
Gramm-Leach-Bliley Act (GLBA)

A federal data protection law governing how financial institutions collect, disclose, and protect nonpublic personal information — reinforced by the FTC's updated Safeguards Rule.

LAW OVERVIEW

GRC-Focused Overview of GLBA

At the dawn of the Internet in the 1990s, recognizing the need for formal protections over consumer financial data, the US Congress enacted the Gramm-Leach-Bliley Act (GLBA) in 1999. GLBA is fundamentally a data protection law, and it has gained renewed urgency in the face of ransomware, data breaches, and heightened regulatory scrutiny.

This page provides a cybersecurity-focused summary of GLBA from a GRC practitioner's perspective, including: the history of the law; the consequences of non-compliance; practical compliance strategies; high-profile enforcement actions; and the role of high-quality documentation in audit readiness and breach resilience.

Name: Gramm-Leach-Bliley Act (GLBA)

Type: Statutory (Law)

Authoritative Source: GLBA (Public Law 106-102)

Enacted: November 12, 1999

Enforced By: FTC (non-bank institutions); Federal Reserve, OCC, FDIC, NCUA (federally regulated entities)

Applies To: Financial institutions and companies "significantly engaged" in financial activities

Certification Available: No. There is no official certification for GLBA. However, the SCF Conformity Assessment Program (SCF CAP) can provide a path to demonstrate conformity through third-party assessment.

TL / DR — Too Long / Didn't Read

GLBA applies to financial institutions and companies that are "significantly engaged" in financial activities (e.g., banks, check cashing, payday loans, tax preparation services, etc.). The FTC's recently amended "Safeguards Rule" adds more granular requirements to GLBA from a cybersecurity perspective.

ORIGINS & HISTORY

GLBA — Origins and Purpose

GLBA, also known as the Financial Services Modernization Act of 1999, was signed into law on November 12, 1999. The act had three primary objectives: repeal the Glass-Steagall Act's separation of commercial banking, investment banking, and insurance services; allow financial institutions to consolidate into larger, diversified entities; and establish safeguards for the collection, disclosure, and protection of nonpublic personal information (NPI) held by financial institutions.

GLBA is composed of several titles, but the sections most relevant to cybersecurity and data protection are:

The Financial Privacy Rule (15 U.S.C. §§ 6801–6809): Requires financial institutions to provide consumers with privacy notices explaining information-sharing practices.

The Safeguards Rule (16 CFR Part 314): Mandates the development, implementation, and maintenance of a comprehensive information security program.

The Pretexting Provisions: Prohibit accessing private financial information under false pretenses (social engineering).

2021 Safeguards Rule Modernization

The Federal Trade Commission (FTC) issued significant amendments to the Safeguards Rule in December 2021, with full compliance deadlines taking effect in June 2023. These updates codify several best practices into regulatory requirements:

Multi-Factor Authentication (MFA)

MFA is now mandatory for any individual accessing customer information through a customer-facing web application or internal system, removing prior ambiguity about when MFA was required.

Encryption Requirements

Encryption of customer data is required both in transit and at rest, with specific attention to portable media and transmission over external networks.

Continuous Monitoring or Annual Penetration Testing

Institutions must implement either continuous monitoring of information systems or conduct annual penetration tests and vulnerability assessments at least every six months.

Incident Response Planning and Board Reporting

Institutions must maintain a formal incident response plan and provide an annual written report to the board of directors (or equivalent governing body) summarizing the overall status of the information security program.

NON-COMPLIANCE

Ramifications of Non-Compliance with GLBA

Non-compliance with GLBA, particularly with its Safeguards Rule, can result in significant financial, reputational, and legal consequences. These risks have escalated in recent years as regulators have stepped up enforcement, particularly in light of growing cyber threats.

Financial Penalties

Violations of the Safeguards Rule can result in civil penalties from the FTC. Under Section 5 of the FTC Act, the agency can seek monetary penalties for unfair or deceptive practices, which include failing to adequately secure consumer data. The FTC may also pursue injunctive relief, mandating operational changes, independent audits, or other corrective measures. For federally regulated entities, additional enforcement may come from the Federal Reserve, OCC, FDIC, or NCUA.

Civil Liability and Class Action Exposure

Although GLBA itself does not provide for a private right of action, data breaches resulting from GLBA non-compliance often lead to lawsuits under state consumer protection laws, negligence, or breach of contract. These cases can be extremely costly to defend, and settlements frequently include multi-million-dollar payouts.

Reputational Damage and Customer Attrition

The financial industry operates on trust. When consumers lose confidence in a firm's ability to protect their personal and financial data, the damage is often long-term. Breaches tied to GLBA violations tend to receive media scrutiny, which amplifies the operational and reputational fallout.

