Gramm-Leach-Bliley Act - Safeguards Rule Update
- Kadian Douglas
- Jun 1, 2022
- 2 min read
Under the Gramm-Leach-Bliley Act, organizations defined as “financial institutions” must keep customer information secure and confidential. The Safeguards Rule, one of three sections of the GLBA, was updated Dec. 9, 2021. With this update, the Federal Trade Commission notes that an organization “engaging in an activity that is financial in nature or incidental to such financial activities” is considered a “financial institution” and must comply.
Key changes to the Safeguards Rule are slated to take effect Dec. 6, 2022.
Who must comply with the Safeguards Rule?
The following are examples of organizations deemed to be “financial institutions” under the Safeguards Rule:
- Retailers extending a credit card
- Dealerships leasing a car long term — longer than 90 days
- Organizations appraising real estate or personal property
- Counselors helping individuals associated with a financial institution
- Businesses printing and selling checks on behalf of customers or wiring money
- Businesses engaging in check cashing services
- Income tax return preparers
- Travel agencies
- Real estate settlement services
- Mortgage brokers
- Colleges and universities accepting Title IV funds
Effective Dec. 6, 2022, organizations classified as “financial institutions” must implement security practices and then review and periodically update formal policies and procedures, including:
- Designating a qualified individual to oversee the information security program
- Developing, implementing, and maintaining a written information security program
- Completing a written information security risk assessment
- Designing and implementing safeguards to control the risks identified through the risk assessment
- Establishing continuous monitoring of information systems
- Engaging third-party penetration testing and vulnerability assessments
- Conducting security awareness training
- Assessing third-party service providers periodically
- Establishing a written information incident response program
- Providing the board or respective group with a written report from the qualified individual periodically, and at least annually
Specific control requirements regarding the implementation of safeguards include:
- Implementing and reviewing access controls
- Inventorying the systems that handle customer information
- Identifying and managing data based on risk
- Encrypting data both in transit and at rest
- Securing software development practices
- Requiring the use of multifactor authentication for those accessing the information systems
- Establishing secure procedures for disposing of data
- Developing change management procedures
- Implementing logging and monitoring procedures
While these elements must be implemented as part of an information security program, the revised rule is flexible enough to cover large and small “financial institutions” alike. Specific safeguards must be appropriate for:
- The size and complexity of an organization and its operations
- The nature and scope of activities involving customer information
- The sensitivity of the customer information handled by the organization
That means organizations classified as financial institutions are permitted to implement different programs based on the scope of their operations and assessment of security risks.
Noncompliance with the Safeguards Rule carries potential penalties, which may be financial or nonfinancial in nature. There is a maximum charge of $46,517 per consent order violation.
Getting in compliance with the new requirements could be a heavy undertaking. Depending on the sophistication and maturity of an organization’s personnel and security infrastructure, a comprehensive diagnostic assessment to evaluate compliance may be necessary. Some requirements may need to be implemented once with ongoing maintenance, while others may require recurring assessments such as penetration tests, risk assessments, and training.