What is GLBA?

The GLBA, or Gramm-Leach-Bliley Act, is a United States federal law enacted in 1999 regulating the handling of personal data by financial institutions. (The act is also known as the Financial Services Modernization Act of 1999.)

The GLBA includes provisions to protect consumers’ personal financial information held by financial institutions and requires that these institutions communicate their information-sharing practices to their customers.

The GLBA consists of three main pillars:

  • The Financial Privacy Rule. This rule requires financial institutions to provide each consumer with a privacy notice when the consumer relationship is established and annually after that. The privacy notice must explain the following:

    • The information collected about the consumer;
    • Where that information is shared;
    • How that information is used;
    • How that information is protected; and
    • How the consumer can opt out of having their information shared with nonaffiliated third parties, together with any affiliate-sharing opt-out notice required under the Fair Credit Reporting Act.

  • The Safeguards Rule. This rule requires financial institutions to implement a written information security program, with administrative, technical, and physical safeguards appropriate to their size and the sensitivity of the customer information they hold. The program must:

    • Ensure the security and confidentiality of customer records and information, and be regularly tested, monitored, and updated as threats and the business change;
    • Protect against anticipated threats or hazards to the security or integrity of that information; and
    • Protect against unauthorized access to, or use of, that information that could result in substantial harm or inconvenience to a customer.

  • Pretexting Protection. Pretexting is obtaining nonpublic personal information under false pretenses, for example by impersonating a customer over the phone or by using forged or stolen documents to persuade an institution's staff to release account details. This part of the GLBA makes it unlawful to obtain customer information this way and requires financial institutions to put measures in place (such as caller identity verification and employee training) to protect consumers from individuals and entities attempting to obtain their personal financial information fraudulently.

The GLBA applies to financial institutions, which include banks, securities firms, insurance companies, and companies providing financial products and services such as lending, brokering, or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts; and an array of other activities.

MergeBase and GLBA

MergeBase is not a financial institution and does not collect or process consumers' nonpublic personal financial information. As a result, the GLBA does not apply directly to MergeBase.

How Can MergeBase Help You Comply with the GLBA?

MergeBase can help businesses comply with the Gramm-Leach-Bliley Act (GLBA) by enhancing the security of their software applications, particularly in the management and protection of customer financial information.

In particular:

  • MergeBase’s Software Composition Analysis (SCA) platform identifies known vulnerabilities in the open-source and third-party components of the applications that handle customer financial data, so that vulnerable dependencies can be upgraded or patched before they are exploited, reducing the risk of data breaches and unauthorized access to sensitive information.

  • We provide continuous monitoring and management of software vulnerabilities, which is a critical aspect of an effective information security program. By identifying and addressing vulnerabilities in software components, MergeBase helps maintain the integrity and confidentiality of customer information as required by the Safeguards Rule.

  • MergeBase’s platform minimizes false positives and focuses on vulnerabilities that actually affect the application, enabling institutions to prioritize and address the most critical security issues first. This targeted approach helps institutions use their security resources efficiently while protecting customer information as the GLBA requires.

  • By reducing the vulnerabilities that attackers could exploit to reach customer data, MergeBase lowers the risk of unauthorized technical access to sensitive customer information. This addresses the Safeguards Rule's unauthorized-access objective and complements, but does not replace, the identity-verification and staff-training controls that protect against pretexting and other social engineering attacks.