Gramm-Leach-Bliley Act (GLBA)
What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways financial institutions deal with the private information of individuals. The Act consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting or accessing private information using false pretenses. The Act also requires financial institutions to give customers written privacy policy notices that explain their information-sharing practices.
The GLBA repealed large portions of the Glass-Steagall Banking Act of 1933 and the Bank Holding Company Act of 1956. It amended the rules to permit banks, brokerage houses and insurance firms to merge. This created a new structural framework whereby a bank holding company could acquire full-service investment banks and insurance companies, while allowing the latter types of firms to form holding companies to acquire banks. As a consequence of GLBA, the U.S. Federal Reserve was granted expanded supervisory power to regulate these new types of financial structures.
What is the purpose of GLBA?
The standards established by GLBA complement data security requirements imposed by the Federal Deposit Insurance Corporation (FDIC). The purpose of the GLB Act is to ensure that financial institutions and their affiliates safeguard the confidentiality of personally identifiable information (PII) gathered from customer records in paper, electronic or other forms. The law requires affected companies to comply with strict guidelines that govern data security.
According to the law, financial institutions have an obligation to respect their customers' privacy and securely protect their sensitive personal information against unauthorized access.
GLBA compliance requires that companies develop privacy practices and policies that detail how they collect, sell, share and otherwise reuse consumer information. Consumers also must be given the option to decide which information, if any, a company is permitted to disclose or retain for future use.
A related requirement governs data storage and security as part of a comprehensive written information security policy. This objective addresses protections against "any anticipated threats or hazards" to data that could result in "substantial harm or inconvenience" to consumers.
GLBA's PII guidelines apply to any non-public personal information, which is defined as information a customer may provide to facilitate a transaction or which is otherwise obtained by the institution.
Data covered by GLBA
GLBA compliance is intended to decrease the likelihood an organization will have a data breach and face the resulting fallout, including significant financial and legal penalties and damage to its reputation. GLBA has become a top priority for chief information security officers and other IT professionals charged with managing corporate data.
Best practices have emerged, including internal risk assessments, periodic testing of internal controls and ensuring third-party compliance by business partners and service providers. Practical advantages of the law's requirements include an increased ability to identify critical data, eliminate data errors, locate dark data, improve consolidation and enhance data classification.
Data that falls under the requirements of GLBA includes the following:
- addresses;
- bank account and financial data;
- biometric and related data;
- birth dates;
- car dealers;
- credit history (including property records or purchasing history);
- education level and academic performance;
- employment data;
- inferences drawn from other data;
- internet and other electronic information;
- geolocation data;
- names;
- personal income;
- Social Security data; and
- tax information.
Organizations regulated by GLBA
The passage of GLBA coincided with the emergence of internet technologies for transacting business, which in turn generated reams of new data and new ways of accessing data. The law broadened the definition of companies classified as financial institutions.
GLBA regulates any institution significantly engaged in financial activities. Even organizations that do not disclose non-public personal information are required by GLBA to develop a policy to protect information against potential future threats.
In addition to banks, brokerage firms and insurers, GLBA applies to companies that process loans or otherwise assume credit risk. Any organization that falls within the scope of GLBA must comply with its provisions, although individual states have the power to enact more stringent privacy regulations, as is the case in California and Virginia.
Professions and businesses subject to GLBA's provisions include:
- accountants
- ATM operators
- car rental companies
- courier services
- credit reporting companies
- credit unions
- debt collectors
- financial advisory firms
- hedge funds
- non-bank mortgage lenders
- payday lenders
- property appraisers
- real estate firms
- retailers
- stockbrokers
- tax preparers
- universities
How GLBA compliance works
GLBA is broken into three main sections, each of which defines a subset of rules that govern compliance. The three sections include the following:
Financial Privacy Rule
This rule, often referred to as the Privacy Rule, places requirements on how organizations may collect and disclose private financial data. An organization must give "clear and conspicuous notice" of its privacy policy at the start of a customer relationship. Subsequently, customers must get an annual notice for the duration of the relationship, unless the organization meets certain criteria.
