- GLBA Penalties and Enforcement: What Happens When You Violate GLBA?
- What Are GLBA Penalties and Violations?
- Who Enforces GLBA?
- GLBA Enforcement Examples
- Inadequate Information Security Programs: Nationwide Mortgage Group (2004)
- Failure to Protect Customer Data: Blackbaud, Inc. (2024)
- Vendor Management Failures: Ascension Data & Analytics (2020)
- Pretexting Violations: FTC v. RCG Advances, LLC / Jonathan Braun (2023)
- Joint Federal-State Enforcement: FTC and Colorado v. Greystar (2025)
- How to Avoid GLBA Violations
- How to Simplify GLBA Compliance
- Key Takeaways
- GLBA Penalties and Enforcement FAQs
GLBA Penalties and Enforcement: What Happens When You Violate GLBA?
Violations of the Gramm-Leach-Bliley Act (GLBA) carry severe consequences for organizations subject to compliance, often in the form of civil penalties. For example, covered financial institutions face up to $100,000 per violation of the GLBA.
Today, GLBA enforcement involves multiple federal and state agencies, including the Federal Trade Commission (FTC), federal banking regulators, and state attorneys general. Unlike other privacy regulations, GLBA creates both institutional and individual liability for compliance failures, including civil and criminal charges.
Part of our GLBA compliance series, this guide covers the full GLBA penalty structure for institutions and individuals, explains which agencies enforce GLBA with real enforcement examples, and describes how to build a GLBA compliance program that proactively prevents violations.
For a complete overview of one of the most significant financial privacy laws in the US, see our GLBA guide.
What Are GLBA Penalties and Violations?
GLBA penalties are the civil fines, criminal sanctions, and regulatory enforcement actions imposed on financial institutions and individuals that fail to comply with the Gramm-Leach-Bliley Act. Penalties apply at both the institutional and individual level, with enforcement carried out by the FTC, federal banking agencies, and state attorneys general.
GLBA violations occur when a financial institution or covered individual fails to meet the requirements of the Privacy Rule, Safeguards Rule, or Pretexting Provisions.
GLBA penalties include civil fines up to $100,000 per violation for institutions and up to $10,000 per violation for individual officers and directors, with willful violations carrying up to 5 years of imprisonment.
GLBA is one of the few privacy regulations where individual executives face personal fines and imprisonment alongside institutional penalties. This dual liability structure means compliance failures create consequences at every level of the organization — from the institution itself to the officers and directors who authorized or participated in the violation.
Institutional Penalties
Civil penalties. Financial institutions face fines up to $100,000 per violation. Each day a violation continues can count as a separate offense, so penalties stack fast. A single compliance gap can become a multi-million dollar exposure.
Consent decrees. FTC enforcement actions typically result in consent orders requiring the institution to implement a comprehensive information security program, conduct third-party security assessments, and submit regular compliance reports, committing the institution to regulatory oversight for a decade or more.
Cease and desist orders. Regulators can order institutions to stop non-compliant practices immediately and implement corrective measures. For institutions still building out their compliance programs, this can mean halting core business operations until the gaps are closed.
Reputational damage. Enforcement actions are public record. FTC consent orders, federal banking agency enforcement actions, and state attorney general settlements are published and widely reported, meaning customers, partners, and other regulators can all see them. The reputational fallout can outlast the fine itself.
Individual Penalties
Civil fines. Individual officers and directors face fines up to $10,000 per violation. This is a personal liability, not covered by the institution, meaning executives can face financial consequences even if the organization itself settles.
Criminal penalties. Willful violations can result in imprisonment of up to 5 years. This applies to individuals who knowingly and willfully authorize or participate in GLBA violations, including pretexting violations under 15 U.S.C. Section 6823. For senior leaders, this means personal legal exposure sits alongside any institutional penalties.
Scope of liability. Personal liability extends to officers, directors, and employees who authorize or participate in violations, so the people making compliance decisions carry real personal risk.
