Regulations concerning consumer privacy, information security, and data protection represent a dynamic and ever-changing landscape. With this understanding, it's imperative to keep you informed of impending changes impacting financial institutions.
Effective May 13, 2024, financial institutions under the Federal Trade Commission’s (FTC) jurisdiction via the Gramm-Leach-Bliley-Act (GLBA) are required to report to the FTC any notification event where unencrypted customer information is acquired without authorization and affects 500 or more individuals. These requirements build upon and amend the longstanding Safeguards Rule promulgated by the Commission over twenty years earlier under the GLBA.
What is the GLBA?
The Gramm-Leach-Bliley Act was enacted on November 12, 1999, and required the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to implement standards relating to administrative, technical, and physical safeguards to protect nonpublic information (“NPI”) and consumer rights relating to NPI. In addition to reforming the financial services industry, the Act addressed concerns relating to consumer NPI by mandating stringent standards for handling such data, and imposed these obligations onto banks, credit unions, and other financial entities. Consequently, ensuring the security and privacy of nonpublic information is paramount for a wide range of financial institutions. Among the numerous regulations governing this domain, the Gramm-Leach-Bliley Act—as amended from time to time—stands out as a cornerstone and remains relevant today.
At its core, GLBA provides a framework for regulating privacy and security practices for businesses significantly engaged in providing financial products or services and aims to enhance consumer privacy by bolstering the security of financial information. The Act includes:
- A Privacy Rule: The Privacy Rule outlines requirements for financial institutions to protect the NPI of both customers and consumers, such as notifying them about their information-sharing practices and affording them the opportunity to opt-out of certain disclosures that would include the consumer’s NPI.
- A Safeguards Rule: The Safeguards Rule directs the establishment of robust written information security programs to protect consumer data. Financial entities must also designate a qualified individual to implement and supervise the program, identify and assess risks to customer information, implement appropriate safeguards, and regularly monitor and adjust their security measures. Additionally, at least annually, the qualified individual must report to the Board or governing body regarding the status of the information security program. That report should include, but not be limited to, the status of risks and compensating controls, service provider arrangements, test results, security events and actions taken in response, and recommendations for changes and enhancements to the program.
- Pretexting provisions: GLBA also addresses concerns regarding pretexting, or the use of false pretenses to obtain personal financial information. It prohibits the practice of obtaining consumer data under false pretenses and enhances penalties for these actions.
Navigating Compliance with GLBA: Some Tips for Financial Institutions
Whenever new requirements are publicized, it is general practice for businesses to begin positioning themselves to comply. However, it is also an excellent opportunity to revisit “the basics” and reassess your compliance with any related standards.
Seven key tips for compliance with GLBA
In the wake of the recent amendment to the GLBA, financial institutions face heightened responsibilities regarding the protection of data. Compliance with GLBA requires a multi-faceted approach that considers administrative, physical, and technical safeguards. Here are some fundamental steps financial institutions should take to have compliance with GLBA:
1. Data mapping and classification
Begin by conducting a thorough inventory of all consumer data collected, processed, and stored. Classify this data based on sensitivity and assess associated risks. Map its flow through the environment and understand which systems and applications interface with the data. Understanding the flow of information is crucial for implementing appropriate safeguards.
2. Privacy policy and notice
Develop comprehensive privacy policies and notices that articulate your information-sharing practices and provide consumers with clear opt-out mechanisms. Regularly review and update these documents to reflect any changes in operations or regulatory requirements.
3. Security program implementation
Establish a robust security program in accordance with the safeguards rule. This involves appointing a designated security officer, conducting risk assessments, developing incident response plans, and implementing controls such as access controls, encryption, and intrusion detection systems.
4. Employee training and awareness
Employees play a pivotal role in maintaining data security. Provide regular training to educate staff on GLBA requirements, data handling best practices, and the importance of safeguarding consumer information. Foster a culture of vigilance and accountability across the organization.
5. Regular audits and monitoring
Implement mechanisms for ongoing monitoring, auditing, and testing of security controls. Regularly review access logs, conduct vulnerability assessments, and perform penetration testing to identify and mitigate potential security gaps.
6. Incident response and reporting
Develop a comprehensive incident response plan to address data breaches or security incidents promptly. Establish clear procedures for reporting incidents to regulatory authorities and providing any required notices to affected consumers and other stakeholders as required by law.
7. Vendor management
Many financial institutions rely on third-party vendors for various services, including many of the information security services listed above. Ensure that vendors adhere to GLBA standards by conducting due diligence assessments, including evaluating their security practices and contractual obligations.
GLBA challenges and future considerations
GLBA provides a robust framework for safeguarding consumer data, and financial institutions continue to face ongoing challenges in maintaining compliance with technological advancements and the evolving cyberthreat landscape.
Looking ahead, regulatory authorities will likely continue to refine and expand GLBA requirements to address emerging risks and enhance consumer protections. Cloud computing, mobile banking, and digitalization have introduced new complexities and vulnerabilities that require careful consideration. Financial institutions must stay abreast of regulatory updates, invest in continuous training and technology upgrades, and foster a culture of compliance to navigate the ever-changing regulatory landscapes successfully.
The role of managed IT services in GLBA compliance
Technology plays a pivotal role in supporting GLBA compliance efforts. Financial institutions often find it beneficial to leverage the advanced cybersecurity solutions and data protection tools available through a Managed Security Service Provider (MSSP) to fortify their defenses against evolving threats. Encryption technologies, multi-factor authentication, and intrusion detection systems can help safeguard sensitive information from unauthorized access or disclosure. MSSPs also offer reporting tools to identify potential issues, streamline audit processes, and support annual reporting obligations.
Partner with a managed IT provider who can help you create a culture of information security and compliance within your financial institution. Locknet Managed IT is both SOC 2 Type 2 audited and FFIEC examined because we value information security as much as you do. Contact us to get started.
This information is provided by Locknet for informational purposes only. All information is provided in good faith, and we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability, or completeness of any information included. Before acting based on any information or material contained herein, you should review the Final Rule and evaluate the appropriateness of these recommendations. If you need legal advice, please consult an attorney.
