The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule was first promulgated in 2002 and was designed to ensure that financial institutions have measures in place to keep customer information secure.
On October 27, 2021, the Federal Trade Commission (FTC) announced a number of important changes to the Safeguards Rule, which came into effect on January 10, 2022.
The main purpose of these changes is to ensure that non-bank financial institutions (or “finders”) that process customer information, such as fintech companies, mortgage brokers, credit reporting agencies, and accountants, are able to meet the GLBA compliance requirements.
Regulated entities are required to make a number of important changes to their information security plan, assuming suitable measures are not already in place. These changes include:
GLBA Safeguards Rule Updates for 2022
Write a risk assessment that evaluates the security threats to the confidentiality, integrity, and availability of customer information. The risk assessment must also include the procedures for addressing those threats.
Implement and periodically review access controls to ensure that access to customer information is restricted to those who legitimately need it to perform their role.
Use multi-factor authentication (MFA), or an equivalent secure access control method, for access to sensitive customer information. MFA requires more than one factor to authenticate, drawn from something you know, something you have, and/or something you are. In some cases, companies send an access code to your mobile device via SMS, which you must enter in order to log in. However, it should be noted that the FTC does not encourage the use of SMS messages for MFA verification, as “extremely sensitive information can be obtained” through this method. This is mainly because standard SMS messages are transmitted in clear text, which makes them easier to intercept. In addition, cyber-criminals have been known to trick employees into transferring their phone numbers to them, which means the criminals receive the access code when the employee tries to access their account.
Inventory of assets
Maintain an up-to-date inventory of all relevant data, devices, systems, employees, and facilities, and ensure that you have a thorough understanding of these systems, including their role and relevance to the company.
Encrypt all customer information, both at rest and in transit over an external network. Data does not need to be encrypted in transit when shared internally.
Establish a plan for developing in-house applications that process customer information in a secure manner. This includes implementing procedures for evaluating and testing the security of any third-party applications used.
Secure disposal of data
Establish procedures for the secure disposal of customer information. Customer information must be removed no later than two years after it was last accessed. The FTC will allow companies to retain data for longer periods provided that doing so is “necessary for business operations or other legitimate business purposes”.
Implement procedures for keeping track of important changes to systems and data. This includes monitoring all access to customer information for suspicious activity, including any unauthorized access or use. The FTC has dismissed concerns about the additional costs of continually auditing user activity, on the grounds that auditing can be automated.
Designate a single “qualified individual” who will be responsible for overseeing the information security program and reporting to the relevant authorities.
Establish criteria for selecting service providers who will have access to customer information. You must take “reasonable steps” to ensure that any third parties you share customer information with have the necessary safeguards in place to protect it.
Develop and maintain a written incident response plan (IRP) to ensure that you have a formalized process for responding to security events quickly and efficiently. The FTC defines a “security event” as an incident “resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on an information system, or customer information held in physical form”.