GLBA Penalty Structure
| Penalty Type | Who It Applies To | Maximum Penalty | When It Applies | How Regulators Enforce |
|---|---|---|---|---|
| Civil penalties | Financial institutions | Up to $100,000 per violation | Violations of the Privacy Rule, Safeguards Rule, or Pretexting provisions | Imposed through FTC actions, banking regulator enforcement orders, or settlements |
| Civil penalties | Officers and Directors | Up to $10,000 per violation | Individuals who participate in or authorize violations | Personal liability in enforcement actions |
| Criminal Fine | Individuals | Up to $10,000 fine and up to 5 years imprisonment | Willful violations, including pretexting or knowingly ignoring safeguards | Criminal prosecution under 15 U.S.C. §6823 |
| Consent Decree | Institutions | 10–20 years regulatory monitoring | Major security failures or systemic Safeguards Rule violations | FTC consent decrees requiring audits and compliance reporting |
| Cease and desist orders | Institutions | Immediate operational restrictions | Unsafe or non-compliant practices | Banking regulators can require corrective actions |
| Continuing violations | Institutions and individuals | Each day counted as a separate violation | Ongoing non-compliance with required safeguards | Penalties accumulate until remediation |
Who Enforces GLBA?
GLBA enforcement is split across multiple federal and state agencies. The specific regulator depends on institution type and regulatory charter.
| Enforcement Agency | Jurisdiction | Entity Types |
|---|---|---|
| FTC | Non-bank financial institutions | Higher education, auto dealers, tax preparers, mortgage brokers, payday lenders |
| OCC | National banks | National banks, federal savings associations |
| FDIC | State-chartered non-Fed banks | State banks not in the Federal Reserve System |
| Federal Reserve | State-chartered Fed banks | State banks in Federal Reserve System, bank holding companies |
| NCUA | Credit unions | Federal credit unions |
| State attorneys general | State consumer protection | All entities operating in the state |
| State insurance commissioners | Insurance | Insurance companies and agencies |
The Federal Trade Commission (FTC) is the primary enforcement authority for non-bank financial institutions, including higher education institutions processing Title IV financial aid, auto dealers arranging financing, tax preparers, mortgage brokers, and other entities classified as financial institutions under GLBA. The FTC has been the most active GLBA enforcer since the 2023 GLBA Safeguards Rule updates took effect.
The Office of the Comptroller of the Currency (OCC) examines and enforces GLBA requirements for national banks and federal savings associations.
The Federal Deposit Insurance Corporation (FDIC) covers state-chartered banks that are not members of the Federal Reserve System.
The Federal Reserve Board enforces for state-chartered banks that are members of the Federal Reserve System and bank holding companies.
The National Credit Union Administration (NCUA) covers all federal credit unions.
State attorneys general can bring enforcement actions under state consumer protection laws for GLBA-related violations.
State insurance commissioners enforce GLBA-equivalent requirements for insurance companies under state insurance codes, often through the NAIC Insurance Data Security Model Law.
Because GLBA enforcement follows the existing financial regulatory structure, organizations must comply with both GLBA requirements and the supervisory expectations of their primary regulator.
GLBA Enforcement Examples
Since 2005, the FTC has brought approximately 35 cases alleging GLBA violations. The cases below illustrate the types of violations regulators pursue and the consequences that follow.
Inadequate Information Security Programs: Nationwide Mortgage Group (2004)
Nationwide failed to assess risks to customer information, train employees on security, oversee loan officers’ handling of customer data, monitor its network for vulnerabilities, or provide customers with required privacy notices.
Outcome: The FTC issued an administrative complaint and consent order requiring full implementation of an information security program (ISP) and biennial independent audits for 10 years. The case established a pattern that the FTC has followed in nearly every Safeguards Rule enforcement action since: non-compliance results in long-term regulatory oversight, not just a one-time fine.
Failure to Protect Customer Data: Blackbaud, Inc. (2024)
Blackbaud allowed employees to use weak or identical passwords, failed to implement MFA, stored sensitive consumer data including Social Security and bank account numbers without encryption, and did not monitor its network for intrusions. A hacker gained access in early 2020 and went undetected for three months.
