:PROPERTIES:
:ID:       4a2bc62b-3f21-4212-9cd9-f9add8fc0be1
:ID:       auto-glba
:CREATED:  [2026-05-23 Sat]
:END:
#+title: GLBA (Gramm-Leach-Bliley Act)
#+filetags: :passepartout:compliance:framework:glba:


US federal law governing financial institutions' handling of nonpublic personal
information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
Rule requiring an information security program.

Who must comply: Banks, credit unions, insurance companies, securities firms,
financial advisers. ~20,000 institutions.

Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
and directors personally liable.

Why it matters: The Safeguards Rule maps directly to gate stack access controls.
Every NPI access is gated; the proof log is the security program's evidence.
First-mover advantage is narrow (GLBA is well-understood) but the market is
large because every financial institution that dodges [[id:84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f][HIPAA]] still faces GLBA.