Protecting personal and financial information is critical in today’s digital age. Data has value of its own, and data breaches and cyberattacks are a risk for every business. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) gives financial institutions, including those in the accounts receivable management industry, guidance on how to safeguard customer information.
The existing Safeguards Rule gave financial institutions considerable flexibility and discretion in deciding which safeguards suited their organizations and risks. With the amendments that go into effect on June 9, 2023, financial institutions now have a far more prescriptive recipe for what those safeguards need to be.
What is the Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act, or GLBA, is a federal law that controls how financial institutions collect, store, and transmit consumer information. GLBA was enacted by Congress in 1999; the Federal Trade Commission (FTC) issues and enforces the rules that implement it for institutions under its jurisdiction, and changes to those rules have been anticipated for the last few years.
In October 2021, the FTC announced amendments to the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” and issued a final rule, referred to simply as the “Final Rule.” Originally set to go into effect in 2022, the new requirements now take effect on June 9, 2023. Financial institutions, a designation that has itself been updated, need to prepare for the changes before that date or risk non-compliance and its consequences.
What is the Safeguards Rule?
The amended Safeguards Rule took effect January 10, 2022. Several of its new requirements were first set to take effect December 9, 2022, but in November 2022 the FTC extended that deadline to June 9, 2023, giving financial institutions until then to develop, implement, and maintain a comprehensive information security program.
There are five overarching modifications to the existing Safeguards Rule:
- Provides covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program
- Improves the accountability of these security programs, such as requiring financial institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the program
- Exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors
- Expands the definition of “financial institution” within the scope of the Safeguards Rule – see the expanded definition in the next section below
- Includes several other definitions and related examples in the amended Safeguards Rule itself in an effort to make it more self-contained and to enable readers to understand its requirements without referencing the FTC’s Privacy of Consumer Financial Information Rule
Along with these updates to the Safeguards Rule, let’s examine a few other specifications of the updates.
What are other updates to the Safeguards Rule?
The expanded scope of financial institutions that are subject to the Safeguards Rule is significant. Under the new Final Rule, “financial institutions” now include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, such as:
It is important to note that the Final Rule does not apply to national banks, savings and loan institutions, and federal credit unions, as these institutions are not subject to the FTC’s jurisdiction.
The Final Rule requires these covered financial institutions to comply with specific new requirements, such as:
- Encrypt all customer information, both in transit over external networks and at rest; where encryption is infeasible, the rule allows effective alternative compensating controls instead, but only if the Qualified Individual reviews and approves them in writing
- Implement multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls
- Conduct periodic written risk assessments, and let their results drive the information security program
- Create procedures for evaluating, assessing, or testing the security of externally developed applications used to transmit, access, or store customer information
- Set procedures for secure disposal of customer information no later than two years after the last date it is used in connection with providing a product or service to the customer, unless the information is still needed for business operations, must be retained by law or regulation, or cannot feasibly be targeted for disposal because of how it is stored
- Implement policies, procedures, and controls to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information by such users
- Provide all personnel with security awareness training and information security personnel with training on relevant security risks, and have key information security personnel keep current on changing threats and countermeasures
- Maintain a written incident response plan designed to promptly respond to, and recover from, any security event affecting the confidentiality, integrity, or availability of customer information
- Have the Qualified Individual report in writing, regularly and at least annually, to the organization’s governing body (e.g., the board of directors) on the status of, and material matters concerning, the information security program
- Regularly test or otherwise monitor the effectiveness of the key controls, either through continuous monitoring or through annual penetration testing plus vulnerability assessments at least every six months and whenever there are material changes to operations or business arrangements
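Two of the requirements above, the two-year disposal window with its retention exception and the monitoring of authorized users for misuse, are concrete enough to operationalize. The following is an added example written for this page; it is not code from the article, the FTC, or any vendor. The record inventory, the access-log format, and field names such as `legal_hold` and `owner` are hypothetical, and the sample data is constructed for illustration.

```python
"""Added example: two Safeguards Rule checks over constructed sample data."""
from datetime import date

# --- Two-year disposal rule -------------------------------------------------
# Constructed inventory. "last_used" is the last date the information was used
# to provide a product or service to the customer; "legal_hold" marks records a
# law or regulation requires the institution to retain (hypothetical field).
RECORDS = [
    {"id": "acct-1001", "last_used": date(2020, 3, 1), "legal_hold": False},
    {"id": "acct-1002", "last_used": date(2023, 1, 15), "legal_hold": False},
    {"id": "acct-1003", "last_used": date(2019, 11, 30), "legal_hold": True},
]
TODAY = date(2023, 6, 9)  # the amended rule's effective date, used as "now"


def disposal_deadline(last_used: date) -> date:
    """Two years after the last date the information was used."""
    try:
        return last_used.replace(year=last_used.year + 2)
    except ValueError:  # last_used was Feb 29 and the target year is not a leap year
        return last_used.replace(year=last_used.year + 2, day=28)


def records_due_for_disposal(records, today: date):
    """Ids of records past the two-year window that are not held by law."""
    return [r["id"] for r in records
            if not r["legal_hold"] and today > disposal_deadline(r["last_used"])]


# --- Monitoring authorized users for misuse ---------------------------------
# Constructed access-log lines in a hypothetical format:
#   <ISO timestamp> user=<id> action=<read|update|export> record=<id> owner=<team>
LOG_LINES = """\
2023-06-01T09:12:03 user=collector7 action=read record=acct-2001 owner=teamA
2023-06-01T09:13:10 user=collector7 action=read record=acct-2002 owner=teamB
2023-06-01T09:13:11 user=collector7 action=read record=acct-2003 owner=teamB
2023-06-01T23:40:00 user=collector7 action=export record=acct-2004 owner=teamA
2023-06-01T10:05:44 user=auditor2 action=update record=acct-2005 owner=teamA
""".splitlines()

# Portfolios (owner teams) each user is authorized to work, and the users who
# are permitted to modify or export records at all (auditors are read-only).
AUTHORIZED_TEAMS = {"collector7": {"teamA"}, "auditor2": {"teamA"}}
MODIFY_ALLOWED = {"collector7"}


def parse(line: str) -> dict:
    """Turn one log line into a dict of its key=value fields plus "ts"."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event


def detect_misuse(lines, authorized_teams, modify_allowed):
    """Flag authorized users touching data outside their remit or role."""
    findings = []
    for ev in map(parse, lines):
        user, record = ev["user"], ev["record"]
        if ev["owner"] not in authorized_teams.get(user, set()):
            findings.append((user, "out-of-portfolio-access", record))
        if ev["action"] in ("update", "export") and user not in modify_allowed:
            findings.append((user, "unauthorized-modification", record))
        hour = int(ev["ts"][11:13])
        if ev["action"] == "export" and not 7 <= hour < 19:
            findings.append((user, "after-hours-export", record))
    return findings


if __name__ == "__main__":
    print("due for disposal:", records_due_for_disposal(RECORDS, TODAY))
    for finding in detect_misuse(LOG_LINES, AUTHORIZED_TEAMS, MODIFY_ALLOWED):
        print("finding:", finding)
```

The disposal check deliberately treats a legal hold as overriding the two-year clock, which is the rule's retention exception; in practice the hold reason should be recorded so the annual report to the board can show why the data is still present. The misuse detector is intentionally simple (portfolio mismatch, a read-only role writing or exporting, and after-hours exports), but it shows the shape of the "detect unauthorized use by authorized users" requirement: the logs must carry who touched which record, what they did, and enough context to compare against what they were entitled to do.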
Given the expanded definition of “financial institution,” some newly covered organizations may be unfamiliar with the extent of these requirements, and even those already familiar with GLBA must be ready to comply or face the consequences.
What are the penalties for non-compliance with GLBA?
Whether it’s GLBA, Regulation F, or any of the numerous state laws, companies can face serious penalties for compliance failures—monetary, reputational, and even criminal. When it comes to GLBA, non-compliance penalties include:
Section 505 of GLBA assigns enforcement of the Safeguards Rule, for institutions under the FTC’s jurisdiction, to the FTC, which can investigate whether a security program exists and is actually applied as written, all the more reason to follow the Safeguards Rule’s provisions on self-audits and testing.