Outcome: The FTC finalized a consent order requiring a comprehensive ISP and 20 years of oversight. Blackbaud separately paid $49.5 million to 49 state attorneys general and $3 million to the SEC for misleading breach disclosures.
The case shows that basic safeguard failures do not stay contained to one regulator. When encryption, MFA, and network monitoring are all absent, the exposure multiplies across enforcement bodies.
Vendor Management Failures: Ascension Data & Analytics (2020)
Ascension hired a vendor to perform text recognition scanning on mortgage documents. That vendor stored the documents, including names, Social Security numbers, and loan information, on a cloud-based server in plain text with no access controls or password protection. The server was accessed dozens of times before the exposure was identified.
Outcome: The FTC finalized a settlement requiring Ascension to strengthen its data security protections and increase oversight of its vendors to ensure third-party providers comply with the same safeguards. The case showed that if a vendor mishandles customer data, the institution is the one facing enforcement.
Pretexting Violations: FTC v. RCG Advances, LLC / Jonathan Braun (2023)
RCG Advances deceived small businesses about the terms of merchant cash advance agreements, making misrepresentations in transactions where consumers provided financial account information. The FTC alleged this constituted a violation of GLBA’s pretexting provisions under Section 521(a).
Outcome: A federal court entered a $20.3 million judgment against operator Jonathan Braun in the first-ever FTC jury trial on a GLBA pretexting claim. The case expanded how pretexting is understood under GLBA. Liability is not limited to identity theft schemes. Any misrepresentation made in the course of obtaining consumer financial information can trigger the pretexting provisions, and individual officers can be held personally liable.
Joint Federal-State Enforcement: FTC and Colorado v. Greystar (2025)
Greystar, the nation’s largest multifamily rental property manager, advertised deceptive rental prices to collect consumers’ financial information through rental application inquiry forms. The FTC and Colorado Attorney General alleged this constituted a GLBA pretexting violation under 15 U.S.C. §6821.
Outcome: Greystar agreed to a $24 million settlement in December 2025. The case extended GLBA pretexting enforcement beyond traditional financial institutions and demonstrated how joint federal-state actions use GLBA to enable monetary relief in non-banking contexts.
For the specific technical requirements that these organizations violated, see the GLBA cybersecurity requirements guide.
How to Avoid GLBA Violations
Avoiding GLBA violations starts with building and maintaining a compliance program that addresses all 9 elements of the Safeguards Rule, plus the FTC’s breach notification requirement added in 2023.
| # | Safeguards Rule Element | Prevention Step | Key Action |
|---|---|---|---|
| 1 | §314.4(a) | Designate a Qualified Individual | Assign a responsible leader with authority and resources to oversee the information security program (ISP) |
| 2 | §314.4(b) | Conduct regular risk assessments | Perform written risk assessments at least annually and whenever operations, systems, or threats materially change |
| 3 | §314.4(c) | Implement required safeguards | Deploy controls such as encryption, MFA, access controls, secure development, logging, and data disposal |
| 4 | §314.4(d) | Test and monitor controls | Perform annual penetration testing and vulnerability assessments at least every six months |
| 5 | §314.4(e) | Security policies and personnel training | Implement written policies and procedures and provide security awareness and role-based training so personnel can operate and enforce the information security program |
| 6 | §314.4(f) | Assess service providers | Evaluate vendor safeguards and include security requirements in contracts |
| 7 | §314.4(g) | Adjust the security program | Periodically review and update safeguards based on testing results, operational changes, and emerging threats |
| 8 | §314.4(h) | Maintain an incident response plan | Document and test response procedures for security events affecting customer information |
| 9 | §314.4(i) | Report to the board annually | Provide a written report from the Qualified Individual describing program status and risks |
| 10 | §314.4(j) | Notify the FTC of certain security events | Report qualifying breaches involving 500+ consumers to the FTC within 30 days |
For full compliance requirements, see the GLBA compliance guide. For a step-by-step risk assessment process, see the GLBA risk assessment guide. Or, access the GLBA Safeguards Rule Requirements Crosswalk to map Safeguards Rule elements to other frameworks.
