15 U.S. Code Subchapter I
The Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.
The law applies to financial institutions, but the definition is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.
There is a Security Rule and a Privacy Rule. The Security Rule (16 CFR Part 314) requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (15 USC §6801(a))
Penalties and enforcement:
Penalties for violation could exceed $1 million. There is also the possibility of termination of FDIC insurance, which could mean the end of the business for a financial firm.
How to comply with the GLBA:
The methods to achieve compliance are set out in the “Interagency Guidelines Establishing Information Security Standards” (12 CFR Appendix B to Part 30) (see also Federal Reserve Regulations).
These rules were later the basis for rules established under the Federal Information Security Management Act of 2002 (FISMA), and in the HIPAA Security Standards issued by the Department of Health and Human Services. The Security Rule is similar to many recognized cybersecurity frameworks. It requires financial institutions to do the following:
- Involve the board of directors
- Conduct a risk assessment
- Apply risk management and controls
- Conduct regular staff training
- Obtain oversight of service providers
- Implement a written security incident response plan
- Apply periodic reviews and updates
The law also institutes a Privacy Rule. The Privacy Rule (12 CFR 1016) requires financial institutions to undertake certain activities to protect consumer rights.
Enforcement of the GLBA depends on the type of financial institution being regulated and on which rule is at issue: the Security Rule or the Privacy Rule. For the former, banks are regulated by the federal banking regulators, including the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA).