What is the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA) was a regulation passed by Congress in 1999 to update and modernize the financial industry. One component of the GLBA, its Safeguards Rule, requires financial institutions to establish measures to keep their customers’ private information secure.
On December 9, 2022, certain specifications of the Federal Trade Commission’s amendments to the GLBA’s Safeguards Rule become effective. Under the FTC’s new amendments to the Safeguards Rule, organizations that bring together buyers and sellers of a product or service are now governed by the Safeguards Rule and must comply with its heightened data protection requirements.
Who must comply with the Safeguards Rule?
The following are examples of organizations considered to be “financial institutions” under the Safeguards Rule:
- Retailers extending a credit card
- Dealerships leasing a car long term — longer than 90 days
- Organizations appraising real estate or personal property
- Counselors helping individuals associated with a financial institution
- Businesses printing and selling checks on behalf of customers or wiring money
- Businesses engaging in check cashing services
- Income tax return preparers
- Travel agencies
- Real estate settlement services
- Mortgage brokers
- Colleges and universities accepting Title IV funds
What requirements do you need to be aware of?
Effective December 9, 2022, organizations classified as “financial institutions” must implement the following security practices, then review and periodically update formal policies and procedures, including:
- Designating a qualified individual to oversee the information security program
- Developing, implementing, and maintaining a written information security program
- Completing a written information security risk assessment
- Designing and implementing safeguards to control the risks you identify through risk assessment
- Establishing continuous monitoring of information systems
- Engaging third-party penetration testing and vulnerability assessments
- Conducting security awareness training
- Assessing third-party service providers periodically
- Establishing a written information incident response program
- Providing the board or respective group with a written report periodically and at least annually from the qualified individual
Specific control requirements regarding the implementation of safeguards include:
- Implementing and reviewing access control
- Inventorying the systems that handle customer information
- Identifying and managing data based on risk
- Encrypting data both in transit and at rest
- Securing software development practices
- Requiring the use of multifactor authentication for those accessing the information systems
- Establishing secure procedures for disposing of data
- Developing change management procedures
- Implementing logging and monitoring procedures
While these elements must be implemented as part of your information security program, the revised rule is flexible enough to cover large and small "financial institutions" alike. Your specific safeguards must be appropriate for:
- The size and complexity of your organization and its operations
- The nature and scope of your activities involving customer information
- The sensitivity of the customer information you handle
That means you are permitted to implement different programs based upon the scope of your own operations and your assessment of security risks.
What can happen if you are not compliant?
The following is a list of potential penalties for noncompliance with the Safeguards Rule:
- Fines and penalties: Varying depending on the severity of non-compliance and the regulatory body governing the issue.
- Lawsuits: Stakeholders including customers, employees, vendors, and other affected parties might decide to file a lawsuit to collect damages.
- Regulatory scrutiny: Offending businesses can be subjected to costly regulatory audits for years to come.
- Imprisonment: In the worst cases of non-compliance, business owners, directors, and executives could go to prison for criminal negligence.
How Hammer IT Consulting Can Help
Getting into compliance with the new requirements could be a substantial undertaking. Depending on the sophistication and maturity of your personnel and security infrastructure, you may need a comprehensive diagnostic assessment to evaluate compliance. Some requirements may need to be implemented once with ongoing maintenance, while others may require recurring assessments such as penetration tests, risk assessments, and training.
We offer Regulatory Compliance Services that protect your customer data and keep you audit-ready by ensuring that you are one step ahead of industry requirements and mandates. Our cybersecurity team has years of experience providing guidance in developing policies, procedures, and assessments as well as helping organizations identify gaps in the existing ones. Contact us today to learn how we can help with your GLBA Safeguards Rule gap assessment and remediation consulting.