While the GLBA Privacy Rule focuses primarily on notice and disclosure, the GLBA Safeguards Rule focuses on how NPI is protected. It requires financial institutions to develop a written information security plan that describes the procedures and processes used to protect client NPI.
A thorough risk analysis of every department that handles NPI is required. Departments that monitor, develop, or test programs intended to secure NPI must be evaluated as well. Whenever the methods used to collect, use, or store information change, the safeguards must be updated accordingly.
The FTC provides advice on how best to comply with the safeguards rule, starting with the security plan itself. This plan has to be appropriate to the size of the company, as well as its complexity, the breadth of its activities, and their nature, taking into account the sensitivity of all client information being handled.
According to the FTC, as part of the plan, every company must:
- Designate employees to coordinate the information security program
- Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks
- Design and implement an NPI safeguards program
- Regularly monitor and test its NPI safeguards program
- Select service providers that can maintain appropriate safeguards, make sure they are contractually obliged to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring
The FTC's guidance on complying with the Safeguards Rule covers items ranging from data encryption to document shredding. Within each of these broad areas, a company may face a number of individual responsibilities.
The necessary course of action ultimately depends on the specific risks that each company's operating structure presents, assessed case by case.
Security and Encryption
GLBA Section 501, which deals with the protection of NPI, requires financial institutions to establish appropriate standards for the technical, administrative, and physical safeguarding of client records and information. The extent of these safeguards is defined by the GLBA Data Protection Rule, which requires financial institutions to:
- Ensure the security and confidentiality of customer data
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such data
- Protect against unauthorized access to, or use of, such data that would result in substantial harm or inconvenience to any customer
While there are federal agencies that supervise financial institutions, the Federal Financial Institutions Examination Council (FFIEC) is in charge of devising and overseeing the audits for most of them.
The FFIEC publishes the IT Examination Handbook that provides guidance with respect to IT security controls for protecting NPI. According to the handbook, financial institutions should use encryption to mitigate the risk of disclosure or alteration of sensitive information during transit or storage.
The implementations of encryption ought to include:
- Validation that the encryption strength is sufficient to protect the information from disclosure until such time as disclosure would pose no material risk
- Effective key management practices
- Robust reliability
- Appropriate protection of the encrypted communication's endpoints
GLBA Compliance Checklist
In an effort to further shed light on the matter, we've compiled a short checklist of actionable items.
- Get to know the GLBA. A deep understanding of how the GLBA functions and how it affects your organization is paramount; it is advisable to sit down with an expert and review the GLBA in detail first. This will give you a clearer overview of how the GLBA applies to your corporate operations.
- Perform a rigorous risk assessment. A risk assessment allows you to map out your current situation with respect to GLBA compliance. The most efficient way to conduct one is to engage an experienced external expert to help you pinpoint the areas where any potential GLBA weaknesses lie.
- Improve internal controls. External help can make designing and installing cybersecurity controls more efficient and effective.
- Manage internal threats. Outside threats (for example, hackers or cyber criminals) should be considered first, but they are not the only ones. Internal staff and employees can also compromise the NPI of your consumers and customers, even by accident. To prevent this scenario, conduct a thorough employee recruitment process that filters out potential risks, and maintain a continuous employee education program that keeps staff up to date on security practices.
- Vet your service providers. If you engage service providers of any kind to support your operations, check that they are GLBA compliant as well.
- Stay on top of things. Keep your Privacy Rule obligations current: continuously review, revise, and update your privacy notices so that they remain up to date.
- Disaster Recovery Plan. The GLBA mandates that an incident response plan exist. Make sure that you have an IT disaster recovery and business continuity plan readily available, so that you can show you have considered the risks and have precautions in place to mitigate any issues.
GLBA Compliance Fines
Given the complexity the GLBA creates, it is also important to note the fines it imposes. The GLBA applies both monetary penalties and imprisonment as means of sanctioning corporate behavior that violates it. Specifically, the scope of these fines includes:
- Financial institutions being subject to a civil penalty of not more than $100,000 per violation
- Directors and officers being subject to a civil penalty of not more than $10,000 for each violation, in addition to being personally liable for each
- Both the officers and the institution being subject to fines in accordance with Title 18 of the United States Code, or imprisonment for not more than five years
As in the aforementioned examples of Venmo and RCG, these fines, if incurred, prove to be more than just a financial burden to the firm. In addition to the reputational harm and loss of goodwill, a perpetual control process, as in the case of Venmo, further strains all levels of corporate operations.
Conclusion - GLBA is a Key Law for Most Financial Institutions
With the GLBA having been in force for more than two decades, it continues to be a key factor in financial institutions' decisions about the privacy and safeguarding of client data.
Still, while focusing on the GLBA itself is obligatory, it is vital to go beyond it. Various other federal, state, and international laws may apply as well. This means that, in addition to statutory requirements, companies may need to take additional measures to protect their clients' data and adequately reduce other risks.
Undertaking this task, achieving the status of a GLBA-compliant company, can be quite burdensome.
Given this level of complexity, engaging outside help may be the most prudent call. Experienced outside expert counsel, such as that of InnReg, might be just what your operation needs to maintain a high level of compliance.
InnReg has extensive experience in helping financial institutions achieve outstanding levels of compliance. Get in touch today and find out how InnReg can support your corporate operations.