What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, outlines regulations related to financial data protection that must be followed by financial institutions.

What does the GLBA do?

The proper name of the act is:

PUBLIC LAW 106–102 Gramm-Leach-Bliley Act of 1999

An act to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers, and for other purposes.

Where it had previously been limited by federal law, the GLBA now allows financial professionals to offer services in banking, investment, and insurance, while holding these professionals to certain ethics and standards related to personal and financial data.

Portions of this definition originally appeared on Datamation.com and are excerpted here with permission.

Not only did the GLBA allow consumers to work with only one financial institution or specialist for their financial needs, it gave financial institutions more flexibility to practice in multiple areas of finance simultaneously.

However, to protect the privacy of customers’ personal and financial information, the GLBA highlights two key rules regarding ethical data practices.

What are the GLBA data protection rules?

To protect customers’ nonpublic personal information (NPI), such as income, credit, loan history, bank and credit account numbers, and social security numbers, the GLBA mandates several measures related to the ethical use of data by finance professionals.

What do tech companies need to know about GLBA: Datamation takes a closer look.

Gramm-Leach-Bliley Act cover page.
The cover page of the Gramm-Leach-Bliley Act of 1999.

Safeguards Rule

The Safeguard Rule details the policies, procedures, employee management and training, and security measures financial institutions need in order to protect their customers’ personal data.

While it offers some specifics regarding types of safeguards and security tools, it is up to the organization to determine what protections are necessary to implement across all nodes and users in the corporate network.

Developing an Information Security Plan

To document their safeguarding methods, the GLBA instructs financial institutions to develop a written information security plan. This plan should include the steps they take to protect private financial information from security breaches, unauthorized internal access or use, and unauthorized distribution outside the organization.

Finance companies should include in their information security plan:

  • An employee or team to lead an internal information security program
  • A process for inventorying customer data and its locations that also identifies potential risks and response processes and that analyzes the effectiveness of current safeguards
  • A safeguards program that fits the organization’s data security needs and that monitors and updates safeguards as necessary
  • Training for employees on proper data security and privacy practices for customer data
  • Service providers that can maintain appropriate safeguards and that can understand and comply with your company’s safeguards requirements and infrastructure 
  • A strategy to ensure contracts with third-party service providers require them to maintain safeguards and allow you to oversee their handling of customer data
  • A plan to evaluate and adjust the program in light of relevant circumstances, including changes in the company’s business or operations or the results of security testing

Privacy Rule

The Privacy Rule requires companies to inform their customers of how their personal data can be used with an option to opt out of instances in which their personal data could be distributed. Financial practitioners are required to provide this information via a privacy notice and an opt-out notice as soon as the relationship begins.

The privacy notice should include what data is being collected, where it could be shared and how it could be used, and the protections the organization uses to keep the data safe. The opt-out notice usually accompanies this document.

The GLBA requires that both documents be distributed to all customers and that customers should be notified and given the chance to opt out if any changes are made to the privacy notice.

Where can I download the entire act?

The final text of the 145-page long act, along with extensive supporting information and subcommittee findings, is available at the U.S. Government Printing Office’s website.

Shelby Hiter
Shelby Hiter
Shelby Hiter is a writer with more than five years of experience in writing and editing, focusing on healthcare, technology, data, enterprise IT, and technology marketing. She currently writes for four different digital publications in the technology industry: Datamation, Enterprise Networking Planet, CIO Insight, and Webopedia. When she’s not writing, Shelby loves finding group trivia events with friends, cross stitching decorations for her home, reading too many novels, and turning her puppy into a social media influencer.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

Related Articles

Virtual Private Network (VPN)

A virtual private network (VPN) encrypts a device's Internet access through a secure server. It is most frequently used for remote employees accessing a...

Gantt Chart

A Gantt chart is a type of bar chart that illustrates a project schedule and shows the dependency between tasks and the current schedule...

Input Sanitization

Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services of any unwanted characters and...

IT Asset Management Software

IT asset management software (ITAM software) is an application for organizing, recording, and tracking all of an organization s hardware and software assets throughout...


ScalaHosting is a leading managed hosting provider that offers secure, scalable, and affordable...


Human resources information system (HRIS) solutions help businesses manage multiple facets of their...

Best Managed Service Providers...

In today's business world, managed services are more critical than ever. They can...