The Gramm-Leach-Bliley Act was enacted in 1999 to require financial institutions to explain their information-sharing practices and to safeguard sensitive nonpublic personal information (NPI). The FTC’s 2023 amendments to the Safeguards Rule significantly enhanced cybersecurity requirements, with core provisions effective June 2023 and breach notification requirements effective May 2024.

Who Must Comply

GLBA defines “financial institution” broadly to include entities significantly engaged in financial activities.

Traditional financial services covered include banks, credit unions, savings institutions, securities firms, broker-dealers, investment advisers, investment companies, and insurance companies including all underwriters and agencies.

Lending and credit entities covered include mortgage lenders and brokers, consumer finance companies, payday lenders, and retailers issuing credit cards.

Non-traditional entities covered include tax preparers, accountants providing financial advice, credit counselors and financial planners, check cashers and wire transfer services, real estate settlement services, and higher education institutions handling student financial aid data.

Three Core Rules

Privacy Rule

The Privacy Rule requires financial institutions to provide privacy notices explaining their information-sharing practices and gives consumers the right to opt out of certain information sharing with nonaffiliated third parties.

Privacy notices must include categories of NPI collected, categories of NPI disclosed, categories of affiliates and nonaffiliated third parties receiving NPI, policies for sharing information about former customers, how the institution protects confidentiality and security of NPI, and consumer opt-out rights and procedures.

Opt-out requirements mandate that customers be given a reasonable opportunity to opt out before NPI is shared with nonaffiliated third parties. The opt-out notice must be clear and conspicuous and must provide reasonable means of opting out, including a toll-free number, a return mail form, or electronic means.

Exceptions that do not require opt-out include processing or servicing transactions requested by the consumer, maintaining or servicing accounts, providing information to consumer reporting agencies, protecting against fraud or unauthorized transactions, and complying with legal requirements.

The annual notice exception applies if the institution only shares NPI under the permitted exceptions, with no opt-out triggers, and its privacy policies and practices have not changed since the last disclosure. If the exception does not apply, annual notices must be delivered for the duration of the customer relationship.

Safeguards Rule

The Safeguards Rule at 16 CFR 314 requires development, implementation, and maintenance of a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the institution’s size and complexity.

The written information security program must be documented in one or more readily accessible parts, must contain administrative, technical, and physical safeguards, and must be appropriate to the institution’s size, complexity, activities, and the sensitivity of the customer information it handles.

Risk assessment requirements include written risk assessments with criteria for evaluation and categorization of identified security risks, assessment of confidentiality, integrity, and availability of information systems, descriptions of how identified risks will be mitigated or accepted, and periodic updates at minimum annually and after significant changes.

Access controls must be implemented and periodically reviewed. They must follow the principle of least privilege, limit authorized user access to what is needed for legitimate business purposes, prevent unauthorized access to customer information, and include periodic review of user access rights.

Encryption requirements mandate encryption of all customer information at rest, encryption of all customer information in transit over external networks, use of current cryptographic standards, and alternative compensating controls only if approved by the Qualified Individual and documented.

MFA requirements mandate multi-factor authentication for any individual accessing information systems containing customer information. The authentication must require two or more different categories of authentication factors; equivalent or stronger controls may be used if approved by the Qualified Individual.

Secure development practices requirements for in-house software and applications include adopting secure development practices throughout the SDLC, implementing change management procedures for IT environments, conducting security testing of applications, and integrating security requirements into DevSecOps workflows.

Vendor management requirements include due diligence evaluating providers’ security capabilities before engagement, contractual requirements mandating appropriate safeguards and prohibiting unauthorized disclosure, and ongoing monitoring periodically assessing service providers based on risk.

Incident response requirements include a written incident response plan with clear roles and responsibilities for the response team, procedures for identification and escalation of security events, requirements for remediation of identified weaknesses, documentation and reporting of incidents, and post-incident evaluation and plan revision.

Testing requirements provide two options. Option 1 is continuous monitoring: real-time, ongoing monitoring of information system security that detects security threats, misconfigurations, and vulnerabilities. Option 2 is periodic testing: annual penetration testing of information systems, with scope defined by the risk assessment, plus vulnerability assessments at least every six months and additional assessments after material changes.

Pretexting Rule

The Pretexting Rule prohibits obtaining customer information through false pretenses, fraudulent statements, or impersonation. It requires institutions to implement safeguards against social engineering attacks and mandates employee training to recognize phishing and pretexting attempts.

