FTC Updates Financial Institution Data Security Requirements Under GLBA

The Federal Trade Commission (FTC) recently released changes to the data security requirements for financial institutions by revising the safeguard rule (rule) under the Gramm-Leach-Bliley (GLBA). The law is designed to protect the privacy and security of consumers’ financial information when dealing with financial institutions. The scope of the covered financial institutions is wide and includes a wide range of companies in the financial sector, not just banks. In adopting the new safety rules, the FTC acknowledged that “[i]In recent years, large-scale data breaches and cyber attacks have caused significant damage to consumers, including monetary loss, identity theft and other forms of financial distress.

Strong points

  • The rule changes contain many specific and relatively detailed requirements for compliance, such as the development of a written information security program and the appointment of a “qualified person” (for example, an information security officer) to oversee and implement the program, encryption and multi-factor authentication

  • While the Rule has always applied to “financial institutions” with a broader scope than just banks (e.g. credit bureaus are covered), the definition has been broadened to cover businesses. who are substantially engaged in activities “ancillary to” financial activities, such as as “finders” which bring together buyers and sellers of a financial product or service

  • While the rule does not require reporting of data security incidents, the FTC has asked for comment on whether, in the future, it should require covered financial institutions to report certain data breaches. and other security incidents.

  • Changes further align the rule with other data security laws and industry standards

  • Many new requirements come into effect 30 days after the amended rule is posted in the Federal Register, with larger changes coming into effect one year after posting.

Previously, the rule was light on details and contained only general terms requiring companies to implement appropriate data security measures. This has led to uncertainty within and within the financial sector, with ad hoc decisions and guidance being issued by regulators. The new rule contains detailed requirements, including that covered financial institutions must:

  • Develop, implement and maintain a comprehensive information security program

  • Designate a qualified person responsible for the supervision and implementation of the program

  • Require the qualified person to report regularly (at least annually) to the board of directors, or equivalent, on all safety events that have occurred during the past year

  • Conduct a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information

  • Implement and periodically review access controls

  • Create inventory and manage data, staff and devices that impact data privacy and security

  • Encrypt all customer information held or transmitted by the company both in transit over external networks and at rest (in storage)

  • Adopt secure development practices for internal software development applications

  • Set up multi-factor authentication for people accessing the company’s information system

  • Adopt a written incident response plan

  • Securely dispose of customer information in accordance with written policies and procedures

  • Implement a data retention policy to minimize unnecessary data retention

  • Adopt procedures for managing and controlling changes to company data security measures

  • Monitor and record authorized user activity to detect unauthorized use or tampering with customer information

  • Test and monitor the effectiveness of the organization’s data security program

  • Conduct training and awareness exercises for all relevant personnel

  • Oversee vendors and service providers with respect to data security safeguards and controls

  • Evaluate and adjust the information security program as needed due to organizational changes and security threats

The rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be “incidental to” financial activities. A business will fall under the definition of a financial institution if it is “significantly engaged in activities ancillary” to financial activities. This change adds entities such as “researchers” – companies that bring together buyers and sellers of a product or service – within the scope of the Rule. This type of activity has grown considerably with the significant development and expansion of the Internet and online marketing in the past few years since the adoption of the Rule. Researchers often collect and maintain highly sensitive financial information about consumers, and this change will require them to comply with the requirements of the Safeguard Rule to protect that information.

One area of ​​particular concern to the business community regarding rule revisions was the extent to which companies are required to report data security breaches. The industry and the FTC recognize the potential friction between the benefits of sharing security breach information and the privacy and security concerns inherent when that information is provided to government or made public. The FTC has not promulgated any rules in this regard, but is seeking comment on whether financial institutions should be required to report certain data breaches and other security occurrences.

The rule may have been overdue for an update, with no changes since its enactment in 1999. The revisions bring the rule more in line with data security regulations, including those under the HIPAA regulations and New York Cybersecurity, as well as current industry standards such as the NIST Cybersecurity Framework and ISO / IEC 27001. While the new requirements apply to GLBA-regulated companies, they provide additional guidance and support for data security measures and safeguards that should be considered and adopted by organizations in all sectors.

Effective date

Certain aspects of the amended rule, including those relating to the implementation of safeguards, carrying out a written risk assessment, appointing a qualified person and carrying out continuous monitoring or penetration tests annual, come into force one year after the publication date (therefore, in October 2022). The other portions are effective 30 days after publication.

© 2021 Foley & Lardner srlNational Law Review, Volume XI, Number 314

Comments are closed.