Home / Definitions / What is the Gramm-Leach-Bliley Act (GLBA)?

What is the Gramm-Leach-Bliley Act (GLBA)?

Shelby Hiter
Last Updated March 9, 2022 11:45 am

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, outlines regulations related to financial data protection that must be followed by financial institutions.

What does the GLBA do?

The proper name of the act is:

PUBLIC LAW 106–102 Gramm-Leach-Bliley Act of 1999

An act to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers, and for other purposes.

Where it had previously been limited by federal law, the GLBA now allows financial professionals to offer services in banking, investment, and insurance, while holding these professionals to certain ethics and standards related to personal and financial data.


Portions of this definition originally appeared on Datamation.com and are excerpted here with permission.

Not only did the GLBA allow consumers to work with only one financial institution or specialist for their financial needs, it gave financial institutions more flexibility to practice in multiple areas of finance simultaneously.

However, to protect the privacy of customers’ personal and financial information, the GLBA highlights two key rules regarding ethical data practices.

What are the GLBA data protection rules?

To protect customers’ nonpublic personal information (NPI), such as income, credit, loan history, bank and credit account numbers, and social security numbers, the GLBA mandates several measures related to the ethical use of data by finance professionals.


What do tech companies need to know about GLBA: Datamation takes a closer look.

Gramm-Leach-Bliley Act cover page.
The cover page of the Gramm-Leach-Bliley Act of 1999.

Safeguards Rule

The Safeguard Rule details the policies, procedures, employee management and training, and security measures financial institutions need in order to protect their customers’ personal data.

While it offers some specifics regarding types of safeguards and security tools, it is up to the organization to determine what protections are necessary to implement across all nodes and users in the corporate network.

Developing an Information Security Plan

To document their safeguarding methods, the GLBA instructs financial institutions to develop a written information security plan. This plan should include the steps they take to protect private financial information from security breaches, unauthorized internal access or use, and unauthorized distribution outside the organization.

Finance companies should include in their information security plan:

  • An employee or team to lead an internal information security program
  • A process for inventorying customer data and its locations that also identifies potential risks and response processes and that analyzes the effectiveness of current safeguards
  • A safeguards program that fits the organization’s data security needs and that monitors and updates safeguards as necessary
  • Training for employees on proper data security and privacy practices for customer data
  • Service providers that can maintain appropriate safeguards and that can understand and comply with your company’s safeguards requirements and infrastructure 
  • A strategy to ensure contracts with third-party service providers require them to maintain safeguards and allow you to oversee their handling of customer data
  • A plan to evaluate and adjust the program in light of relevant circumstances, including changes in the company’s business or operations or the results of security testing

Privacy Rule

The Privacy Rule requires companies to inform their customers of how their personal data can be used with an option to opt out of instances in which their personal data could be distributed. Financial practitioners are required to provide this information via a privacy notice and an opt-out notice as soon as the relationship begins.

The privacy notice should include what data is being collected, where it could be shared and how it could be used, and the protections the organization uses to keep the data safe. The opt-out notice usually accompanies this document.

The GLBA requires that both documents be distributed to all customers and that customers should be notified and given the chance to opt out if any changes are made to the privacy notice.

Where can I download the entire act?

The final text of the 145-page long act, along with extensive supporting information and subcommittee findings, is available at the U.S. Government Printing Office’s website.