Operational Disruption

Enforcement actions typically include mandatory remediation steps such as implementation of new technologies (e.g., encryption, access controls), organizational changes (e.g., new security leadership roles), and third-party audits and reporting obligations.

IMPLEMENTATION

Common Methods to Achieve and Maintain GLBA Compliance

While GLBA leaves some flexibility in how institutions implement safeguards, the amended 2021 Safeguards Rule outlines specific requirements that, in effect, function as a minimum viable cybersecurity program.

Develop and Maintain a Written Information Security Program (WISP)

A WISP is the cornerstone of GLBA compliance. It must be approved by executive leadership, tailored to the institution's size, complexity, and data sensitivity, and subject to periodic review and revision.

Conduct Risk Assessments

A risk-based approach is central to GLBA's philosophy. Risk assessments must be conducted regularly and updated when conditions change, documented with specific findings, and used to guide security control selection.

Implement Administrative, Technical, and Physical Safeguards

Institutions are expected to demonstrate not only that controls exist, but that they are functional and effective:

Access controls: role-based access and least privilege.

Authentication: MFA.

Data protection: encryption at rest and in transit; secure data disposal.

Monitoring: continuous monitoring, logging, and regular testing.

Training: security awareness and role-specific training.

Oversee Service Providers

Institutions must conduct due diligence before onboarding vendors, require contractual assurances that vendors implement appropriate safeguards, and periodically assess vendor performance and security posture.

Establish and Test an Incident Response Plan (IRP)

The plan must define detection, containment, and eradication procedures; notification obligations to regulators and customers; roles and responsibilities of the incident response team; and coordination with legal counsel and executive stakeholders.

Annual Reporting to the Board of Directors

For institutions with a defined board, the Safeguards Rule requires a written report summarizing the overall status of the security program, material risks identified, incidents and responses, and recommendations for improvement.

REAL-WORLD ENFORCEMENT

Public Examples of GLBA Enforcement Actions

Numerous enforcement actions underscore the FTC's commitment to enforcing the Safeguards Rule. While not all include published fines, several stand out as cautionary tales.

Morgan Stanley Smith Barney — $35M Penalty (2022)

The SEC and FINRA found that Morgan Stanley failed to properly decommission data center equipment containing customer PII, including Social Security numbers and account numbers. The data of tens of millions of customers was inadequately wiped before the equipment was sold to a third party. Morgan Stanley paid a $35 million civil penalty to settle SEC charges related to these failures.

Drizly FTC Consent Order (2022)

The FTC found that Drizly, an alcohol delivery platform, failed to implement basic security safeguards despite being aware of known vulnerabilities, allowing a 2020 breach that exposed data on 2.5 million customers. While not a traditional financial institution, the FTC applied a GLBA-adjacent analysis and the order required Drizly to destroy unnecessary data and implement a comprehensive information security program.

LifeLock $100M FTC Settlement (2015)

LifeLock, a consumer identity protection service, paid $100 million to settle FTC charges that the company violated a 2010 consent order by continuing to make deceptive claims about its protection services and failing to implement security safeguards. This case was significant because LifeLock was handling sensitive consumer financial information and was subject to GLBA obligations.

Understanding The Value of Quality Cybersecurity Documentation in GLBA Success

One of the most underappreciated aspects of GLBA compliance is the role that documentation plays — not just in satisfying regulatory requirements, but in actually reducing risk and improving response capability. Quality documentation serves multiple functions in a GLBA compliance program.

Documenting Risk Assessments

The Safeguards Rule explicitly requires documented risk assessments. These records demonstrate that the institution followed a structured process and justify the security controls that were (or were not) implemented. During regulatory reviews and audits, documented risk assessments are one of the first things examiners request.

Maintaining Security Policies

A Written Information Security Program (WISP) is a GLBA requirement, but its value goes beyond compliance. Well-written policies drive consistent behavior, reduce ambiguity during incidents, and make it easier to onboard employees and contractors to security expectations. Policies should be reviewed and updated annually or when material changes occur.

Training Records

GLBA's Safeguards Rule requires security awareness training for all personnel with access to customer data. Documenting who was trained, what was covered, when training occurred, and whether employees acknowledged the content creates an audit trail that demonstrates compliance and helps identify gaps in the security culture.

Vendor Due Diligence Records and Incident Response Logs

Service provider oversight is a specific GLBA Safeguards requirement. Retaining vendor due diligence questionnaires, contract security addenda, and periodic review results is essential to demonstrating compliance. Similarly, incident response logs — including timelines, actions taken, and notifications made — provide critical documentation in the event of a breach or regulatory inquiry.

GET STARTED

See GLBA Mapped in the SCF

GLBA — and 80+ more laws, regulations, and frameworks — is mapped to specific SCF controls in the Common Controls Framework™. Download it free.