Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Updates to the GLBA’s Safeguards Rule


The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, first promulgated by the FTC in 2002, requires the financial institutions under the FTC's jurisdiction to have measures in place to keep customer information secure.

On October 27, 2021, the Federal Trade Commission (FTC) announced a set of amendments to the Safeguards Rule. The amended rule took effect on January 10, 2022, although the FTC gave covered institutions until December 9, 2022 (later extended to June 9, 2023) to comply with several of the more prescriptive requirements described below, such as the written risk assessment, multi-factor authentication, encryption, the incident response plan, and the designation of a qualified individual.

The main purpose of these changes is to spell out, far more concretely than the original rule did, what the information security program of a non-bank financial institution must contain. That covers fintech companies, mortgage brokers, consumer reporting agencies, tax preparers and accountants, and, newly added to the definition of “financial institution”, so-called “finders”: companies that bring together buyers and sellers of a product or service and handle customer information in the process.

Regulated entities are required to make a number of important changes to their information security program, assuming suitable measures are not already in place. These changes include:

GLBA Safeguards Rule Updates for 2022

Risk assessments

Conduct and document a written risk assessment that identifies the threats to the confidentiality, integrity, and availability of customer information, evaluates the likelihood and impact of each, and describes how the identified risks will be mitigated or accepted. The assessment is not a one-off: it must be repeated periodically, and the safeguards below are expected to follow from its findings.

Access controls

Implement and periodically review technical and physical access controls to ensure that access to customer information is restricted to those who legitimately need it to perform their role, and that each of them can reach only the information their role requires.

Multi-factor authentication

Use multi-factor authentication (MFA) for any individual accessing an information system that holds customer information, unless the qualified individual (see below) approves in writing a reasonably equivalent or stronger access control. MFA means combining at least two of three factor types: something you know (a password or PIN), something you have (a phone, authenticator app, or hardware key), and something you are (a biometric). A common implementation sends a one-time code to the user's mobile device via SMS, which must be entered to log in. However, the FTC does not encourage the use of SMS for MFA, noting that “extremely sensitive information can be obtained” through this channel. The weakness is the channel itself: an SMS code can be intercepted through flaws in the carrier signalling network, and in a SIM-swap attack the criminal persuades the mobile carrier (not the employee) to port the employee's phone number to a SIM the criminal controls, so every subsequent access code is delivered to the attacker. Codes generated on the device by an authenticator app (TOTP) remove the carrier from the loop, and FIDO2 security keys go further by binding the login to the legitimate site, which also defeats phishing of the code.

Inventory of assets

Maintain an up-to-date inventory of all relevant data, personnel, devices, systems, and facilities, and understand each item's role and relevance to the business. Without a complete inventory, the risk assessment and the access controls above cannot be shown to cover everything that holds customer information.

Encryption

Encrypt all customer information, both at rest and in transit over external networks. The rule's text mandates encryption in transit only for external networks, so traffic that stays inside your own network is not strictly required to be encrypted; treat that as a floor rather than a recommendation, since internal TLS is cheap and closes off lateral movement and sniffing once an attacker is inside. Where encryption is genuinely infeasible, the qualified individual may approve, in writing, effective alternative compensating controls.

Application security

Adopt secure development practices for in-house applications that store, process, or transmit customer information, and establish procedures for evaluating, assessing, or testing the security of any externally developed applications you use for the same purpose.

Secure disposal of data

Establish procedures for the secure disposal of customer information. Customer information must be disposed of no later than two years after the last date it was used in connection with providing a product or service to the customer in question, unless retaining it is “necessary for business operations or other legitimate business purposes”, is required by law or regulation, or targeted disposal is not reasonably feasible because of how the information is stored. The retention policy itself must be reviewed periodically to minimize the amount of customer information held.

Change management

Implement change management procedures so that significant changes to systems and data are tracked and approved. Alongside this, implement monitoring and logging of authorized user activity, and detection of unauthorized access to, or use of, customer information; in practice this means logging access to customer information and reviewing those logs for anomalies such as access outside the user's role, unusual volumes, or unusual times. The FTC rejected concerns about the cost of continuous auditing of user activity on the grounds that such auditing can be automated.

Security officer

Designate a single “qualified individual” who is responsible for overseeing, implementing, and enforcing the information security program. This person may be an employee, an affiliate, or a service provider, but the institution remains responsible for compliance. The qualified individual must report in writing, at least annually, to the board of directors or an equivalent governing body on the overall status of the program, including the risk assessment, test results, security events, and recommended changes.

Vendor analysis

Establish criteria for selecting service providers who will have access to customer information. You must take “reasonable steps” to select and retain providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the providers based on the risk they present and the continued adequacy of their safeguards.

Incident response

Develop and maintain a written incident response plan (IRP) so that you have a formalized process for responding to security events promptly and consistently. The FTC defines a “security event” as an event “resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on an information system, or customer information held in physical form”. The plan must address the goals of the response, the internal processes for handling an event, clear roles and decision-making authority, internal and external communications, remediation of any weaknesses the event exposes, documentation and reporting of the event, and post-incident evaluation and revision of the plan.

If you’d like to see how the Lepide Data Security Platform can help you meet GLBA compliance, schedule a demo with one of our engineers or start your free trial today.