What is the Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a U.S. federal law that requires financial institutions to protect the privacy and security of consumers’ personal financial information. It governs how organizations collect, store, share, and safeguard nonpublic personal information (NPI).
The law also enables affiliations between banks, securities firms, and insurance companies — but its most lasting impact is on data privacy and protection obligations for the financial industry.
Who Must Comply with GLBA?
GLBA applies to a wide range of organizations that offer financial products or services to consumers, including:
Banks and credit unions
Mortgage lenders and brokers
Insurance companies and agencies
Investment firms and financial advisors
Auto dealers that provide financing
Fintech and payment service providers
Even third-party service providers that handle consumer financial data on behalf of these institutions may be subject to GLBA requirements.
Key Requirements of the GLBA
GLBA has three main components that drive data privacy and security obligations:
1. Safeguards Rule
Requires financial institutions to implement a comprehensive information security program that protects customer data from unauthorized access, misuse, or breaches.
Key obligations:
Assess risks to customer information
Design and implement safeguards to control those risks
Regularly monitor and adjust the security program
Oversee service providers with access to sensitive data
2. Privacy Rule
Mandates clear disclosure of privacy practices to consumers — including how their data is collected, used, and shared. It also gives consumers the right to opt out of certain data sharing with non-affiliated third parties.
3. Pretexting Protection
Prohibits the practice of pretexting (i.e., using social engineering or impersonation to gain access to personal financial data).
What is Considered NPI under GLBA?
Nonpublic Personal Information (NPI) includes:
Names, addresses, phone numbers
Social Security numbers
Income, credit history, or account balances
Payment information
Any data provided during financial transactions
NPI can exist in both structured systems and unstructured content like documents, emails, spreadsheets, or scanned forms — all of which must be secured under GLBA.
GLBA Compliance Challenges
Locating and securing NPI across file shares, endpoints, cloud apps, and email
Managing access controls for employees, contractors, and third parties
Maintaining audit trails for data handling and user behavior
Preventing unauthorized sharing or printing of sensitive documents
Responding to consumer opt-out requests and regulatory audits
How Fasoo Supports GLBA Compliance
Fasoo helps financial institutions meet GLBA requirements by securing sensitive data at the file level — across any environment or workflow.
With Fasoo, organizations can:
Encrypt and restrict access to NPI using Fasoo Enterprise DRM (FED)
Discover and classify financial documents with Fasoo Data Radar (FDR)
Monitor and log all document activity to support audits and reporting
Block unauthorized sharing, printing, or screen capture attempts with Fasoo Smart Print (FSP) and Fasoo Smart Screen (FSS)
Gain complete visibility across cloud and on-premises environments and manage security vulnerabilities with Fasoo DSPM
By protecting NPI throughout the document lifecycle — not just within databases — Fasoo helps institutions align with both the Safeguards Rule and Privacy Rule, reducing regulatory exposure and strengthening consumer trust.