Gramm-Leach-Bliley Act (GLBA)
Overview
The Gramm-Leach-Bliley Act (GLBA), enacted November 12, 1999, is the primary federal law governing financial privacy and data security for financial institutions. GLBA consists of three main rules enforced by the Federal Trade Commission (FTC), federal banking regulators, and other agencies:
- Financial Privacy Rule (16 CFR Part 313)
- Safeguards Rule (16 CFR Part 314)
- Pretexting Protection (15 USC 6821-6827)
Legislative Authority
- Statute: Pub. L. 106-102 (November 12, 1999)
- Codification: 15 USC 6801-6809 (privacy), 15 USC 6821-6827 (pretexting)
- Regulations: 16 CFR Part 313 (Privacy Rule), 16 CFR Part 314 (Safeguards Rule)
- Effective Date: November 12, 1999 (law); various effective dates for regulations
Applicability
GLBA applies to "financial institutions" - any company that engages in financial activities described in Section 4(k) of the Bank Holding Company Act:
Covered Entities
- Banks (commercial banks, savings banks, credit unions)
- Securities Firms (broker-dealers, investment advisors, investment companies)
- Insurance Companies (life insurance, property/casualty insurance, insurance agents/brokers)
- Mortgage Lenders and Servicers
- Payday Lenders
- Finance Companies
- Debt Collectors
- Credit Counseling Services
- Tax Preparation Services (if they offer RALs/RACs)
- Real Estate Appraisers and Settlement Services
- Check Cashing Services
- Wire Transfer Services
"Customer" vs. "Consumer"
- Customer: Individual with ongoing relationship with financial institution (e.g., deposit account, loan, insurance policy)
- Consumer: Individual who obtains financial product/service for personal, family, or household purposes (no ongoing relationship)
Financial Privacy Rule (16 CFR Part 313)
Privacy Notice Requirements
Financial institutions must provide clear and conspicuous privacy notices:
- Initial Privacy Notice: Provided when customer relationship established
- Annual Privacy Notice: Provided at least once every 12 months during customer relationship
- Revised Privacy Notice: Provided before changes to information sharing practices take effect
Privacy Notice Content
Must describe:
- Categories of nonpublic personal information collected
- Categories of nonpublic personal information disclosed
- Categories of affiliates and nonaffiliated third parties to whom information is disclosed
- Policies/practices for protecting confidentiality and security
- Categories of information disclosed (if any) and categories of third parties (if any) for Section 6802(e) exceptions
- Opt-out rights (if applicable)
Opt-Out Rights
Consumers have right to opt out of information sharing with nonaffiliated third parties (with exceptions).
Opt-Out Method:
- Must be "reasonable" (e.g., toll-free phone number, detachable form, check-off box, electronic means)
- Must have reasonable opportunity to opt out (minimum 30 days)
Exceptions (No Opt-Out Required):
- Disclosures necessary to effect, administer, or enforce transactions requested by consumer
- Disclosures to service providers performing services for financial institution (with contractual protections)
- Disclosures required by law or to law enforcement
Reuse and Redisclosure Limits
If financial institution receives nonpublic personal information from nonaffiliated third party under Section 6802(e) exception, it may:
- Disclose to affiliates
- Disclose to own service providers
- Disclose per Section 6802(e) exceptions
- NOT use for marketing own products/services (unless from joint marketing arrangement)
Safeguards Rule (16 CFR Part 314)
Information Security Program
Every financial institution must develop, implement, and maintain a comprehensive information security program that:
- Is appropriate to size, complexity, nature, and scope of activities
- Contains administrative, technical, and physical safeguards
- Protects customer information
2023 Safeguards Rule (Amendments Effective May 13, 2024)
The FTC significantly strengthened the Safeguards Rule in 2021, with a final compliance deadline of May 13, 2024 for covered financial institutions.
Covered vs. Exempt Institutions
Covered Financial Institutions: Must comply with ALL requirements
- Institutions NOT qualifying for exemption (see below)
Exempt Institutions: Simplified compliance (Sec. 314.4(c))
- Collect information about fewer than 5,000 consumers
- May be exempt from certain prescriptive requirements
Core Requirements (All Financial Institutions)
1. Written Information Security Program (Sec. 314.4(a))
Must develop, implement, and maintain comprehensive written information security program.
