agencies that have a role in GLBA enforcement include the Federal Reserve Board, the FDIC, the Office of Thrift Supervision, and the Office of the Comptroller of the Currency. Responsibility for regulating insurance providers rests with individual states.
To avoid compliance errors, a company may choose to hire independent consulting firms. These companies conduct a GLBA audit to assess an organization's informationsecurity situationand develop strategies to keep up with changing legal regulations.
Penalties for GLBA non-compliance
Failure to comply with the GLBA can have serious financial and personal consequences for managers and employees. A financial institution faces a fine of up to $100,000 for each violation. Its officers and directors can be fined up to $10,000, imprisoned for up to five years, or both. Businesses also face increased exposure and a loss of customer trust.
Increased awareness of security risks is one of the benefits companies can derive from GLBA compliance, especially as hackers develop more sophisticated tools to break into computer systems. Aside from improved brand reputation, a company can gain new insights from existing data and improve its data management capabilities.
Recent GLBA cases brought forward by the FTC include:
- Ascension data and analytics.In 2020, the Arlington, Texas-based company agreed to an undisclosed financial settlement after it was discovered that a vendor, OpticsML, had stored customers' financial information in plain text on insecure cloud storage.
- PayPal.The onlinepayment processoragreed to pay the state of Texas $175,000 in 2018 to resolve GLBA and Federal Trade Act violations that compromised the data security and privacy of customers using its peer-to-peer Venmo application.
- TaxSlayer.For several months in 2015, hackers were able to access almost 9,000 customer records from the Augusta, Georgia, online tax advisor. As part of the settlement with the FTC, the company is prohibited from violating the GLBA Privacy Rule and Security Rule for 20 years and is required to have its compliance assessed by a third party every two years for 10 years.
Learn more about privacy regulations and compliance
Examine the cloud industry's response to GDPR and CCPA compliance
How companies navigate the GDPR data management rules
4 GDPR strategy tips to whip IT processes into shape
6 business benefits of data protection and GDPR compliance
Criticisms, problems and GLBA revisions
Critics of the GLBA have claimed that the measure's enforcement violated the regulatory capabilities of the Health Insurance Portability and Accountability Act (HIPAA) and privacy laws as enacted in California. The GLBA gives individuals the responsibility to notify companies when they object to data collection. The limited opt-out rights allow for greater data sharing between larger companies, which is the opposite of what was intended, critics said.
Some economists blamed the GLBA for contributing to the 2008 financial recession. They argued that the repeal of the Glass-Steagall Act opened the doors for banks to speculative investing with short-term hedge funds and other high-yield, high-risk financial instruments.
Other financial experts claimed that the GLBA played only a marginal role in the economic crisis. They pointed to a spate of subprime mortgages owned by Fannie Mae and Freddie Mac that Congress has mandated to buy to create affordable housing in low-income neighborhoods.
GLBA and GDPR
GLBA and the European General Data Protection Regulation (GDPR) have different goals, but both define data security and consumer protection. While the GLBA sets data protection rules for financial institutions, the GDPR covers all organizations that process an individual's personal data in the course of conducting business.
Like GLBA, GDPR encourages companies to be more transparent about how they collect and handle sensitive information. This includes personally identifiable information about individuals and any metadata that can be used to identify or characterize them.
In 2021, the General Assembly of the Commonwealth of Virginia passed the Virginia Data Protection Act, becoming the second state to enact regulations that strengthen consumer protections. Virginia law reflects many provisions of the California Privacy Rights Act (CPRA). CPRA is an enhanced version of theCalifornia Consumer Privacy Act, which guarantees individuals the right to know all personal data that a company may collect. CPRA gives Californians and others broad powers to receive, delete, and limit the use of personal information. Any organization doing business in California may be subject to CPRA rules.
Illinois, New York, Oregon, Texas and Washington are updating existing security laws, and the National Association of Insurance Commissioners has developed a model law that allows states to develop laws that protect personal information consistently.
