GLBA Explained in 7 Easy Points


The GLBA, or Gramm-Leach-Bliley Act, is a 1999 US law that allowed financial services companies to offer both investment and commercial banking, a combination that had been prohibited since the Great Depression. The general public, if it is aware of the Gramm-Leach-Bliley Act at all, mostly knows it from debates over whether it helped cause the 2008 subprime mortgage crisis. IT professionals, however, know it better for the data privacy and security mandates it imposes on a wide range of organisations, including many outside the traditional financial industry.

In this article let us look at:

  1. Definition
  2. Compliance requirements
  3. Compliance Checklist
  4. Risk Assessment
  5. GLBA Audit
  6. GLBA Enforcement
  7. Penalties

1. Definition

GLBA is also known as the Financial Services Modernization Act of 1999. It is a US federal law that requires financial institutions to explain how they protect and share their customers' private information. To be Gramm-Leach-Bliley Act compliant, a financial institution must communicate to its customers how it shares their sensitive data, inform them of their right to opt out if they prefer that their data not be shared with non-affiliated third parties, and apply specific protections to customers' private data through a written information security plan created by the organisation.

The main data protection implications of the Gramm-Leach-Bliley Act are laid out in its Safeguards Rule, with additional security and privacy requirements provided by the FTC's Privacy Rule, both issued under the Gramm-Leach-Bliley Act to drive implementation of its requirements. The Gramm-Leach-Bliley Act is enforced by the FTC, the federal banking agencies and other federal regulatory authorities, as well as state insurance oversight agencies.

2. Compliance requirements

It may seem odd at first that a financial services law has such a large effect on data and IT security. However, the drafters of the law correctly anticipated that by loosening existing financial regulation they were paving the way for large, sprawling firms offering a range of services from checking accounts to high-end investments, and that these organisations would have access to vast amounts of customer data. The law's data privacy and security provisions were included to ease fears that this data would be exploited or misused.

Regarding data privacy and security compliance requirements under the Gramm-Leach-Bliley Act, there are three main sets of provisions, each called a Rule in regulatory terms, that IT needs to worry about: the Financial Privacy Rule, the Safeguards Rule and the Pretexting Rule.

  • Privacy Rule

The Privacy Rule is relatively straightforward. Financial institutions must give customers written information explaining what data is collected about them, how that data is used, where and with whom it is shared, and how it is protected. Like the older Fair Credit Reporting Act, the Privacy Rule requires that organisations allow customers to prohibit the financial institution from sharing their data with non-affiliated third parties.

  • Safeguards Rule

The Safeguards Rule requires that any organisation covered by the GLBA protect, through physical, technical and administrative controls, the security, integrity and confidentiality of any non-public personal information that the organisation holds.

  • Pretexting Rule

The third major data security component of the GLBA is the Pretexting Rule. Pretexting is a form of social engineering in which an attacker, under a false pretext such as posing as the customer or as a bank employee, tries to persuade a victim to give up valuable information or access to a system or service. The GLBA's pretexting provisions make it illegal to obtain customer information from a financial institution, or from its customers, by false pretenses, and covered institutions are expected to train staff and put procedures in place to detect and deny such requests.

3. Compliance Checklist

A GLBA compliance checklist typically covers the following:

  • Understand the rules.
  • Ensure that effective controls are in place to mitigate risks.
  • Conduct a risk assessment.
  • Protect yourself from insider threats.
  • Confirm that you are meeting the Privacy Rule.
  • Ensure your service providers are compliant with GLBA.
  • Establish a written information security plan.
  • Update your business continuity and disaster recovery plans.
  • Report to the board.
  • Revise, review and improve.

4. Risk Assessment

A GLBA risk assessment is a significant part of the threat modelling process that many infosec teams already carry out as a matter of course: identify the non-public personal information the organisation holds, where it is stored and transmitted, who can access it, and the reasonably foreseeable internal and external threats to it, then evaluate whether existing controls are sufficient.

5. GLBA Audit

There is no single formal procedure that people are referring to when they talk about a GLBA audit. Organisations that do not feel capable of assessing their own compliance and preparedness, or that want an impartial assessment from an outside party, can pay a third-party firm to audit their compliance.

6. GLBA Enforcement

GLBA enforcement is carried out by several government bodies, including the state insurance oversight agencies, the Consumer Financial Protection Bureau, the federal banking agencies and the Federal Trade Commission, against any offending organisations that fall within their jurisdiction.

7. Penalties

Non-compliance penalties under the GLBA include:

  • Officers and directors found in violation face fines of up to USD 10,000 per violation.
  • Financial institutions found in violation face fines of up to USD 100,000 per violation.
  • Individuals found in violation can be imprisoned for up to 5 years.


The principal focus of the GLBA is to tighten and expand consumer data restrictions, safeguards and privacy. The main concern the GLBA raises for IT professionals and financial institutions is to protect the confidentiality of customers' financial and personal data. Maintaining GLBA compliance is essential for any financial institution, as violations can be both damaging and costly to ongoing operations.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practise in a real-time simulated ecosystem, which will give them an edge in this competitive world.