2. Qualified Individual (Sec. 314.4(a))
Must designate qualified individual to:
- Oversee, implement, and enforce information security program
- Report to board of directors or governing body at least annually
3. Risk Assessment (Sec. 314.4(b))
Must conduct periodic risk assessments identifying:
- Reasonably foreseeable internal and external threats
- Likelihood and potential damage
- Sufficiency of existing policies, procedures, controls, systems
4. Safeguards Design and Implementation (Sec. 314.4(c))
Design and implement safeguards to control identified risks, including:
Access Controls (Sec. 314.4(c)(1)):
- Authenticate and permit access only to authorized individuals
- Distinguish users and their privileges
Customer Information Identification (Sec. 314.4(c)(2)):
- Identify and inventory customer information systems and categorize by sensitivity
Encryption (Sec. 314.4(c)(3)) [MAJOR 2023 CHANGE]:
- Encrypt customer information at rest (with limited exceptions for legacy systems)
- Encrypt customer information in transit
Multi-Factor Authentication (Sec. 314.4(c)(4)) [MAJOR 2023 CHANGE]:
- Require multi-factor authentication for any individual accessing customer information system
- Exception: effective compensating controls
Secure Development (Sec. 314.4(c)(5)):
- Develop applications using secure development practices
- Regularly test and monitor effectiveness
Change Management (Sec. 314.4(c)(6)):
- Implement change management for information systems
Response and Recovery (Sec. 314.4(c)(7)) [MAJOR 2023 CHANGE]:
- Maintain incident response plan
- Maintain business continuity and disaster recovery plan
Testing and Monitoring (Sec. 314.4(c)(8)) [MAJOR 2023 CHANGE]:
- Continuous monitoring or periodic penetration testing
- Annual penetration testing OR vulnerability assessments at least every 6 months
5. Security Awareness Training (Sec. 314.4(d)) [MAJOR 2023 CHANGE]
- Security awareness training for all personnel
- Updated as necessary
6. Service Provider Oversight (Sec. 314.4(e))
- Select service providers capable of maintaining appropriate safeguards
- Require service providers by contract to maintain safeguards
7. Information Security Program Evaluation (Sec. 314.4(f))
- Monitor and log activity in customer information systems
- Regularly review and adjust program based on:
  - Testing and monitoring results
  - Material changes to operations or business arrangements
  - Any other circumstances affecting security
8. Reporting to Board (Sec. 314.4(g))
- Report at least annually to board or governing body
- Report includes: overall status, compliance, material matters, sufficiency
Data Breach Notification (Sec. 314.4(h)) [NEW 2023]
Notification to Customers: Financial institutions must notify affected customers "as soon as practicable" after discovery of unauthorized acquisition of unencrypted customer information.
Triggers:
- Unauthorized acquisition of unencrypted customer information
- Reasonably likely to result in substantial harm or inconvenience
Content: Notification must describe:
- Incident in general terms
- Type of information subject to unauthorized access
- Actions taken to protect customer information
- Telephone number to get more information
- Reminder to remain vigilant for incidents of identity theft and fraud
Pretexting Protection (15 USC 6821-6827)
Criminal Prohibitions
GLBA criminalizes pretexting - obtaining or attempting to obtain customer information from financial institution through:
- False pretenses
- Fraudulent statements or representations
- Fraudulent or stolen documents
Penalties
Civil Penalties: Up to $100,000 per violation
Criminal Penalties:
- Violation: Up to $100,000 fine and 5 years imprisonment
- Violation while violating another law: Up to $100,000 fine and 10 years imprisonment
- Violation by organization: Up to $500,000 fine
- Sale/transfer of information: Up to $100,000 fine and 15 years imprisonment (enhanced penalty)
Enforcement
Primary Regulators by Institution Type
- Federal Trade Commission (FTC): Non-bank financial institutions (mortgage lenders, payday lenders, debt collectors, etc.)
- Office of the Comptroller of the Currency (OCC): National banks, federal savings associations
- Federal Reserve Board: State member banks, bank holding companies, savings and loan holding companies
- Federal Deposit Insurance Corporation (FDIC): State non-member banks, state savings associations
- National Credit Union Administration (NCUA): Federal credit unions
- Securities and Exchange Commission (SEC): Broker-dealers, investment companies, investment advisors
- State Insurance Regulators: Insurance companies (states enforce under state insurance law)
- Commodity Futures Trading Commission (CFTC): Futures commission merchants, commodity trading advisors, commodity pool operators
FTC Enforcement Actions
The FTC has brought numerous enforcement actions for GLBA violations:
Notable Cases:
- Dwolla (2016): $100,000 civil penalty - failed to implement reasonable data security (Safeguards Rule)
- PayPal (2015): $25,000 civil penalty - failed to implement authentication controls
- Franklin's Budget Car Sales (2015): Failed to properly dispose of credit reports containing customer information
- Cbr Systems (2013): Failed to implement safeguards for customer information
Civil Penalties (FTC Act Sec. 5(m))
2025 Inflation-Adjusted Penalties (effective January 13, 2025):
- Up to $53,088 per violation (adjusted annually for inflation)
- No statutory maximum on aggregate penalties
Compliance Timeline
| Date | Requirement |
| ------ | ------------ |
| November 12, 1999 | GLBA enacted into law |
| May 24, 2000 | Privacy Rule promulgated (16 CFR 313) |
| May 23, 2002 | Safeguards Rule effective (16 CFR 314) |
| December 9, 2022 | 2023 Safeguards Rule amendments effective (most requirements) |
| June 9, 2023 | Additional requirements effective (annual reporting to board) |
| May 13, 2024 | FINAL compliance deadline for 2023 Safeguards Rule amendments |
Key Differences: GLBA vs. 201 CMR 17.00 (Massachusetts)
Massachusetts financial institutions must comply with BOTH GLBA and 201 CMR 17.00. Where requirements differ, apply the MORE STRINGENT requirement:
| Requirement | GLBA Safeguards Rule | 201 CMR 17.00 | More Stringent |
| ------------ | --------------------- | --------------- | ---------------- |
| Encryption at Rest | Required (with exceptions) | Required | Equal |
| Encryption in Transit | Required | Required | Equal |
| Multi-Factor Authentication | Required | Not explicitly required | GLBA |
| Annual Penetration Testing | Required | Not explicitly required | GLBA |
| Written Information Security Program | Required | Required | Equal |
| Risk Assessment | Periodic | Required | Equal |
| Incident Response Plan | Required | Required | Equal |
| Vendor Management | Required (contracts) | Required (contracts) | Equal |
| Scope | Customer information only | Personal information of MA residents | 201 CMR 17.00 (broader) |
Compliance Strategy: Massachusetts financial institutions should implement BOTH sets of requirements. Implement GLBA for "customer information" and 201 CMR 17.00 for all "personal information" of Massachusetts residents.