History of the GLB
The Gramm-Leach-Bliley Act is named for the lawmakers who sponsored it: Sen. Phil Gramm (R-Texas), Rep. Jim Leach (R-Iowa), and Rep. Thomas Bliley (R-Va.). The US Senate passed GLBA in May 1999 by a vote of 54 to 44. The US House of Representatives approved a version of the law in July 1999 by a vote of 343 to 86. A revised version of the bill passed both houses on November 4, 1999 - by a vote of 90 to 8 in the Senate and 362 to 57 in the House of Representatives; President Bill Clinton signed GLBA into law on November 12.
GLBA emerged during a wave of government business regulation in the late 1990s. Congress passed HIPAA in 1996 and theSarbanes-OxleyPublic Enterprise Accounting Reform and Investor Protection Law of 2002.
Federal agencies had relaxed some Glass-Steagall bans in the years leading up to the GLBA. These moves helped pave the way for commercial banks and investment firms to merge and sell integrated financial services. However, this development renewed privacy concerns that had been smoldering for several years.
The EU Data Protection Directive, a 1995 European law that imposed stricter requirements on US companies, was emblematic of this concern. Any US company offering products or services to EU citizens must provide them with the same level of data protection as is imposed by data sharing in their home countries. The European Union approved the GDPR in 2016 to replace the Data Directive; The GDPR came into force in 2018.
In 1999, the year GLBA became law, the U.S. Bancorp, based in Minneapolis, Minnesota, is being sued by the state of Minnesota for sharing confidential customer information with a telemarketing company that allegedly charged their accounts without permission. In 1999, Charter Pacific Bank of Agoura Hills, California was involved in a porn scam after selling a California-based company access to a database of credit card accounts. According to the FTC, the company used fictitious names and fake merchant accounts to charge unsuspecting customers over $40 million for access to porn websites. The FTC won a $37.5 million judgment against the company's owners. Selling access to the credit card database was not illegal, allowing the bank to avoid financial penalties.
Learn more about how to comply with a range of new consumer privacy laws and regulationsEffects on IT and security processes.
What is the main purpose of the Gramm-Leach-Bliley Act? ›
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.Who does the Gramm-Leach-Bliley Act apply to? ›
GLBA became law in 1999. The law applies to many types of financial institutions. The law covers banks, savings and loans, credit unions, insurance companies and securities firms.What are the two significant parts of the Gramm-Leach-Bliley Act? ›
The GLBA requires companies that qualify as “financial institutions” to take several affirmative steps in order to prevent the unauthorized collection, use, and disclosure of NPI. It imposes these obligations under two “Rules”: (i) the Privacy Rule, and (ii) the Safeguards Rule.What is the Gramm-Leach-Bliley Act known as? ›
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways financial institutions deal with the private information of individuals.What are the main privacy requirements of the GLBA law? ›
The GLBA privacy rules, as enforced by the various regulators, generally require: Clear and conspicuous notice of the financial institution's information-sharing policies and practices, including what information it collects and with whom it shares the information.What are the three main security goals of the Gramm-Leach-Bliley Act security requirements? ›
Protect the security and confidentiality of Covered Data; • Protect against anticipated threats or hazards to the security or integrity of Covered Data; and • Protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Customer.Who is not covered by GLBA privacy Rule? ›
 GLBA also does not apply when a financial institution collects information from an individual that is not applying for a financial product.Which industry is most impacted by the Gramm-Leach-Bliley Act? ›
We find that the law has a differential impact across the financial services industry. All three industries have gained due to this law with commercial banks benefiting most, followed by the insurance industry.What disclosures are required by the Gramm-Leach-Bliley Act? ›
The regulation requires a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers).What is not covered by the right to financial privacy Act? ›
NOTE: RFPA does not apply to prohibit or limit the FDIC's disclosure of financial information to state authorities, including banking, law enforcement and other state agencies such as appraisal certification boards.
