Explore UAB

What is GLBA?

GLBA stands for the Gramm-Leach-Bliley Act.

GLBA is a law enacted in 1999 that requires financial institutions to protect the privacy of consumer information. It also mandates that companies provide consumers with privacy statements that describe in detail the companies’ information-sharing policies and practices. The GLBA’s Safeguards and Privacy rules are designed to protect the non-public personal information (NPI) of consumers. NPI is defined as any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.

This type of information is gathered regularly by universities in the form of student financial aid and grant information, payment history, student loan information, etc. Examples of NPI protected by GLBA include:

  • Any information an individual gives the institution in order to get a financial product or service (for example, name, address, income, Social Security Number, or other information on an application)
  • Any information an organization receives about an individual from a transaction involving a financial product or service (for example, the fact that an individual is a consumer or customer of the company, account numbers, payment history, loan or deposit balances, and credit or debit card purchases)
  • Any information the company gets about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

Requirements

Any such data collected, processed, transmitted, and/or stored are protected by GLBA’s Safeguards and Privacy rules. Compliance with GLBA requirements is mandatory. UAB’s policies and security controls are also required as GLBA data is classified as Restricted/PHI data.

The Safeguards Rule requires the development and operation of a comprehensive information security program whose aim is to provide administrative, technical, and physical security controls to protect GLBA data. At a high level, the Safeguards Rule defines the following objectives:

  1. Ensure the security and confidentiality of customer information
  2. Protect against any anticipated threats or hazards to the security or integrity of such information
  3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer

As a part of this information security program, the FTC states that each compliant organization must:

  • Designate one or more employees to coordinate its information security program
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
  • Design and implement a safeguards program, and regularly monitor and test it
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring

Additional Resources

This page provides a high-level overview of the GLBA, but additional resources are required to fully understand its requirements and application of those requirements.