How to Simplify GLBA Compliance
Every enforcement example in this guide follows the same pattern: the institution lacked structured, defensible evidence that safeguards were in place. Isora GRC is the GRC Assessment Platform that gives security teams one connected workspace to run assessments, manage vendors and assets, track risks, and prove compliance — closing the gaps that trigger enforcement.
Assessment Management
Organize, distribute, and track GLBA risk assessments across departments, systems, and vendors from one place. Group assessments by Safeguards Rule element or compliance goal so multi-framework programs do not require separate tracking systems. Findings flow directly into the risk register with full lineage from questionnaire to control to framework, eliminating the manual assembly that makes evidence indefensible.
Inventory Management
Maintain a complete, current record of vendors, IT assets, and applications linked directly to assessments and risk findings. Inventory stays current because it is updated through the assessment workflow itself, not maintained as a separate task. When a regulator asks which third parties handle consumer financial data — the exact question at the center of the Ascension enforcement action — the answer is a filter query against live data, not a research project.
Reports & Scorecards
Assessment results automatically score and visualize without manual formatting or compilation. Compare performance across departments, vendors, or Safeguards Rule elements in a single view to identify where attention is needed. Board and leadership reporting — including the Qualified Individual’s annual report required under §314.4(i) — becomes a real-time export rather than a quarterly project.
Key Takeaways
GLBA penalties are severe: up to $100,000 per violation for institutions, $10,000 per violation plus up to 5 years imprisonment for individuals. Multiple agencies enforce GLBA depending on institution type, and the FTC has significantly increased enforcement activity since the 2023 Safeguards Rule updates took effect. The best defense is a comprehensive compliance program addressing all 10 Safeguards Rule elements.
For a complete overview of the Gramm-Leach-Bliley Act, see our What Is GLBA? guide. For a step-by-step compliance process, see our GLBA compliance guide.
GLBA Penalties and Enforcement FAQs
What are the penalties for GLBA violations?
Financial institutions face civil penalties up to $100,000 per violation, with each day of a continuing violation constituting a separate offense. Individual officers and directors can be fined up to $10,000 per violation and face up to 5 years of imprisonment for willful violations. The FTC also imposes consent orders requiring compliance monitoring for 10 to 20 years.
Who enforces the Gramm-Leach-Bliley Act?
GLBA is enforced by the Federal Trade Commission (FTC) for non-bank financial institutions including higher education. Federal banking regulators include the Office of the Comptroller of the Currency (OCC) for national banks, the Federal Deposit Insurance Corporation (FDIC) for state-chartered non-Fed banks, the Federal Reserve Board for state-chartered Fed banks, and the National Credit Union Administration (NCUA) for credit unions. State attorneys general handle consumer protection enforcement, and state insurance commissioners oversee insurance companies.
Can individuals be held personally liable for GLBA violations?
Yes. GLBA creates personal liability for officers, directors, and employees who knowingly and willfully authorize or participate in violations. Individual penalties include fines up to $10,000 per violation and imprisonment up to 5 years. For example, an IT director who knowingly approves the use of an unencrypted system to store customer financial data, despite being aware of the Safeguards Rule requirement, could face personal criminal liability, not just the institution.
What are examples of GLBA enforcement actions?
The FTC has taken enforcement action against organizations for failing to implement a written information security program, skipping or inadequately documenting risk assessments, storing customer data without encryption, failing to enforce multi-factor authentication, maintaining weak access controls, and not monitoring or vetting third-party service providers. In most cases, outcomes included long-term consent orders requiring independent security audits and full program remediation.
How much can the FTC fine a company for GLBA non-compliance?
The FTC can impose civil penalties up to $100,000 per violation for financial institutions. Because each day of a continuing violation can constitute a separate offense, total penalties for systemic failures can accumulate to millions of dollars.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.