
Gramm-Leach-Bliley Act (GLBA)

  • Maximum fine: $100,000 per violation
  • Scope: Financial
  • Regulator: FTC
  • Enacted: 1999

Overview

The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers and protect sensitive data.

Key Facts

  • Enacted in 1999
  • Enforced by the Federal Trade Commission
  • Applies to financial institutions

GLBA Rules

Financial Privacy Rule

Requirements for collection and disclosure of customers' personal financial information.

Requirements

  • Privacy notice distribution
  • Opt-out rights implementation
  • Information sharing limitations
  • Third-party disclosure restrictions
  • Annual privacy notices

Examples

  • Initial privacy notices
  • Opt-out forms
  • Information sharing agreements
  • Customer consent records

Safeguards Rule

Standards for protecting customer information and requiring proper disposal of consumer information.

Requirements

  • Information security program
  • Risk assessment procedures
  • Employee management
  • Information systems security
  • Service provider oversight

Examples

  • Security policies
  • Access controls
  • Encryption protocols
  • Incident response plans

Pretexting Protection

Measures to prevent and detect attempts to gain customer information through false pretenses.

Requirements

  • Identity verification procedures
  • Staff training programs
  • Detection systems
  • Response protocols
  • Documentation requirements

Examples

  • Authentication procedures
  • Training materials
  • Incident reports
  • Security assessments

Compliance Requirements

Privacy Program Implementation

Establish and maintain a comprehensive privacy program for customer information.

Implementation Steps

  • Designate privacy officer
  • Develop privacy policies
  • Create customer notices
  • Implement opt-out procedures
  • Train employees

Required Documentation

  • Privacy policy manual
  • Notice templates
  • Training records
  • Opt-out records
  • Annual assessments

Information Security Program

Develop, implement, and maintain a comprehensive information security program.

Implementation Steps

  • Conduct risk assessment
  • Implement safeguards
  • Monitor systems
  • Test security measures
  • Update procedures

Required Documentation

  • Security policies
  • Risk assessments
  • Testing results
  • Incident reports
  • Review logs

Service Provider Oversight

Ensure service providers maintain appropriate safeguards for customer information.

Implementation Steps

  • Select qualified providers
  • Review security measures
  • Execute contracts
  • Monitor compliance
  • Conduct audits

Required Documentation

  • Due diligence records
  • Service agreements
  • Audit reports
  • Monitoring logs
  • Compliance reviews

Enforcement & Penalties

Federal Trade Commission Enforcement

The FTC has primary enforcement authority for GLBA compliance.

Penalty Categories

  • Civil penalties: up to $100,000 per violation, for financial institutions
  • Individual liability: up to $10,000 per violation, for officers and directors
  • Criminal penalties: up to $500,000 and 10 years imprisonment, for knowing and intentional violations

Example Cases

  • Equifax: $575 million (2019) - data breach affecting 147 million consumers
  • PayPal: $175 million (2020) - Venmo privacy and security violations

State Attorney General Enforcement

State authorities can enforce GLBA provisions within their jurisdiction.

Penalty Categories

  • State civil penalties: varies by state; additional state-specific penalties
  • Injunctive relief: varies; court-ordered compliance measures
  • Consumer restitution: case-specific; compensation for affected consumers

Example Cases

  • Capital One: $80 million (2020) - data breach affecting 100 million customers
  • Morgan Stanley: $60 million (2020) - improper decommissioning of data center equipment