Gramm-Leach-Bliley Act of 1999 (GLB)


GLB was signed into law November 12th, 1999 with a goal to modernize the nation’s financial services industries, updating the ways financial companies are allowed to do business, and take advantage of advanced technologies. As a result of GLB, the need to protect the integrity and privacy of customer data were highlighted.

Title V of GLB focuses specifically on privacy and the protections of customer data. It requires specific privacy and security measures be in place at financial institutions by July 1, 2001. The act applies to all national banks and the federal branches of foreign banks that are subject to the supervision of the Federal Reserve System, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, or the Federal Deposit Insurance Corporation.

Section 501 of Subtitle A of Title V, entitled Protection of Nonpublic Personal Information, limits the instances in which financial institutions may disclose nonpublic personal information about a customer to nonaffiliated third parties, requires them to disclose certain privacy policies and practices as well as establish safeguards to protect that information.

Subtitle A, Section 501a states: Each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

Subtitle B, Section 501b states: Each agency shall establish appropriate standards for the financial institutions within their jurisdiction relating to administration, technical, and physical safeguards:

  • to insure the security and confidentiality of customer records and information;
  • to protect against any anticipated threats or hazards to the security or integrity of such records; and
  • to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The Interagency Security Guidelines require each financial institution “Implement a comprehensive written information security program that includes administrative, technical, and physical safeguards.” The following are the basic elements every institution must apply in developing a comprehensive information security program.

  1. Involve the Board of Directors to approve and oversee the program.
  2. Identify and Assess risks to customer information.
  3. Manage and Control risk to customer information.
  4. Require service providers, by contract, to implement safeguards for customer information.
  5. Adjust the Program to reflect changing conditions.
  6. Report to the Board annually at a minimum.
  7. Implement these standards by July 1, 2001.

These guidelines emphasize that the security of customer information is not a discrete event, but an ongoing and dynamic process that must be maintained and adjusted.

Using Pivot Group to Assist with GLB Compliance

  • Policies, Processes, and Procedures Reviews and Improvement
  • Risk Assessments
  • Monitoring, Auditing, and Reporting
  • Technology Recommendations and Deployment
  • Security Best Practice Education

For more information about GLB, please refer to our Resource Guide.