Financial Privacy

What is GLBA?

The federal law that governs how financial institutions handle customer information — and the framework behind the FTC Safeguards Rule that is actively being enforced against small businesses in 2026.

The Short Version

GLBA, the Gramm-Leach-Bliley Act of 1999, set national rules for how financial institutions protect customer financial information. It has three parts: the Privacy Rule (what customer information you may share with nonaffiliated third parties, and the notices and opt-outs you owe customers), the Safeguards Rule (how you protect that information), and the Pretexting Provisions (prohibiting obtaining customer information under false pretenses).

The term "financial institution" under GLBA is much broader than most people assume. It covers any business significantly engaged in financial activities, which includes accountants, tax preparers, mortgage brokers, auto dealers offering financing, insurance agencies, investment advisors, check cashers, and more. If you extend credit, arrange financing, move customers' money, or give financial advice, GLBA likely applies to you.

Who Needs to Comply?

  • Banks, credit unions, and thrift institutions
  • Investment advisors and broker-dealers
  • Insurance companies and agencies
  • Mortgage brokers and lenders
  • Accountants and tax preparation services
  • Auto dealers offering financing or leasing
  • Check cashers, payday lenders, and money transmitters
  • Collection agencies and debt management services
  • Finders, real estate appraisers, and career counselors (if consumer financial data is handled)
  • Service providers to any of the above (through contract flow-down)

The FTC's Safeguards Rule (16 CFR Part 314) is what puts teeth in GLBA for FTC-supervised institutions. The FTC expanded it significantly in December 2021; most of the new program requirements took effect June 9, 2023.

What GLBA Requires From Your IT

Under the updated Safeguards Rule, a compliant information security program must have:

  • Qualified Individual: A designated person responsible for the program. This need not be an employee; an affiliate or a service provider such as an MSP or vCISO can fill the role, but the institution keeps responsibility for compliance and must name a senior employee to direct and oversee that person
  • Written risk assessment: Documented and updated periodically, identifying reasonably foreseeable internal and external risks to customer information and assessing whether existing safeguards control them
  • Access controls: Limit access to authorized users and to the customer information they actually need, review permissions periodically, and remove access promptly when people leave or change roles. The rule also requires logging and monitoring of authorized users' activity to detect unauthorized access or tampering
  • Data inventory and classification: Know what customer information you hold and where it lives (systems, devices, cloud services, paper), and how it flows
  • Encryption: Customer information encrypted in transit over external networks and at rest. Where encryption is infeasible, the Qualified Individual may approve effective compensating controls in writing
  • Multi-factor authentication: Required for any individual accessing any information system that holds customer information, unless the Qualified Individual has approved in writing reasonably equivalent or more secure access controls
  • Secure disposal: Customer information destroyed no later than two years after the last date it is used for the customer, unless retention is required by law or regulation, the information is still needed for legitimate business purposes, or targeted disposal is not reasonably feasible. Retention policies must be reviewed periodically to minimize unnecessary retention
  • Change management: Procedures for evaluating the security impact of changes to systems, networks and applications before they are made
  • Monitoring and testing: Continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months and whenever there are material changes to operations or circumstances that may materially affect the program
  • Security awareness training: For all personnel, updated as risks change, plus qualified security staff who keep current on threats
  • Service provider oversight: Select providers capable of maintaining safeguards, require those safeguards by written contract, and assess the providers periodically based on risk
  • Incident response plan: Written, with defined roles and decision-making authority, internal and external communications, remediation steps, and post-incident review and revision
  • Annual report: The Qualified Individual reports in writing, at least annually, to the Board of Directors or equivalent governing body (or to a senior officer if there is none) on the program's status, risk assessment, test results, security events and recommended changes

One caveat matters for the smallest firms: institutions that maintain customer information on fewer than 5,000 consumers are exempt from the written risk assessment, the continuous monitoring or penetration testing and vulnerability assessment requirement, the written incident response plan, and the annual report (16 CFR 314.6). Every other item on the list, including MFA, encryption, access controls and service provider oversight, still applies.

What Happens When You Don't Comply?

  • FTC orders: The FTC enforces the Safeguards Rule through administrative complaints and consent orders. Neither GLBA nor the rule sets a per-violation dollar penalty for institutions or their officers, and the FTC has no authority to seek civil penalties for a first-time violation of the rule; civil penalties (inflation-adjusted, above $50,000 per violation) become available once an order is in place and is violated
  • Individual exposure: FTC orders can name owners and officers as individual respondents, binding them personally to the order's requirements for its full term
  • Criminal penalties: GLBA's pretexting provisions carry fines and up to five years imprisonment (ten in aggravated cases) for obtaining customer information under false pretenses. These attach to pretexting, not to Safeguards Rule deficiencies
  • Breach notification: Since May 13, 2024, a "notification event" (unauthorized acquisition of unencrypted customer information involving at least 500 consumers) must be reported to the FTC as soon as possible and no later than 30 days after discovery. Encrypted data counts as unencrypted if the encryption key was also compromised
  • Consent orders: FTC orders typically run 20 years and carry ongoing compliance reporting, record-keeping and periodic independent assessment obligations
  • State regulator overlap: State banking, insurance, and attorney general enforcement adds to the federal exposure
  • Private litigation: GLBA itself creates no private right of action, but many states' breach notification and consumer protection laws permit private suits over exposed personal financial data

How Digital Armor Helps

We implement and maintain the Safeguards Rule program end-to-end for small and mid-size financial businesses:

  • Qualified Individual function — we serve as or support the designated role
  • Annual written risk assessment with findings and remediation plan
  • Access controls, MFA, and quarterly user reviews
  • Encryption at rest and in transit across email, storage, and backups
  • Vulnerability scanning and penetration testing coordination
  • Secure disposal procedures and retention policy enforcement
  • Service provider inventory and contract review
  • Incident response plan, tabletop exercises, and FTC 30-day notification playbook
  • Annual board report preparation

Is Your Firm Actually Safeguards-Compliant?

The FTC has been unusually active on this rule since June 2023. Small financial businesses are being pulled into enforcement actions — and the answer to "do you have a written information security program?" has to be yes, with documentation to prove it.

Book Your Assessment