Deadline to Meet Requirements of New Safeguards Rule is December 9th

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires all organizations who offer consumer financial products or services to safeguard sensitive customer data and to explain their information-sharing practices to customers. The GLBA Safeguards Rule was officially revised in December 2021, making substantial changes to the information security measures required for compliance.

A number of specific new information security measures are required to be in place by December 9, 2022, or violators will be considered out of compliance.

The GLBA doesn’t just apply to traditional financial institutions, but to any organization that handles customer financial information whether in paper, electronic, or other form.

Colleges, universities, and other institutions of higher education are also governed by the GLBA in terms of their collection, storage, and use of student financial records that contain nonpublic personal information or personally identifiable financial information. Records regarding tuition payments, for example, as well as financial aid or student aid applications and related records, are governed by the GLBA Safeguards Rule and enforced by the Federal Trade Commission (FTC).

GLBA Overview

The GLBA Safeguards Rule requires all covered entities to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

The required elements of the information security program are specified in 16 CFR § 314.4 of the revised GLBA Safeguards Rule. The Rule was substantially revised in order to reflect changes in cybersecurity and information security technologies and the evolving cyberthreat landscape.

The other primary components of the GLBA are the Privacy Rule and the Pretexting Rule, which are not affected by the recent Safeguards Rule revision.

The requirements of the GLBA are enforced by the FTC and seven other federal agencies, depending on several factors. Penalties for non-compliance include fines of up to $100,000 per violation, fines for officers and directors of up to $10,000 per violation, criminal penalties of up to five years in prison, and the revocation of licenses.

Timing, Milestones, and Final Compliance Deadline

On April 4, 2019, the FTC issued a Notice of Proposed Rule Making that proposed substantial changes to the GLBA Safeguards Rule.

The public, including affected organizations, were able to comment on the proposed changes until August 2, 2019. In July 2020, the FTC held a public workshop to discuss the proposed changes.

The revised GLBA Safeguards Rule was enacted into law on December 9, 2021, with some of its requirements taking effect on January 10, 2022. For the majority of the required information security program elements, a one-year implementation period was permitted. That final compliance deadline is December 9, 2022.

Who Must Comply with the GLBA Safeguards Rule

The Purpose and Scope section of the revised Safeguards Rule defines covered entities (those who must comply with the GLBA) as including but not limited to mortgage lenders, pay day lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors not required to register with the SEC, and entities acting as finders.

The GLBA Safeguards Rule applies to all customer information in your possession, regardless of whether it pertains to individuals you have a customer relationship with or to customers of other financial institutions that have provided information to you.

The Definitions section of the Safeguards Rule further delineates what constitutes a ‘financial institution’ for purposes of GLBA compliance. Following are examples:

• Retailers who extend credit by issuing their own credit cards to consumers.
• Automobile dealerships that, as a normal part of their business, lease vehicles on a nonoperating basis for longer than 90 days.
• Personal property appraisers, real estate appraisers, and entities who provide real estate settlement services.
• Career counselors who specialize in counseling individuals currently employed by or recently displaced from a financial organization, or individuals who are seeking employment with a financial organization or with the finance, accounting or audit departments of any company.
• Businesses that print and sell checks for consumers, whether as a sole business or part of a product line.
• Check cashing businesses, and businesses that regularly wire money to and from consumers.
• Accountants and other tax preparation services who are in the business of completing income tax returns.
• Businesses that operate travel agencies in connection with financial services.
• Mortgage brokers and brokers of other loans.
• Investment advisory firms and credit counseling services.
• Entities acting as finders in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

As previously noted, colleges, universities and other higher education institutions who regularly collect tuition payments and disburse or coordinate the disbursement of student financial aid are also governed by the GLBA Safeguards Rule.

14 Security Elements Mandatory by December 9, 2022

The information security program is mandated in 16 CFR § 314.3, and the individual elements of the program are detailed in 16 CFR § 314.4. While some were required to be in place by January 10, 2022, most were allowed a year for implementation, with a deadline of December 9, 2022.