The Privacy Rule outlines which data will be collected, how it will be used and shared, who has access to it and the policies and procedures used to protect it. As required by the Fair Credit Reporting Act, customers are to be notified of the privacy policy annually, including the right to opt out of sharing information with unaffiliated third-party entities. If a customer agrees to share information, the organization must abide by the provisions of the original privacy notice.
Safeguard Rule
As the name implies, steps to ensure information security are the key focus of GLBA's Safeguard Rule. The Federal Trade Commission (FTC) issued this rule in 2002 and continues to enforce it. The rule instructs organizations to implement administrative, physical and technical protections as safeguards against cyber attacks, email spoofing, phishing schemes and similar cybersecurity risks.
The rule also requires that an organization designate at least one person to be accountable for all aspects of the information security plan, including its development and regular testing. Data encryption and key management are recommended as best practices, but they are not FTC requirements under the Safeguard Rule.
Pretexting Rule
This rule aims to prevent employees or business partners from collecting customer information under false pretenses, such as through social engineering techniques. Although GLBA does not have specific requirements regarding pretexting, prevention usually entails including employee training on recognizing and avoiding pretexting scenarios in the written information security plan.
Who enforces GLBA requirements?
State and federal banking agencies have varying degrees of authority to enforce GLBA provisions. The FTC can take action in federal district courts against organizations that fail to comply with the Privacy Rule. Section 5 of GLBA grants the FTC the authority to audit privacy policies to ensure they are developed and applied fairly.
Enforcement of the Safeguard Rule remains with the FTC, although the Dodd-Frank Act in 2010 transferred new rulemaking authority to the Consumer Financial Protection Bureau (CFPB). Other federal agencies that play a role in GLBA enforcement include the Federal Reserve Board, the FDIC, the Office of Thrift Supervision and the Office of the Comptroller of the Currency. The responsibility for regulating insurance providers falls to individual states.
To avoid making compliance mistakes, a company may choose to hire independent consulting firms. These companies conduct a GLBA audit to assess an organization's information security posture and develop strategies to stay abreast of changing legal regulations.
Penalties for GLBA noncompliance
Failure to comply with GLBA can have severe financial and personal consequences for executives and employees. A financial institution faces a fine up to $100,000 for each violation. Its officers and directors can be fined up to $10,000, imprisoned for five years or both. Companies also face increased exposure and a loss of customer confidence.
Heightened awareness of security risks is among the benefits companies may derive from GLBA compliance, especially as hackers develop more sophisticated tools to breach computer systems. Aside from enhanced brand reputation, a company can gain new insights from existing data and improve its data management capabilities.
Recent GLBA cases brought by the FTC include:
- Ascension Data and Analytics. In 2020, the Arlington, Texas, company agreed to an undisclosed financial settlement after a vendor, OpticsML, was found to have stored customer financial information in plain text in insecure cloud storage.
- PayPal. The online payment processor agreed to pay $175,000 to the state of Texas in 2018 to settle GLBA and Federal Trade Act violations that compromised data security and privacy of customers using its Venmo peer-to-peer application.
- TaxSlayer. Hackers were able to access nearly 9,000 of the Augusta, Ga., online tax preparer's customer records for several months in 2015. The FTC said it failed to implement a comprehensive security program, including providing a privacy notice to customers, as required under GLBA. Under the settlement with the FTC, the company is prohibited from violating the GLBA's Privacy Rule and the Safeguards Rule for 20 years and is required to have a third party assess its compliance every two years for 10 years.
Criticism, problems and GLBA revisions
Critics of the GLBA have contended the measure's enforcement lacks the regulatory capabilities of the Health Insurance Portability and Accountability Act (HIPAA) and privacy regulations like those enacted in California. The GLBA places the responsibility on individuals to notify companies when they are opting out of data collection. The limited opt-out rights facilitate greater data sharing among larger entities, which is the opposite of what was intended, critics said.
