The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law passed in 1999 that governs how financial institutions have to protect consumer financial data.
RecordPoint empowers financial services companies to comply with the data privacy provisions of GLBA and other important laws.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was passed on November 12, 1999. It implemented several new rules related to the protection of consumer financial information for financial services companies like banks, credit unions, and insurance companies.
The GLBA is named for Senator Phil Gramm (R, Texas), Congressman Jim Leach (R, Iowa), and Congressman Thomas J. Bliley, Jr. (R, Virginia) – the three legislators most directly associated with the bill. GLBA did several things beyond implementing new rules related to protecting consumer financial information.
GLBA repealed large portions of the Glass-Steagall Banking Act of 1933 and the Bank Holding Company Act of 1956, allowing banks, brokerages, and insurance companies to merge. Part of getting the act passed meant adding the three new rules around protecting consumer financial information.
The purpose of the GLBA is to ensure that banks and other financial institutions protect consumer information with effective security programs, beyond enabling organizations that previously had to remain separate to merge. Regulatory updates have shifted standards for the GLBA in recent years. The Privacy Rule previously required notification of data breaches for incidents including 1,000 customers; it has since been dropped to incidents including 500 customers.
There are specific steps that financial services companies need to take to comply with GLBA, which include:
First, identify all the non-public information (NPI) you have and where it lives – cataloging and storing your data in in a secure and scalable, cloud-based data inventory makes it easier to monitor. Next, evaluate your security measures – banks must have a system in place for protecting NPI to ensure GLBA compliance.
There are many possible vulnerabilities that could put customer data at risk, which might include outdated systems that create tech debt, data encryption that lags standards, or weak access controls. A full evaluation ensures financial IT security groups can determine how likely a possible breach might be.
To comply with the Safeguards Rule, financial institutions need to create and document an information security program. That meets these standards:
Providing privacy notices is a key facet of GLBA compliance. Notices should explain how and why customer data is collected, as well as provide instructions for them to "opt out" of data sharing practices like disclosure to non-affiliated third parties. Opt-out rights are also governed by the Fair Credit Reporting Act (FCRA).
The most effective safeguards include:
Companies must test, monitor, and update the information security program regularly. Adopting a proactive mindset can take the shape of regular penetration tests and risk assessments, which is the best way to prevent breaches, respond faster to incidents, minimize downtime, and protect sensitive data.
RecordPoint can help U.S. companies facilitate their GLBA compliance with several key features, including:
Proactively dispose of data you don’t need with custom retention policies that make minimization effortless.
Use AI to classify data instantly, so you know exactly where sensitive data lives and how to protect it.
Automate compliance tasks with AI and machine learning models trained on your data.
Discover where all your data lives to get a comprehensive picture of your data estate, so you can better understand and protect it.
The penalties for non-compliance can be significant; companies can be fined $100,000 for each violation, and individuals charged and imprisoned for up to five years. That’s why leaders and key decision-makers must prioritize GLBA compliance.
Have another question? Looking for more details? Reach out to our friendly team who will be happy to help.
