885 B
885 B
US federal law governing financial institutions' handling of nonpublic personal information (NPI). Requires privacy notices, opt-out rights, and a Safeguards Rule requiring an information security program.
Who must comply: Banks, credit unions, insurance companies, securities firms, financial advisers. ~20,000 institutions.
Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers and directors personally liable.
Why it matters: The Safeguards Rule maps directly to gate stack access controls. Every NPI access is gated; the proof log is the security program's evidence. First-mover advantage is narrow (GLBA is well-understood) but the market is large because every financial institution that dodges HIPAA still faces GLBA.