THE GRAMM-LEACH-BLILEY ACT (GLBA)
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a U.S. federal law that requires financial institutions to protect the privacy of consumers' non-public personal information (NPI) and to implement safeguards for that data. It also repealed parts of the Glass-Steagall Act and amended the Bank Holding Company Act, allowing banks, securities firms, and insurance companies to merge. Its key requirements are to provide customers with a privacy notice, to give them the right to opt out of having their information shared with non-affiliated third parties, and to maintain a written information security program.
Key provisions of the GLBA
- Financial Privacy Rule: Mandates that financial institutions provide customers with a privacy notice explaining what information they collect, how it's used, and with whom it's shared.
- Opt-out Right: Gives consumers the right to prevent their NPI from being shared with non-affiliated third parties, subject to exceptions (for example, sharing needed to process a transaction the consumer requested, or sharing with service providers under contract). The opt-out does not cover sharing among a company's own affiliates.
- Safeguards Rule: Requires financial institutions to develop, implement, and maintain a comprehensive security program with administrative, technical, and physical safeguards to protect customer data.
- Pretexting Provisions: Prohibit obtaining customer information from a financial institution under false pretenses, such as impersonating the customer or an authorized party. Institutions are expected to counter pretexting with controls such as identity verification before disclosing account information and employee training on social-engineering attempts.
Repeal of previous laws
- The GLBA repealed parts of the Glass-Steagall Act of 1933, which had separated commercial and investment banking.
- It also amended the Bank Holding Company Act of 1956, allowing for the integration of banking, securities, and insurance activities under one holding company.
Who it applies to
- The GLBA applies to a wide range of organizations "significantly engaged" in providing financial products or services to consumers, including banks, lenders, mortgage brokers, insurance companies, and tax preparers. Banks and credit unions are supervised under guidelines issued by their own prudential regulators, while the FTC's Safeguards Rule covers non-bank financial institutions within its jurisdiction.
Amendments and updates
- Amendments to the FTC's Safeguards Rule took effect in June 2023. They replaced the earlier general requirement for a security program with specific required elements, including a designated "Qualified Individual" responsible for the program, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, logging and monitoring of user activity, a written incident response plan, and periodic reporting to the board or senior management.
- A further amendment, effective May 2024, added a mandatory breach notification requirement: a financial institution must notify the FTC within 30 days of discovering a "notification event" (unauthorized acquisition of unencrypted customer information) that involves the information of 500 or more consumers.