What is the Gramm-Leach-Bliley Act How does it apply to investigators? ›
The GLBA protects customers' nonpublic personal financial information held by banks and other financial institutions. The Act requires such entities to protect customer information, and the protection extends to Consumer Reporting Agencies (CRAs) such as private investigation agencies.What is the difference between Hipaa and GLBA? ›
HIPAA protects a patient's healthcare information, SOX protects financial information of public companies, and GLBA protects the data of financial institution customers.What is the main purpose of the Gramm-Leach-Bliley Act quizlet? ›
The GLBA's purpose was to remove legal barriers preventing financial institutions from providing banking, investment and insurance services together.What personal information is protected by the Privacy Act? ›
The Privacy Act of 1974, as amended to present, including Statutory Notes (5 U.S.C. 552a), Protects records about individuals retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol.What are the 6 privacy principles? ›
- Lawfulness, fairness and transparency. ...
- Purpose limitation. ...
- Data minimisation. ...
- Accuracy. ...
- Storage limitation. ...
- Integrity and confidentiality.
- Confidentiality: The degree of confidentiality determines the secrecy of the information. ...
- Authentication: Authentication is the mechanism to identify the user or system or the entity. ...
- Integrity: ...
- Non-Repudiation: ...
- Access control: ...
- Availability. ...
- Integrity. ...
- Confidentiality. ...
What are the 3 Principles of Information Security? The basic tenets of information security are confidentiality, integrity and availability. Every element of the information security program must be designed to implement one or more of these principles. Together they are called the CIA Triad.What is considered non public information under the Gramm-Leach-Bliley Act? ›
(A)The term “nonpublic personal information” means personally identifiable financial information— (i)provided by a consumer to a financial institution; (ii)resulting from any transaction with the consumer or any service performed for the consumer; or (iii)otherwise obtained by the financial institution.What is considered non public personal information? ›
means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution.
Can a bank disclose customer information? ›
A banker is under a statutory obligation to disclose the information relating to his customer's account when the law specifies required. The banker would, therefore, be justified in disclosing information to meet the following statutory requirements: Under the income tax act. Under the company acts.Why was the Gramm-Leach-Bliley Act controversial? ›
There was a broad belief that separation would lead to a healthier financial system. It became more controversial over the years and in 1999 the Gramm-Leach-Bliley Act repealed the provisions of the Banking Act of 1933 that restricted affiliations between banks and securities firms.What are the four types of disclosure? ›
- Health Disclosure Form.
- Property Disclosure Form.
- Seller Disclosure Form.
- Agency Disclosure Form.
- Financial Disclosure.
Protecting Consumers' Financial Privacy
The FTC is one of the federal agencies that enforces provisions of Gramm-Leach Bliley, and the law covers not only banks, but also securities firms, and insurance companies, and companies providing many other types of financial products and services.
Notes to the financial statements disclose the detailed assumptions made by accountants when preparing a company's: income statement, balance sheet, statement of changes of financial position or statement of retained earnings.Which type of information is not protected by privacy regulations? ›
The Privacy Rule does not protect individually identifiable health information that is held or maintained by entities other than covered entities or business associates that create, use, or receive such information on behalf of the covered entity.What transactions would not require a privacy notice? ›
If the financial institution does not intend to share a consumer's nonpublic personal information with nonaffiliated third parties, no initial notice is required. There are, however, some limited situations in which the regulation allows a bank to delay delivery of initial privacy notices.What are the exceptions to the Privacy Act? ›
Information compiled in reasonable anticipation of a civil action or proceeding. Material reporting investigative efforts pertaining to the enforcement of criminal law, including efforts to prevent, control or reduce crime or to apprehend criminals.Which of the following best describes the Gramm-Leach-Bliley Act quizlet? ›
Which of the following best describes the Gramm-Leach-Bliley Act? The Gramm-Leach-Bliley Act requires financial institutions to ensure the security and confidentiality of customer data.What type of information does the GLBA protect quizlet? ›
ensure that financial institutions, including mortgage brokers and lenders, protect nonpublic personal information of consumers.
What is required to be disclosed on the privacy notice? ›
The Contents of the Privacy Notice
Your notice must accurately describe how you collect, disclose, and protect NPI about consumers and customers, including former customers. Your notice must include, where it applies to you, the following information: Categories of information collected.
What is risk? Risk is the chance or probability that a person will be harmed or experience an adverse health effect if exposed to a hazard. It may also apply to situations with property or equipment loss, or harmful effects on the environment.