FTC Safeguards Rule Amendments

The Federal Trade Commission’s (FTC) final rule that amended the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) became effective on January 10.

The final rule expanded many definitions, including what is considered a “financial institution”, and added provisions concerning accountability and the development and implementation of information security systems.

“As a practical matter, the amendments will likely require many financial institutions to revisit and revise their policies and procedures, including, for example, in the areas of risk assessments, vendor oversight, and incident response plans.” (JDSUPRA).

The Safeguards Rule was originally implemented in 2003. After public comment indicated that it needed updating, the FTC amended the rule in 2021 to reflect developments in technology.

“The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.”  (FTC).

The final rule broadened the definition of a financial institution to include “traditional banking functions, making, acquiring, brokering, or servicing loans or other extensions of credit, real estate and personal property appraising, collection agency services, credit bureau services, asset management, servicing, and collection activities, leasing personal or real property, and real estate settlement servicing”. The rule also “exempts financial institutions that collect customer information from fewer than 5,000 consumers from certain requirements.” (JDSUPRA).

Some provisions will not take effect until December 2022.

These include: “The requirement to designate a qualified individual; The specific requirements for written risk assessments (please note that the requirement to perform risk assessments is effective now — only the criteria mandated by the final rule are not yet effective); The specific requirements related to implementation of safeguards based on risk assessments, which include the provisions on encryption and multifactor authentication; The requirement that “information systems” undergo continuous monitoring or periodic penetration testing and vulnerability assessments; Training and operational requirements for security personnel; The requirement to perform periodic assessments of service providers; The requirement to establish a written incident response plan to respond to and recover from security events materially affecting the confidentiality, integrity, or availability of customer information; and the requirement that the qualified individual’s periodic reports be given in writing, regularly and at least annually, to the board of directors.” (JDSUPRA).

Compliance is not optional for covered financial institutions. Companies should be preparing now to implement the required safeguards in their information security programs and follow the guidelines laid down by the FTC.

“Affected entities should be proactive in implementing the significant operational requirements of the revised Safeguards Rule. The requirements are not light lifts, and the countdown clock to compliance is ticking.” (JDSUPRA).

The FTC has published recommendations on how to comply with the Safeguards Rule. These tips include, but are not limited to, the following:

“Regularly monitor and test the effectiveness of your safeguards; Train your staff; Monitor your service providers; Keep your information security program current; Create a written incident response plan.” (FTC).

For more details on the Safeguards Rule, visit the FTC’s website.

Have any questions about cyber-security? Responsive Technology Partners is the leading cyber-security expert in the Athens, Metter, Milledgeville, Vidalia, and Atlanta, Georgia areas. We also have locations in Tampa, Florida, Roanoke, Virginia, and Raleigh South Carolina. Service offerings include I.T. support, cyber-security and compliance, telephony, cloud services, cabling, access control, and camera systems. Our company’s mission is to provide world-class customer service through industry leading I.T. solutions that make every customer feel as if they are our only customer. Please visit our website to learn more: https://www.responsivetechnologypartners.com/.

Sources:

JDSUPRA. https://www.jdsupra.com/legalnews/glba-safeguards-rule-amendments-become-8621602/

FTC. https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know