While the GLBA Privacy Rule focuses primarily on notice and disclosure, the GLBA Safeguards Rule centers on how NPI is protected. It mandates that financial institutions develop a written information security plan describing all of the procedures and processes that protect client NPI.
GLBA Safeguards Rule Requirements
A thorough risk analysis of each department of the company that handles NPI is required. Departments that monitor, develop, or test programs to secure NPI will also be evaluated. Should any of the methods of collecting, using, or storing information change in any way, the safeguards must be updated as well.
How to Comply with Safeguards Rule
The FTC advises how best to comply with the GLBA safeguards rule, starting with the security plan itself. This plan must be appropriate to the size of the company, as well as its complexity, the breadth of its activities, and its nature, considering the sensitivity of all client information being handled.
According to the FTC, as part of the security plan, every company must:
- Designate employees to coordinate the information security program;
- Identify and assess the risks to customer information in each relevant operational area, and evaluate current safeguard effectiveness for controlling these risks;
- Design and implement the NPI safeguards program;
- Regularly monitor and test the NPI safeguards program;
- Select service providers that maintain appropriate safeguards, ensure they are contractually obliged to maintain safeguards and oversee their handling of customer information; and
- Evaluate and adjust the program considering relevant circumstances, including changes in the firm's business or operations, or security testing and monitoring results.
The FTC's guidance for GLBA compliance under the Safeguards Rule covers items ranging from data encryption to document shredding. Within each of these broad areas, companies may encounter several individual risks and responsibilities.
The necessary course of action ultimately depends on the specific risks that each corporate operating structure presents, assessed case by case.
Security and Encryption
GLBA Section 501, which deals with the protection of NPI, requires financial institutions to establish appropriate standards for the technical, administrative, and physical safeguarding of client records and information. The GLBA Data Protection Rule defines the extent of these safeguards, requiring financial institutions to:
- Ensure the security and confidentiality of customer data.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such data.
- Protect against unauthorized access to, or use of, such data that would result in substantial harm or inconvenience to any customer.
Although several federal agencies supervise financial institutions, the Federal Financial Institutions Examination Council (FFIEC) devises and oversees the audits for most of them.
The FFIEC publishes the IT Examination Handbook that provides guidance on IT security controls for protecting NPI. According to the handbook, financial institutions should use encryption to mitigate the risk of disclosure or alteration of sensitive information during transit or storage.
Encryption implementations ought to include:
- Validation that the encryption strength is sufficient to protect the information from disclosure until such a time when disclosure poses no material risk
- Effective key management practices
- Robust reliability
- Appropriate protection of the encrypted communication's endpoints
GLBA 2023 Safeguards Rule Updates Include New Data Privacy Requirements
A decades-old financial services law is changing, raising the bar for cybersecurity and data privacy compliance and posing new challenges for a wide range of businesses that gather client financial data, including tax preparers, higher education institutions, car dealerships, travel agencies, career counselors, and more.
As of June 2023, the GLBA’s Safeguards Rule updates provide comprehensive guidelines for creating a strong information security program. These guidelines cover documentation, testing, reporting, and using methods like encryption and multifactor authentication.
The Safeguards Rule requires businesses that provide financial products or services to consumers to safeguard sensitive data and notify clients of their information-sharing policies. The revised GLBA Safeguards Rule broadened the list of covered enterprises to include "finders," or businesses that connect buyers and sellers of goods or services.
The new requirements also expand state data privacy rules. Amid those changes, some covered entities may not understand the extent of the GLBA shifts, while others — typically smaller accounting or brokerage firms — often lack the in-house resources to handle the accompanying cybersecurity requirements. Even larger organizations that track GLBA but whose focus lies outside financial services may not yet have programs in place to address the new requirements.
Failure to comply could be costly, with each violation potentially resulting in a fine of up to $100,000.
Below, we discuss the new rules, which types of entities are affected, and the steps organizations should take now to ensure compliance and avoid costly penalties.
GLBA Compliance Checklist
To help unpack the GLBA Safeguards Rule, we've compiled a short checklist of actionable key steps to ensure compliance with the Safeguards Rule.