Compliance Checklist
Financial Privacy Rule Compliance
- [ ] Privacy Notice Program:
  - [ ] Initial privacy notice provided when customer relationship established
  - [ ] Annual privacy notice provided at least once every 12 months
  - [ ] Revised privacy notice provided before changes take effect
  - [ ] Privacy notice contains all required elements
- [ ] Opt-Out Rights:
  - [ ] Consumers can opt out of information sharing with nonaffiliated third parties
  - [ ] Reasonable opt-out method provided (e.g., toll-free number, form)
  - [ ] Minimum 30-day opt-out period before information sharing begins
- [ ] Reuse/Redisclosure Limits:
  - [ ] Limits on reuse of information received from nonaffiliated third parties
Safeguards Rule Compliance
- [ ] Written Information Security Program:
  - [ ] Comprehensive written program documented
  - [ ] Appropriate to size, complexity, nature, and scope
- [ ] Qualified Individual:
  - [ ] Designated qualified individual oversees program
  - [ ] Reports to board/governing body at least annually
- [ ] Risk Assessment:
  - [ ] Periodic risk assessments conducted
  - [ ] Internal and external threats identified
  - [ ] Likelihood and potential damage assessed
- [ ] Access Controls:
  - [ ] Authentication required for access
  - [ ] User privileges distinguished
- [ ] Encryption [2023 REQUIREMENT]:
  - [ ] Customer information encrypted at rest (with documented exceptions)
  - [ ] Customer information encrypted in transit
- [ ] Multi-Factor Authentication [2023 REQUIREMENT]:
  - [ ] MFA required for customer information system access (or documented compensating controls)
- [ ] Testing and Monitoring [2023 REQUIREMENT]:
  - [ ] Annual penetration testing OR vulnerability assessments every 6 months
  - [ ] Continuous monitoring or periodic testing
- [ ] Security Awareness Training [2023 REQUIREMENT]:
  - [ ] Training provided to all personnel
  - [ ] Training updated as necessary
- [ ] Incident Response [2023 REQUIREMENT]:
  - [ ] Incident response plan documented and maintained
  - [ ] Business continuity and disaster recovery plans maintained
- [ ] Service Provider Oversight:
  - [ ] Service providers selected based on ability to maintain safeguards
  - [ ] Contracts require service providers to maintain safeguards
- [ ] Data Breach Notification [2023 REQUIREMENT]:
  - [ ] Process for notifying affected customers "as soon as practicable"
  - [ ] Notification contains required elements
Pretexting Protection Compliance
- [ ] Policies prohibit pretexting
- [ ] Employee training on pretexting prohibitions
- [ ] Verification procedures for information requests
Related Frameworks
- 201 CMR 17.00 (Massachusetts): State data security law requiring safeguards for personal information
- HIPAA Privacy Rule/Security Rule: Healthcare-specific privacy and security (financial institutions may also be HIPAA covered entities/business associates)
- PCI DSS: Payment card security (financial institutions handling payment cards)
- NIST Cybersecurity Framework: Voluntary framework for cybersecurity risk management
- SOX Section 404: Internal controls over financial reporting (public company financial institutions)
- FFIEC Cybersecurity Assessment Tool: Federal banking regulators' cybersecurity assessment guidance
Resources
Official Sources
- FTC GLBA Page: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
- 16 CFR Part 313 (Privacy Rule): https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-313
- 16 CFR Part 314 (Safeguards Rule): https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314
- 15 USC 6801 (GLBA Privacy): https://uscode.house.gov/view.xhtml?req=granuleId:USC-prelim-title15-section6801&num=0
- Federal Reserve GLBA: https://www.federalreserve.gov/supervisionreg/topics/glba.htm
- FDIC Compliance Manual: https://www.fdic.gov/resources/supervision-and-examinations/consumer-compliance-examination-manual/
- OCC Privacy Guidance: https://www.occ.gov/topics/consumers-and-communities/consumer-protection/privacy/index-privacy.html
Massachusetts-Specific
- 201 CMR 17.00: https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the
- MA Division of Banks: https://www.mass.gov/orgs/division-of-banks
- MA Division of Insurance: https://www.mass.gov/orgs/division-of-insurance