The New GLBA Safeguards Rule and the Future of US Financial Industry Data Security


For the US banking and financial services industry, the Gramm-Leach-Bliley Act (GLBA) is the "go to" law for data security and privacy requirements. Passed by Congress in 1999, GLBA set basic rules on data security. Security pros are likely familiar with GLBA's Safeguards Rule and its general language that calls for developing and maintaining "reasonable administrative, technical, and physical safeguards." Unlike, say, HIPAA, which has similar overall goals for protecting patient health data, the actual GLBA regulations are not much more specific than that!

Directly inspired by the NYDFS law, the FTC finalized in October 2021 a significant update to the Safeguards Rule. For the first time, some financial companies will have to implement security controls for data access, data classification, multi-factor authentication (MFA), logging, and more. It is thought that the rest of the regulatory agencies enforcing GLBA will follow along and mirror these tougher rules.

In the world of financial data security, this is a monumental shift! To fully understand the updates to the GLBA Safeguards Rule, let's refresh our memories by looking at the existing regulations, analyzing the new technical controls, and then reviewing the FTC's overall take on data security for the financial sector.