New Updates to the GLBA Safeguards Rule
The Gramm-Leach-Bliley Act deals with protecting the financial information of consumers. This law was enacted specifically to deal with financial organizations and the way they handle the financial and personal information of their clientele.
One of the main components under the GLBA is the Safeguards Rule. The FTC recently announced that they will be amending the Safeguards Rule and adding some updates. In this guide, we’ll break down what these changes entail and what they mean for those who fall under the law.
Understanding What The Gramm Leach Bliley Act Is
The Gramm-Leach-Bliley Act (commonly known as the GLBA) is a US Federal sectoral law requiring financial institutions to preserve their customers' personal information and keep them informed about where that information is shared.
The GLBA Financial Privacy Rule and the GLBA Safeguards Rule are two major regulations related to the GLBA that put important requirements on financial institutions (and other organizations) to preserve and maintain the privacy of their clients and consumers. In this blog, we'll solely discuss the Safeguards Rule in the context of detailing the GLBA's latest modifications.
What is the Safeguards Rule?
Financial institutions are responsible for safeguarding the personal information of clients entrusted to their care. Many firms that would not ordinarily define themselves as such fall under the category of a " financial institution." According to the FTC, the regulation applies to any organizations that are "significantly engaged" in providing financial goods or services, regardless of size. For the usage, access, collection, distribution, processing, protection, storage, use, transfer, destruction, or other treatment of customer information, covered companies must establish administrative, technological, or physical safeguards.
Under the GLBA Safeguards Rule, a documented security strategy must be in place that takes into account the covered entity's size and complexity, as well as the nature and extent of its operations and the sensitivity of the customer information it manages.
Covered organizations have the freedom to adopt measures that are tailored to their specific needs, but each firm must appoint one or more people to oversee its information security program. They must also identify and analyze the risks to consumer data in each relevant part of the business, as well as examine the efficacy of the present measures in place to mitigate these risks. Covered entities must also develop and execute a safeguards program, which must be monitored and tested on a regular basis. They also must partner with service providers that can maintain proper security and establish a contract with that partner that ensures they will uphold their side of this deal, and monitor how they handle consumer data.
The Safeguards Rule compels businesses to examine and handle consumer information security risks in all areas of their operations, including three areas that are particularly critical to information security, such as staff management, training, and information systems.
A financial institution is required to perform assessments to identify reasonably anticipated internal and external threats to the security, confidentiality, and integrity of client information under the GLBA Safeguards regulation.
A Financial Institution must also maintain control over service providers by taking reasonable measures to choose and retain service providers who are capable of maintaining suitable protections for the consumer information in question.
Recent FTC Updates to the Safeguards Rule
The Federal Trade Commission announced substantial changes to its Safeguards Rule on October 27, 2021. The Safeguards Rule, which was enacted in 2002 as part of the Gramm-Leach-Bliley Act, requires covered financial institutions to establish, execute, and maintain a comprehensive information security program that meets the Rule's standards. This new revision took effect in January 2022.
They are calling this new revision the "Final Rule”. The Final Rule alters the Safeguards Rule in five major areas, including the addition of the following provisions:
- The Final Rule includes additional information on establishing and implementing certain parts of an information security program.
- Under the new rules, financial institutions will be required to report on their information security program on a regular basis to their boards of directors or governing bodies.
- According to the amendment, financial institutions that gather information from less than a specific number of consumers are excluded from some Safeguards Rule obligations.
- The change broadens the definition of "financial institution" to encompass businesses engaged in activities deemed ancillary to financial operations by the Federal Reserve Board.
- The update will explain essential words and offer pertinent instances within the Safeguards Rule itself.
The Final Rule outlines the criteria that financial institutions must consider when conducting risk assessments, as well as the requirement that such evaluations be written. The Final Rule also mandates the implementation of particular protections by covered financial institutions.
Who Oversees GLBA Compliance?
Another major focus of the upgrade is accountability. Unlike the current Safeguards Rule, which mandates that covered financial institutions designate one or more employees to coordinate their information security program, the Final Rule mandates that financial institutions designate a single qualified individual to oversee, implement, and enforce their information security program.
While a previous version of the Final Rule referred to this person as the Chief Information Security Officer, the Final Rule does not specify any specific level of experience, education, or compensation for this person, nor does it mandate any specific duties other than overseeing the financial institution's information security program and complying with the Final Rule's other requirements.
GLBA’s Definition of Financial Institutions
The Final Rule broadens the definition of "financial institution" to encompass businesses engaging in activities deemed ancillary to financial operations by the Federal Reserve Board, bringing the FTC's Safeguards Rule in line with other federal agencies' safeguards regulations. Financial institutions with fewer than 5,000 clients are exempt from the Final Rule's written risk assessment, incident response plan, and annual reporting requirements.
Instead of integrating such words by reference from the FTC's related Privacy of Consumer Financial Information Rule, the Final Rule defines many terminologies and gives relevant examples in the Safeguards Rule itself.