- Don’t gloss over the Federal Trade Commission’s updated Safeguards Rule just because you’re not a bank or credit union.
- Under GLBA, “financial institutions” is defined in broad context — and it can impact organizations across many industries.
- Check your data handling practices ahead of the December deadline, to help keep customer information confidential and secure and get in compliance.
Do your customer information protection practices need review?
Protecting customers’ personal information isn’t just good business, it’s often a requirement. Now, an updated rule may mean some financial institutions need to review their security and handling practices — and the definition for “financial institution” may come as a surprise for many organizations across industries.
Is your organization prepared to navigate these complex decisions by the December deadline? Read on to get the important details.
What is the Safeguards Rule?
Under the Gramm-Leach-Bliley Act (GLBA), organizations defined as “financial institutions” must keep customer information secure and confidential. The Safeguards Rule, one of three sections of the GLBA, was updated December 9, 2021. With this update, the Federal Trade Commission (FTC) notes that an organization “engaging in an activity that is financial in nature or incidental to such financial activities” is considered a “financial institution” and must comply.
Key changes to the Safeguards Rule will take effect December 6, 2022.
Who must comply with the Safeguards Rule?
Consider these examples of organizations deemed to be “financial institutions” under the Safeguards Rule:
- Retailers extending a credit card
- Dealerships leasing a car long term — longer than 90 days
- Organizations appraising real estate or personal property
- Counselors helping individuals associated with a financial institution
- Businesses printing and selling checks on behalf of customers or wiring money
- Businesses engaging in cash checking services
- Income tax return preparers
- Travel agencies
- Real estate settlement services
- Mortgage brokers
- Colleges and universities accepting Title IV funds
What requirements do you need to be aware of?
Effective December 6, 2022, organizations classified as “financial institutions” must implement the following security practices and then review, and periodically update formal policies and procedures, including:
- Designating a qualified individual to oversee the information security program
- Developing, implementing, and maintaining a written information security program
- Completing a written information security risk assessment
- Design and implement safeguards to control the risks you identify through risk assessment
- Establishing continuous monitoring of information systems
- Engaging third-party penetration testing and vulnerability assessments
- Conducting security awareness training
- Assessing third-party service providers periodically
- Establishing a written information incident response program
- Providing the board or respective group with a written report periodically and at least annually from the qualified individual
Specific controls requirements regarding the implementation of safeguards include:
- Implementing and reviewing access control
- Inventorying the systems that handle customer information
- Identifying and managing data based on risk
- Encrypting data both in transit and at rest
- Securing software development practices
- Requiring the use of multifactor authentication for those accessing the information systems
- Establishing secure procedures for disposing data
- Developing change management procedures
- Implementing logging and monitoring procedures
While these elements must be implemented as part of your information security program, the revised rule is flexible enough to cover large and small “financial institutions” alike. Your specific safeguards must be appropriate for:
- The size and complexity of your organization and its operations
- The nature and scope of your activities involving customer information
- The sensitivity of the customer information you handle
That means you are permitted to implement different programs based upon the scope of your own operations and your assessment of security risks.
What can happen if you’re not compliant?
There are potential penalties for noncompliance with the Safeguards Rule, and penalties for not complying could be of a financial or nonfinancial nature. There is a maximum charge of $46,517 per consent order violation.
How can CLA help?
Getting in compliance with the new requirements could be a heavy undertaking. Depending on the sophistication and maturity of your personnel and security infrastructure, you may need a comprehensive diagnostic assessment to evaluate compliance. Some requirements may need to be implemented once with ongoing maintenance, while others may require recurring assessments such as penetration tests, risk assessments, and training.
CLA’s cybersecurity and data privacy team has years of experience providing guidance in developing policies, procedures, and assessments as well as helping organizations identify gaps in the existing ones. Please contact us to learn how CLA can help with your GLBA Safeguards Rule gap assessment and remediation consulting.