- Get to know the GLBA. A deep understanding of how the GLBA functions and how it affects your organization is paramount. Sitting down with an expert and reviewing the GLBA is most advisable. A compliance expert will provide a clear, accurate, and thorough overview of how the GLBA applies to your corporate operations.
- Perform a vigorous risk assessment. A proper risk assessment allows you to map out your current situation with respect to GLBA compliance. The most efficient way to conduct this is to engage an experienced expert to help pinpoint the areas of (potential) GLBA weaknesses.
- Establish a budget to ensure GLBA compliance. Companies must be ready to invest in security technology and solutions in case they don't have all the necessary protections.
- Identify a qualified expert to manage the program. Identifying skilled cybersecurity professionals can be challenging and costly, as the field of cybersecurity is always changing. To comply with regulatory requirements, businesses should consider outsourcing specific tasks to external Chief Information Security Officer (CISO) services.
- Improve internal controls. External help can make selecting and installing cybersecurity safeguards more efficient and effective.
- Manage internal threats. Consider outside threats (hackers or cyber criminals) first, then internal staff and employees who could, even accidentally, compromise your customer/consumer NPI. To prevent this scenario, conduct a thorough employee recruitment process that screens for potential risks, and maintain a continuous employee education program that keeps staff updated on security practices.
- Vet your service providers. If you engage service providers of any kind for help with your operations, make sure to check if they are also GLBA compliant.
- Stay on top of things. Keep your privacy rule requirements current: continuously revise, review, and update your privacy notices.
- Disaster Recovery Plan. The GLBA mandates that organizations have an incident response plan in place. Ensure that you have an IT disaster recovery and business continuity plan readily available to be able to show you have considered all potential risks and have precautions in place to alleviate any issues.
- Ongoing Compliance Monitoring. Supplement your annual cybersecurity assessments with continuous monitoring and preventive exercises. For example, penetration tests and vulnerability assessments should be conducted at least yearly, if not every six months. The best rule of thumb to keep in mind is that a significant material change in your business model or activities will trigger another mandatory test.
The bottom line is that organizations must plan to incorporate all GLBA requirements, existing and forthcoming, by setting aside the funds, time, and resources needed to guarantee compliance in the coming years. Working with a trustworthy compliance and cybersecurity provider like InnReg can help your fintech expedite its compliance processes and enhance your overall security and compliance posture.
The GLBA applies both monetary penalties and imprisonment to sanction non-compliant corporate behavior. Specifically, the scope of these penalties includes:
- Financial institutions are subject to a civil penalty of not more than $100,000 per violation
- Directors and officers are subject to a civil penalty of not more than $10,000 for each violation, in addition to being personally liable for each
- Both the officers and the institution are subject to fines under Title 18 of the United States Code, or imprisonment for not more than five years
The Venmo and RCG breaches make it clear that the aftermath of such penalties encompasses much more than a financial burden, including reputational harm and loss of goodwill.
Conclusion: GLBA is a Key Law for Most Financial Institutions
Even after two decades, GLBA enforcement continues to be a key consideration for financial institutions regarding safeguarding client data and privacy.
Still, while focusing on the GLBA itself is obligatory, it is critical to go beyond it. Various other federal, state, and international laws could apply as well. This means that, in addition to statutory requirements, companies could be required to take additional measures to protect their clients' data and reduce other risks effectively.
Undertaking this task and achieving the status of a GLBA-compliant company could be quite burdensome.
Given GLBA’s layers of complexity, the best strategy might be to engage outside help. An experienced outside compliance expert team, like that of InnReg, might be your best solution to efficiently reach and maintain a high level of compliance.
InnReg has extensive experience in helping financial institutions achieve outstanding levels of compliance. Get in touch today and find out how InnReg could support your corporate operations.
InnReg is a team of over 30 Regulatory Compliance and Innovation Consulting experts helping fintechs succeed in highly regulated markets since 2013. InnReg specializes in mitigating regulatory risk while helping clients launch and grow innovative fintech products and services.