For your convenience, those final required elements are summarized below, minus the January 10 elements. In addition, several requirements do not apply to organizations having fewer than 5,000 customers, and those are noted in italics below.

For organizations governed by the GLBA Safeguards Rule, following are the information security elements you are required to have implemented by the final December 9 deadline:

• You must designate a Qualified Individual to oversee, implement, and enforce your information security program. (Qualified Individual may be an employee or a third party.)
• Your information security program must be based on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assesses the sufficiency of any safeguards in place to control these risks. This requirement does not apply to organizations with fewer than 5,000 customers.
• You must design and implement safeguards to control the risks identified in the assessment, including technical and physical access controls. And authenticate and permit access only to authorized users based on their need to know.
• In accordance with your risk strategy, identify and manage the data, personnel, devices, systems, and facilities that enable achievement of your business purposes and goals.
• Encrypt all customer information held or transmitted over external networks and at rest. Or secure it using effective, approved alternative compensating controls.
• If you develop software applications inhouse that transmit, access, or store customer information, you must adopt secure development practices. For applications developed externally, create procedures to evaluate or test their security.
• Implement multifactor authentication for any individual accessing any information system. Or use reasonably equivalent or more secure approved access controls.
• Develop, implement, and maintain procedures for the secure disposal of customer information, in any format, no later than two years after the last date the information is used. Periodically review policy to minimize unnecessary retention of data.
• Adopt procedures for change management, including implementing policies, procedures, and controls to monitor and log authorized user activity and to detect information tampering, abuse, or unauthorized use.
• You must also regularly test or monitor the effectiveness of your safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on or intrusions into your information systems. (Includes penetration testing and vulnerability assessments conducted periodically, annually, or semi-annually depending on several criteria.) This requirement does not apply to organizations with fewer than 5,000 customers.
• Implement policies and procedures to ensure your organization employs qualified information security personnel, provides them with security updates and security awareness training, and supports their continuous learning about security threats and countermeasures.
• For third-party service providers, you are required to periodically assess the risk they present, and the ongoing adequacy of their information security safeguards for your customer information.
• Establish a written incident response plan that enables you to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of your customer information. The plan must define goals; internal processes for responding to security event; clear roles, responsibilities, and levels of decision-making authority; external and internal communications and information sharing; requirements for remediation of any identified weaknesses in information systems and associated controls; documentation and reporting about security events and incident response activities; and evaluation and revision of the incident response plan following a security event, as needed. This requirement does not apply to organizations with fewer than 5,000 customers.
• The Qualified Individual responsible for overseeing, implementing, and enforcing your information security program is required to report in writing, regularly and at least annually, to board of directors or equivalent governing body. If no board or body exists, report to senior officer over the information security program. The report must include overall status of your information security program and status of compliance with these GLBA requirements. It must also address material matters related to your program, including issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses, and recommendations for changes to your information security program. This requirement does not apply to organizations with fewer than 5,000 customers.

Summary

The extensive revision of the GLBA Safeguards Rule enacted in 2021 affects a wide range of organizations and industries. A comprehensive information security program is mandated, and must include specific elements that constitute a solid security program according to universally accepted cybersecurity frameworks.

Security risk assessments, vulnerability assessments, and penetration testing. Access controls, multifactor authentication, data encryption, and secure software development practices. These and certain other security measures are required to be implemented by December 9, 2022.

Organizations have had nearly a year to bring their programs into compliance with the revised Safeguards Rule, and the deadline is now upon us. Financial and criminal penalties against violators are permitted, but the more compelling motivation for compliance is the improvement of information security programs and safeguards for the protection of customer information.

Need Some Help?

With the December 9 deadline looming, many organizations are feeling the pressure. We can relieve some of that pressure by assisting you in developing and implementing the security elements required by the revised GLBA Safeguards Rule. The cybersecurity and compliance professionals at 24By7Security are credentialed, experienced, and fully qualified to help. We’ve conducted more than 2,500 risk assessments, performed countless penetration and vulnerability tests, written thousands of pages of security policies and procedures, and provided virtual CISO services for dozens of clients seeking expert information security guidance.

Contact us today for a free consultation. There’s no time to waste.