What is the GLB Act (GLBA)?

The act aims to ensure the privacy and security of sensitive financial data while enabling certain types of financial service integrations.

The three (3) main objectives of GLBA 501(b) are to:

• Ensure the security and confidentiality of customer records and information;
• Protect against any anticipated threats or hazards to the security or integrity of such records; and
• Protect against unauthorized access or use of such records or information which could result in substantial harm or inconvenience to any customer.

The GLBA applies broadly to banks, insurance companies, securities firms and other financial institutions. Non-compliance can lead to regulatory penalties and loss of customer trust. For cybersecurity professionals, GLBA compliance means ensuring that adequate controls and policies are in place to safeguard sensitive customer data.

In accordance with GLBA, almost any organization that works with consumers’ money is considered a financial institution. Some inclusions are obvious (e.g. bank, credit union or brokerage). However, there are many less obvious inclusions as well. Some examples from the FTC include:

• Preparers of income tax returns;
• Consumer credit reporting agencies and credit counseling services;
• Real estate transaction settlement services; and
• Debt collection agencies.