Some economists blamed the GLBA for contributing to the 2008 financial recession. They argued the repeal of the Glass-Steagall Act opened the doors for banks to engage in speculative investments using short-term hedge funds and other high-yield, high-risk financial instruments.
Other financial experts claimed the GLBA played only a marginal role in the economic crisis. They pointed to a glut of Fannie Mae- and Freddie Mac-owned subprime mortgages that Congress directed be bought to supply affordable housing in low-income neighborhoods.
The CFPB revised the GLBA in 2018 to exempt some companies from the requirement to deliver annual privacy notices to customers under certain conditions. In general, financial institutions are exempted in two ways: if they restrict information sharing and don't trigger a customer opt-out requirement or if there are no changes to the privacy policy previously delivered to the customer. The CFPB said the revision conforms with GLBA amendments established by Congress.
GLBA and GDPR
GLBA and Europe's General Data Protection Regulation (GDPR) have different goals, but both define data security and consumer privacy. Whereas GLBA sets data privacy rules for financial institutions, GDPR encompasses any organization that processes an individual's personal data in the course of transacting business.
Like GLBA, GDPR encourages companies to be more transparent in how they capture and handle sensitive information. That includes individuals' personal data and any metadata that may be used to identify or characterize them.
In 2021, the Commonwealth of Virginia General Assembly passed the Virginia Data Protection Act, becoming the second U.S. state to enact regulations that toughen consumer protections. Virginia's law mirrors many provisions in the California Privacy Rights Act (CPRA). CPRA is an expanded version of the California Consumer Privacy Act, which guarantees individuals the right to know all personal information a company may collect. CPRA gives Californians and others broad authority to obtain, delete and restrict the use of any personal data. Any organization that transacts business in California may be subject to CPRA provisions.
Illinois, New York, Oregon, Texas and Washington are updating existing security laws, and the National Association of Insurance Commissioners has developed a model law to enable states to develop laws that uniformly protect personal data.
History of GLBA
The Gramm-Leach-Bliley Act is named for the lawmakers who sponsored it: Sen. Phil Gramm (R-Texas), Rep. Jim Leach (R-Iowa) and Rep. Thomas Bliley (R-Va.). The U.S. Senate passed GLBA by a 54-44 margin in May 1999. The U.S. House of Representatives approved a version of the act in July 1999 with a 343-86 vote. A revised version of the bill passed both houses on Nov. 4, 1999, by votes of 90-8 in the Senate and 362-57 in the House; President Bill Clinton signed GLBA into law on November 12.
GLBA emerged during a wave of government business regulation in the late 1990s. Congress passed HIPAA in 1996 and the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act in 2002.
Federal regulators had relaxed some Glass-Steagall prohibitions in the years leading up to the GLBA. These steps helped pave the way for commercial banks and securities investment firms to merge and sell integrated financial services. However, this development renewed data privacy concerns that had been simmering for several years.
The EU Data Protection Directive, a 1995 European law that imposed stricter requirements on U.S. firms, was emblematic of this concern. Any U.S. company providing products or services to EU citizens must afford them the same privacy protections as those imposed by data exchanges in their home countries. The European Union in 2016 approved the GDPR to replace the Data Directive law; the GDPR became effective in 2018.
In 1999, the year GLBA became law, U.S. Bancorp, based in Minneapolis, Minn., was sued by the state of Minnesota for peddling confidential customer data to a telemarketing firm that allegedly debited customers' accounts without permission. Also in 1999, Charter Pacific Bank, in Agoura Hills, Calif., was involved in a porn scam after selling access to a database of credit card accounts to a California-based business operation. According to the FTC, the company used fictitious names and fake merchant accounts to bill unsuspecting customers in excess of $40 million for access to porn websites. The FTC won a $37.5 million judgment against the owners of the business. Selling access to the credit card database was not illegal, so the bank escaped financial punishment.