Skip to Content
Colin Taggart Emily Fletcher
November 21, 2019 Article 3 min read
You may not define your company as a financial institution, but the FTC may regarding the GLBA Safeguards Rule and the Privacy Rule. We discuss the released updates and what can be a complex road to compliance.
Three people looking at a computer screen

The Federal Trade Commission (FTC) proposed updates to the GLBA Safeguards Rule and the Privacy Rule in April 2019, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. In March, the FTC announced that it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule as well as the Privacy Rule. As a result of the comments, the definition of financial institutions was clarified. That’s good news for financial institutions under the supervision of the FDIC, the OCC, the Federal Reserve, and the NCUA, such as community banks and credit unions. These new guidelines may not directly apply to you.

What types of companies must comply with the Safeguards Rule?

The definition of “financial institution” includes many businesses that typically don’t describe themselves that way, such as check-cashing companies, payday lenders, mortgage brokers, nonbank lenders, personal property, real estate appraisers, professional tax preparers, and courier services. The updates to both rules will expand the definition of financial institution to specifically include “finders.” Also, the Safeguards Rule applies to credit reporting agencies and ATM operators that receive information about the customers of other financial institutions as well as fintech companies, educational institutions, auto dealers, and accounting firms completing tax returns, to name a few.

Companies included by the Rule are responsible for ensuring that their affiliates and service providers safeguard customer information in their care.

How will these updates affect you?

The impacts of these proposals may vary based on the size of a financial institution and the maturity of its information security controls. The current proposed due date for these requirements would be six months after publication of the final rule. There has been no indication from the FTC of final rule updates.

Organizations newly brought into scope of the Safeguards and Privacy Rules may be at a loss for controls to implement in order to comply with these rules.

For financial institutions with more robust information security programs, the new requirements under the Safeguards Rule are likely already in place. However, six months may be a short period of time to implement these controls, if none are currently in place. Likewise, organizations newly brought into scope of the Safeguards and Privacy Rules may be at a loss for controls to implement in order to comply with these rules. FFIEC endorsed frameworks for cybersecurity may be a useful starting point.

Let’s review the GLBA Safeguards Rule updates:

The updates to the Safeguards Rule will require financial institutions to:

  • Assign the CISO role to only one qualified individual, which can be an employee of the financial institution or an employee of an affiliate or a service provider.
  • Complete a full data inventory, which would require mapping all devices and networks containing customer information.
  • Encrypt all customer data at rest or transmitted over external networks, or CISO signoff, if compensating controls are implemented.
  • Implement multifactor authentication for any individual accessing customer information, or CISO signoff, if compensating controls are implemented.
  • Enact vulnerability management, which includes semiannual vulnerability scanning, along with either effective continuous monitoring or annual penetration testing.

Privacy Rule updates include:

  • Reduced scope of the Rule due to Dodd-Frank Act changes, which primarily consist of removing references that don’t apply to motor vehicle dealers.
  • Financial institutions that meet certain requirements can be eligible for an exception to the general rule requiring the delivery of annual notices.

Information is the first step to compliance:

Concerned about the strength of your cybersecurity controls and compliance?

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. Since companies vary in size and complexity the requirements are flexible. That flexibility can make compliance complex. For assistance in determining your level of compliance with the GLBA and the systems, processes, and procedures necessary to achieve compliance, contact us today.

Looking for expert advice?

Subscribe now