After originally taking effect in 2003, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which outlines how certain “covered financial institutions” should be protecting customer information, was amended by the FTC in 2021 to help ensure that the rule continues to be aligned with rapidly evolving technologies, and to provide concrete principles and data security measures that all covered entities need to implement. However, due to the economic impact of the COVID-19 pandemic, a shortage of qualified information security personnel, and supply chain issues impacting the procurement of technology necessary to support compliance, the FTC delayed the effective date of eight subsections of the amended rule from December 2022 to June 9, 2023.

With the June 9 deadline having now passed, it’s imperative that organizations review their strategies to confirm that they are compliant with the additional requirements. The amendments authorize the FTC to impose fines and penalties for non-compliance, as well as to enforce other financial penalties for deceptive practices.

Which institutions are affected

The categories of organizations affected by this rule include, but are not limited to, banking and financial institutions. Some organizations may not consider themselves to be financial institutions and may not realize they are subject to this new regulatory landscape.

The rule applies to organizations referred to as “covered financial institutions,” organizations that while not “traditional financial institutions” are still significantly engaged in providing financial products or services. Examples of these include colleges, universities, and other higher education organizations that administer federal student aid programs. This may also include – depending on the products or services provided – mortgage brokers, check-cashing businesses, payday lenders, non-bank lenders, collection agencies, professional tax preparers,  personal property or real estate appraisers, and investment advisors that are not required to register with the Securities and Exchange Commission (SEC), among others. There is no minimum size for an organization to be subject to the rule.

This is not an exhaustive list, but if you fall into any of those categories, you may be required to comply – which means that you will need to develop, implement, and maintain a comprehensive security program to keep your customers’ information safe.

What is included in the amendments

As outlined by the FTC, the newly effective amendments require organizations to:

• Designate a qualified individual to oversee their information security program
• Develop a written risk assessment
• Limit and monitor who can access sensitive customer information
• Encrypt all sensitive information
• Train security personnel
• Develop an incident response plan
• Periodically assess the security practices of service providers

• Implement multi-factor authentication, or another method with equivalent protection, for any individual accessing customer information

While the amended rule imposes additional requirements and presents implementation complexities, it also provides covered entities with more detailed guidance regarding how to develop and implement specific aspects of their overall security program. The rule can be summarized into three main focus areas:

• Ensure the security of customer information
• Implement safeguards against anticipated threats to customer information
• Prevent unauthorized access to information systems or technology that store customer information

What now?

Compliance can be difficult to achieve, and there is no shortcut around the time and resources needed to get there. 

If you haven’t already, the key is to start small and fast, by implementing simple and affordable tools that apply to your workforce. 

The first step in completing items on your FTC Safeguard Checklist is performing a gap assessment between your current state and the new compliance requirements. This will help you identify the exact scope of what needs to be done, and yield a detailed step-by-step roadmap for achieving compliance and maintaining it for years to come.

Due to the abnormal labor market trends of the past few years, covered organizations may be facing difficulties with maintaining the in-house expertise and bandwidth needed to cross the finish line to being compliant. It might make sense to look for a trusted third party with specific expertise and a proven track record of successfully guiding organizations through the necessary changes. 

History has shown us that just one data breach is enough to permanently damage an organization’s reputation, destroy trust in a recognized brand name, and damage relationships with customers, suppliers, and other affiliates. Complying with the new FTC GLBA amendments will not only help safeguard you from fines, but also help protect your and your clients’ data – and reputations. 

Contact

Thomas McDermott, CISA, CRISC, CGEIT, Principal, Cybersecurity, Technology Risk and Privacy

973.364.7836

Karla Barreto, Manager, Cybersecurity, Technology Risk and Privacy

973.364.7750