Qualified Individual Requirement

The Qualified Individual requirement specifies that organizations must designate a qualified individual to oversee and implement the information security program. This may be an employee or third-party service provider. No specific education, experience, or certification is required by the rule, but the individual must have appropriate knowledge and authority for the institution’s complexity.

Board Reporting Requirements

Annual written reports to the Board of Directors or equivalent governing body must include overall status of the information security program, compliance status with the Safeguards Rule, and material matters including risk assessment results, risk management and control decisions, service provider arrangements, testing results, security events and management responses, and recommendations for program changes.

Note that board reporting is only required for institutions maintaining information on 5,000+ consumers.

Small Business Exemptions

Financial institutions maintaining customer information on fewer than 5,000 consumers are exempt from the written risk assessment requirement, the incident response plan requirement, the annual board reporting requirement, and the requirement for continuous monitoring or annual penetration testing with semi-annual vulnerability assessments.

Small businesses remain subject to all other Safeguards Rule requirements, including the written information security program, Qualified Individual designation, access controls and encryption, MFA implementation, employee training, and vendor management.

FTC Breach Notification

Effective May 13, 2024, financial institutions must notify the FTC within 30 days of discovering a security event affecting 500 or more consumers. Notification must be submitted through the FTC’s online portal at ftc.gov/glb-notification.

Enforcement and Penalties

FTC enforcement authority covers non-bank financial institutions. Since 2005, the FTC has brought approximately 35 cases alleging GLBA violations.

The penalty framework includes institutional penalties of up to $100,000 per violation, individual penalties of up to $10,000 per violation for directors and officers, and inflation-adjusted maximums currently approximately $51,744 per violation. Penalties can accumulate rapidly, as each day of non-compliance or each affected consumer may constitute a separate violation.

State attorneys general are increasingly active in privacy enforcement. Multiple states have amended their privacy laws to remove GLBA entity-level exemptions, including Connecticut and Montana effective October 2025.

Recent enforcement cases include the Blackbaud settlement, finalized by the FTC in May 2024, for security failures leading to a data breach affecting millions; it requires deletion of unnecessary data and implementation of a comprehensive security program. New York AG actions in 2024 resolved allegations against 12 companies, imposing financial penalties exceeding $14 million, focused on privacy and cybersecurity breaches.

Compliance Timeline

Key compliance dates include June 9, 2023, when the core Safeguards Rule requirements took effect, including MFA, encryption, the Qualified Individual, risk assessment, access controls, secure development, and vendor management. May 13, 2024 marked the effective date of the FTC breach notification requirement, with 30-day notification for incidents affecting 500+ consumers. October 1, 2025 is when Connecticut and Montana remove GLBA entity-level exemptions under their state privacy laws.

Ongoing requirements include an initial privacy notice at account opening and an annual privacy notice unless an exception applies. Annual obligations also include penetration testing if not using continuous monitoring, review and update of the risk assessment, a board or governing body report for institutions with 5,000+ consumers, and employee security awareness training. Further requirements include semi-annual vulnerability assessments if not using continuous monitoring, 30-day FTC notification for breaches affecting 500+ consumers, continuous monitoring as an alternative to periodic testing, periodic service provider assessments, and secure disposal of customer information no longer needed for business purposes, with a 2 year maximum retention.

Compliance Checklist

Administrative safeguards require designating a Qualified Individual, developing a written information security program, conducting and documenting risk assessments, establishing an incident response plan, implementing a vendor management program, providing annual board reports if 5,000+ consumers, and maintaining comprehensive documentation.

Technical safeguards require implementing MFA for systems with customer information, encrypting customer information at rest and in transit, implementing access controls following least privilege, adopting secure development practices, deploying continuous monitoring or conducting periodic testing, and implementing secure data disposal procedures.

Physical safeguards require controlling physical access to systems containing customer information and secure disposal of physical records.

Privacy compliance requires providing initial privacy notices, providing annual privacy notices if required, implementing opt-out mechanisms, and documenting information sharing practices.

Training and awareness require conducting annual security awareness training, training employees to recognize social engineering, and updating training based on risk assessment findings.

GLBA compliance requires ongoing attention as the regulatory landscape evolves. Organizations that invest in comprehensive security programs aligned with the updated Safeguards Rule requirements are better positioned to protect customer information and avoid enforcement actions.