Understanding the GLBA Safeguards Rule, 2023 Complete Guide

SaltyCloud Research Team

Published on February 20, 2023  •  Read Time 3 min

Introduction

TL;DR:
The GLBA is a federal regulation to control how financial institutions collect, store and transmit consumer information. Changes are coming to the GLBA, including updates to the Safeguards Rule, which go into effect June 9, 2023. Financial institutions need to prepare for the changes or risk non-compliance.

Cyberattacks on financial institutions continue to grow in frequency and severity. In response to the uptick in cyber threats, governments and industry governing bodies are quickly implementing new regulations and requirements to protect consumers.

One such federal regulation is the Gramm-Leach-Bliley Act (GLBA), a federal law to control how financial institutions collect, store and transmit consumer information.

Although the Federal Trade Commission (FTC) enacted the GLBA in 1999, updates to the regulation are coming in 2023, and financial institutions need to prepare for the changes or risk non-compliance.

This guide covers everything there is to know about the GLBA and, more specifically, the Safeguards Rule, which contains new updates that go into effect June 9, 2023.

With this information, organizations can begin implementing the appropriate measures to comply with the new requirements before the deadline.

What is the Gramm-Leach-Bliley Act (GLBA)?

TL;DR:
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to consumers and safeguard sensitive data. It contains three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions.

Financial institutions offer consumers financial products or services, including loans, investments, financial advice, or insurance.

The GLBA contains three sections:

  • The Financial Privacy Rule regulates the collection and disclosure of private financial information.
  • The Safeguards Rule requires financial institutions to implement security programs to protect customer information.
  • The Pretexting provisions prohibit pretexting or accessing private information under false pretenses.

What is the Safeguards Rule?

TL;DR:
The Safeguards Rule took effect in 2003 and ensures that financial institutions maintain safeguards for protecting the security of customer information. The FTC recently issued final regulations to amend the Safeguards Rule with significant modifications. The effective date for the changes is June 9, 2023.

In this guide, we’ll take a closer look at the Standards for Safeguarding Customer Information (the Safeguards Rule), which took effect in 2003 and ensures that financial institutions maintain safeguards for protecting the security of customer information.

Most recently, the Federal Trade Commission issued final regulations to amend the Safeguards Rule (the Final Rule) in December 2021. The changes expand on existing minimum information security requirements already in place at participating institutions and their third-party service providers.

The Final Rule contains the following significant modifications:

  • It provides additional guidance for financial institutions to develop and implement an information security program.
  • It exempts financial institutions that collect less customer information from specific requirements.
  • It defines various terms and provides examples.

The effective date for the changes is June 9, 2023. Although the FTC has provided additional time to meet these requirements, financial institutions should implement them as soon as possible.

Even if the original Safeguards Rule didn’t cover your organization, your business operations have likely changed significantly in the last few years. As your operations transform, regularly consult the FTC’s definition of a “financial institution” to determine whether your organization is covered.

What are the GLBA Safeguards Rule requirements?

Under the Safeguards Rule, financial institutions and service providers must develop, implement, and maintain a written, comprehensive information security program.

It should contain administrative, technical, and physical safeguards appropriate for the organization’s size and complexity, the nature and scope of activities, and the sensitivity of the information.

The three objectives of the standards for safeguarding customer information are to:

  • Ensure the security and confidentiality of consumer information;
  • Protect against threats or hazards to the security or integrity of that information; and
  • Protect against unauthorized access to or use of that information resulting in harm or inconvenience to any customer.

Who needs to comply with the GLBA Safeguards Rule?

“Financial institutions” must comply with the GLBA Safeguards Rule, but this category includes many more organizations than just banks.

According to the GLBA, a financial institution is any company that offers financial products or services like loans, financial or investment advice, or insurance to consumers.

More specifically, entities required to comply with GLBA include, but are not limited to:

  • Mortgage lenders and mortgage brokers
  • “Payday” lenders
  • Finance companies
  • Account services
  • Check cashers
  • Wire transferors
  • Travel agencies operated in connection with financial services
  • Collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors not required to register with the Securities and Exchange Commission (SEC)
  • Finders, or companies that bring together buyers and sellers, and then the parties themselves negotiate and consummate the transaction

If you are still determining whether or not your business is considered a financial institution under GLBA, see 16 CFR 314.2 (h). Additionally, if your organization maintains customer information for fewer than 5,000 customers, you may be exempt from certain provisions.

Whom does the GLBA Safeguards Rule protect?

The Safeguards Rule protects “customer information,” or information obtained from providing a financial service to a consumer, past or present.

The security and privacy benefits of the GLBA Safeguards Rule for customers include:

  • Protection of private information from unauthorized access
  • Notification of private information sharing between financial institutions and third parties with the ability to opt out
  • Tracking of user activity, including attempts to access protected records.

GLBA compliance also puts financial institutions at lower risk of reputational damages or financial penalties caused by the loss or unauthorized sharing of private consumer data. Companies that are compliant with the GLBA Safeguards Rule are better positioned to strengthen customer trust and reliability by assuring consumers that their private information is safe and secure.

What happens if I’m not GLBA compliant?

If a GLBA non-compliance allegation is proven, the ramifications can be business-altering, and in some cases, life-altering.

GLBA non-compliance penalties include:

  • Fines of USD$100,000 per violation for financial institutions found in violation
  • Fines of USD$100,000 per violation for individuals found in violation
  • Criminal penalties including imprisonment for up to 5 years for individuals found in violation

Here are some past examples of GLBA non-compliance allegations:

  • In 2004, the FTC enforced the GLBA Safeguards Rule against a number of mortgage companies that failed to protect customers’ personal information. The settlement barred future violations of the Safeguards Rule and required biennial audits of the companies’ information security programs by a qualified, independent professional for 10 years.
  • In 2018, the FTC announced a settlement with PayPal, Inc., operating as Venmo, following allegations around the app’s disclosures to consumers about funds availability, its privacy practices, and its data security practices. As part of the settlement, Venmo is prohibited from violating the Privacy Rule and the Safeguards Rule and is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.
  • In 2020, the FTC alleged that Mortgage Solutions FCS, doing business as Mount Diablo Lending, violated the Fair Credit Reporting Act and other laws by revealing personal information about consumers in response to negative reviews posted on Yelp. The company agreed to pay USD$120,000 to settle the case.

How to implement the GLBA Safeguards Rule

Affected financial institutions should coordinate with leadership and the appropriate staff to implement the updated requirements by June 9, 2023.

Best practices for GLBA compliance center on expanding and tightening consumer data privacy safeguards and restrictions. For financial institutions and IT professionals, the main focus is to secure and protect the confidentiality of customers’ private and financial information.

Achieving and maintaining GLBA compliance is paramount for every financial institution; violations are both costly and detrimental to operations. By taking steps toward GLBA compliance, organizations can benefit from improved security, avoid penalties, and increase customer trust and loyalty.

For additional guidance, organizations can reference a new publication from the FTC entitled “FTC Safeguards Rule: What Your Business Needs to Know.”

Steps to implementing the GLBA Safeguards Rule

TL;DR:
Take these following 9 steps to implement the GLBA Safeguards Rule at your organization: 1) Designate a qualified individual to implement and supervise the information security program; 2) Conduct a risk assessment; 3) Design and implement safeguards to control the risks identified in the risk assessment; 4) Regularly monitor and test safeguards; 5) Train staff; 6) Monitor service providers; 7) Keep the information security program current; 8) Create a written incident response plan; and 9) Require the Qualified Individual to report to the Board of Directors regularly.

Designate a qualified individual to implement and supervise the information security program.

This person can be an employee or someone who works for an affiliate or service provider. While they don’t need a particular degree or title, they need the real-world know-how best suited to your organization’s circumstances. No matter whom you choose, your company is responsible for designating a senior employee to supervise that person.

Conduct a risk assessment.

You can’t create an effective information security program until you identify what information you have and where it’s stored. Conduct a thorough IT inventory and then conduct a risk assessment to determine foreseeable internal and external threats to customer information security, confidentiality, and integrity.

Your risk assessment can be based on any security framework, but it must be written and include criteria for evaluating risks and threats. Some common security frameworks for risk assessments include ISO 27001, CIS, NIST CSF, NIST SP 800-53, and NIST 800-171.

The Safeguards Rule is not prescriptive, but it does require organizations to adhere to an established standard. Although there is no single, universal security framework for conducting risk assessments under the Safeguards Rule, there will be a framework that is best suited for your organization.

As you conduct your risk assessment, consider how customer information might be disclosed without authorization, misused, altered, or destroyed. Since the risks to information constantly change, the Safeguards Rule also requires you to conduct regular reassessments in response to business operations changes or the emergence of new threats.

Design and implement safeguards to control the risks identified in the risk assessment.

The Safeguards Rule requires a risk assessment against a specific security framework, but it also requires that those identified risks have a safeguard (or a remediation) in place. Essentially, you must put in writing what your organization is doing to mitigate any identified risks.

Here are the safeguards required to be in place under the Safeguards Rule:

  • Implement and periodically review access controls: First, determine who has access to customer information. Then, regularly check whether they still have a legitimate business need for access to it.
  • Know what you have and where it’s stored: Understanding your company’s information ecosystem is fundamental. Conduct a periodic data inventory and note where data is collected, stored, or transmitted. Maintain an accurate, up-to-date list of all IT systems, devices, platforms, and personnel. Create safeguards that enable you to respond with resilience.
  • Encrypt customer information: Encrypt customer information both at rest on your systems and in transit. Where encryption is not feasible, secure the information with adequate alternative controls.
  • Assess applications: Implement procedures for evaluating the security of in-house and third-party apps that store, access, or transmit customer information.
  • Implement multi-factor authentication: The Safeguards Rule requires at least two of the following authentication factors:
    • A knowledge factor (e.g., a password)
    • A possession factor (e.g., a token)
    • An inherence factor (e.g., biometric characteristics)
    • Another equivalent form of secure access controls
  • Dispose of customer information securely: Dispose of customer information no later than two years after its most recent use. The only exceptions are if you have a legitimate business need or legal requirement to keep it, or if targeted disposal isn’t feasible.
  • Anticipate and evaluate changes: Changes to your information system or network can impair existing security measures. Since systems and networks often change to accommodate new business processes, your safeguards should be equally dynamic.
  • Maintain an activity log: Monitor when authorized users access customer information on your systems and implement procedures and controls to detect unauthorized access.

Regularly monitor and test safeguards.

Periodically test your procedures for detecting actual and attempted cyberattacks. You can accomplish testing through continuous monitoring of information systems. Otherwise, you must conduct annual penetration testing and twice-annual vulnerability assessments, including system-wide scans designed to test for publicly known security vulnerabilities.

Additionally, you must test whenever material changes to your operations or business arrangements occur or whenever there are circumstances that may have a material impact on your information security program.
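The access-review and activity-log items in the safeguards list above, together with the detection testing described here, as an added Python example that is not the article's or SaltyCloud's own code: it checks constructed access-log lines against a constructed entitlement register, flagging access with no documented business need, access under an entitlement whose review has lapsed (the 90-day review window and the log format are assumptions), and entitlements never exercised, which are candidates for removal.

```python
# Added example, not code from the article or from SaltyCloud/Isora GRC:
# checks constructed access-log lines against a constructed entitlement register.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review cadence for access entitlements; the rule sets no fixed number.
REVIEW_WINDOW = timedelta(days=90)
AS_OF = date(2023, 2, 20)  # constructed "today" for the review run


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str          # system that stores or transmits customer information
    reason: str          # documented business need for the access
    last_reviewed: date  # when that need was last confirmed


# Constructed entitlement register: who may access customer information, and why.
ENTITLEMENTS = [
    Entitlement("alice", "loan-db", "loan underwriting", date(2023, 1, 15)),
    Entitlement("bob", "loan-db", "collections", date(2022, 6, 1)),
    Entitlement("carol", "crm", "customer support", date(2023, 2, 1)),
    Entitlement("erin", "crm", "marketing analytics", date(2023, 2, 10)),
]

# Constructed activity log, one "<timestamp> <user> <system> <record> <action>" per line.
LOG_LINES = """\
2023-02-20T09:01:10Z alice loan-db cust-1042 read
2023-02-20T09:05:44Z bob loan-db cust-2210 read
2023-02-20T10:12:03Z dave loan-db cust-1042 read
2023-02-20T10:30:00Z carol loan-db cust-3301 export
2023-02-20T11:00:00Z carol crm cust-3301 read
"""


def parse_log(text):
    """Parse the log format above into (timestamp, user, system, record, action) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def review_access(events, entitlements, as_of):
    """Flag accesses with no documented business need ("unauthorized") or whose
    entitlement review is older than REVIEW_WINDOW ("stale-review")."""
    index = {(e.user, e.system): e for e in entitlements}
    findings = []
    for _ts, user, system, record, _action in events:
        ent = index.get((user, system))
        if ent is None:
            findings.append(("unauthorized", user, system, record))
        elif as_of - ent.last_reviewed > REVIEW_WINDOW:
            findings.append(("stale-review", user, system, record))
    return findings


def unused_entitlements(events, entitlements):
    """Entitlements never exercised in the log: candidates for removal at review."""
    used = {(user, system) for _, user, system, _, _ in events}
    return [e for e in entitlements if (e.user, e.system) not in used]
```

Running `review_access(parse_log(LOG_LINES), ENTITLEMENTS, AS_OF)` on the sample data reports bob's stale review and the two accesses (dave, and carol on loan-db) with no entitlement, while `unused_entitlements` surfaces erin's unexercised access.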

Train staff.

A comprehensive information security program is only as effective as its least vigilant staff members. However, employees trained to identify risks can enhance the program’s impact.

Provide your staff with security awareness training and regular refreshers. Require specialized training for the employees, affiliates, and service providers responsible for maintaining your security program, and ensure they stay abreast of emerging threats and countermeasures.

Monitor service providers.

Consider selecting service providers with the necessary skills and experience to implement and maintain the appropriate safeguards. Your contracts should spell out your expectations, create ways to monitor the service provider’s work, and require periodic reassessments of their suitability for the role.

Keep the information security program current.

Change is the only constant in information security. The best information security programs are flexible enough to accommodate periodic modifications and address relevant security risks.

Create a written incident response plan.

Every organization needs a response and recovery plan for a security event or an incident that results in unauthorized access to or misuse of information stored on its systems or in physical form.

Your incident response plan must cover the following:

  • The goals of your plan
  • The internal processes you will activate in response to a security event
  • Clear roles, responsibilities, and levels of decision-making authority
  • Communications and information sharing both inside and outside your company
  • A process to fix any identified weaknesses in your systems and controls
  • Procedures for documenting and reporting security events and your company’s response
  • A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned

Require the Qualified Individual to report to the Board of Directors regularly.

The Qualified Individual assigned to implement and supervise your information security program must regularly report in writing to your Board of Directors or governing body, at least annually.

The report should address the following:

  • An overall assessment of your company’s compliance with its information security program
  • Specific topics related to the program, including risk assessments, risk management, and control decisions, service provider arrangements, test results, security events and responses, and recommendations for changes to the information security program

How Isora GRC from SaltyCloud can help with GLBA compliance

TL;DR:
Isora GRC from SaltyCloud helps financial institutions manage and prove compliance with the GLBA Safeguards Rule on a single, end-to-end assessment platform.

Complying with new GLBA requirements may seem daunting. Fortunately, a lightweight governance, risk, and compliance (GRC) solution can help.

Isora GRC from SaltyCloud helps financial institutions manage and prove compliance with the GLBA Safeguards Rule on a single, end-to-end assessment platform. With Isora GRC, organizations can:

  • Conduct a risk assessment using preloaded cybersecurity frameworks.
  • Collect, store, and document safeguards for any identified risks.
  • Identify compliance gaps and work towards mitigation before an official audit with our GLBA Pre-Audit Assessment.
  • Conduct follow-up assessments to measure and document improvements in compliance programs.
  • Access in-app score and gap analysis dashboards for GLBA compliance and export assessment data into audit-ready evidentiary reports.

SaltyCloud works with dozens of institutions to help them manage cybersecurity risk, demonstrate regulatory compliance, manage vendor risk, and ace their GLBA audit, saving them valuable time and resources.

Learn more about how Isora GRC helps with GLBA Safeguards Rule compliance.
