(More) Amendments to the GLBA Safeguards Rule

By: James Ward and Dara Tarkowski

There was major news in the regulation of financial data last week: the FTC approved an amendment to the GLBA Safeguards Rule that carries significant implications for non-banking financial institutions. The updated rule requires these institutions to report any data breach affecting 500 or more consumers to the FTC. The change underscores the evolving landscape of threats to financial data security and the FTC's commitment to bolstering consumer protections.

These amendments are set to be enforced starting in 2024, six months following their publication in the Federal Register. The specific requirements include electronic notification to the FTC as soon as possible, and no later than 30 days after the discovery of any unauthorized acquisition of unencrypted customer information impacting at least 500 consumers. This tight timeframe for reporting underscores the urgency with which the FTC expects potential breaches to be addressed, reflecting a proactive stance in consumer financial information protection.

New Obligations, New Risk

What’s the biggest headline here? If you're a non-banking financial institution—everyone from mortgage brokers, debt collectors, smaller lenders, even tax preparers—your obligations have dramatically increased. More than this, the Rule imposes burdens most non-bank institutions have never experienced, and which go well beyond reporting. For instance, the FTC now requires the adoption of multifactor authentication (MFA), encryption of all customer information at rest and in transit, and continuous monitoring to detect unauthorized activity.

The rule even requires institutions to appoint a 'Qualified Individual' to oversee their information security programs. This individual, while not required to be a cybersecurity expert, does need to be capable enough to lead company efforts against potential breaches and to oversee the technical and administrative aspects of cybersecurity and data management.

In essence, the FTC's rule is asking financial institutions to be more like European companies under GDPR—implementing minimum standards, consistently auditing activities, appointing (what amounts to) a Data Protection Officer, etc. There has long been a desire to see a unified approach to data management on both sides of the Atlantic, and as the FTC's oversight of the Data Privacy Framework gets underway, we think this trend is likely to continue.

Getting Ready… Again

So, what should financial institutions do now?

Step one is to get methodical about documenting internal data practices, inventorying data sets, and ensuring that your security practices will not raise red flags with regulators. As always, it begins with basic data hygiene (privacy policies, role-based access controls, data usage minimization) but rapidly scales up to match the complexity of your organization. The more data you have, the more will be expected of you, so a preliminary audit is crucial.

Once the audit is complete, there needs to be an incident response plan that is more than a mere fig leaf downloaded from the internet. This plan should be a living document, adaptable and ready for a growing number of threat vectors. It should set out clear procedures for breach notification, a nuanced understanding of what constitutes a security event, and a sequencing protocol that is regularly updated and tested. Similarly, employee (and even vendor) training is crucial. What we've seen from the regulators in the last few years makes clear that a dust-covered binder containing an incident response plan or data protection protocols is not going to cut it: training employees cannot simply be a once-a-year, check-the-box exercise. It’s ongoing, evolving training that keeps pace with the ever-shifting landscape of cyber threats and regulatory requirements.

In tandem with training, financial institutions must also grapple with the task of continuous monitoring and vulnerability testing. It's a bit like holding a mirror up to your own defenses, looking for cracks and potential weaknesses. This, too, cannot be an exercise in self-congratulation, because if the review is inadequate or fails to identify obvious flaws, it can actually become an additional source of liability for companies that find themselves under investigation. And the requirements for what constitutes "continuous monitoring" are themselves evolving, with the FTC's view now being that at least one penetration test per year (along with related social engineering testing and follow-up) is more or less the minimum effort it will accept.

What’s the biggest challenge?

The biggest change for most organizations that had not previously been subject to these rules? Designation of a Qualified Individual to oversee the information security program. It's more than a mere regulatory checkbox; it’s a declaration of intent. This individual is not just responsible for data oversight, but is the institution's point of contact with respect to data security. They are the one who will stand before the board and the FTC to explain security incidents managed, lessons learned, and plans for future improvements.

Looking to the horizon, financial institutions must prepare for what’s next. The FTC's new rule is part of a broader movement by federal agencies to reach areas previously untouched by GLBA. One aspect of this that becomes murky is whether state-law carveouts for

What does this mean for the consumer?

It's a bit like being a shopper in Diagon Alley, knowing that each store—each financial institution—is bound by a code of magical conduct to protect your personal scrolls—your data. The difference is, in this narrative, the magic is real, manifested in the form of cybersecurity measures, legal requirements, and the promise of transparency and protection.

For financial institutions, the message is clear: while the value of data continues to grow, the regulatory burdens are going to scale accordingly. Being prepared means taking steps now, ahead of the effective date for the new Rule. Ask anyone who was involved in last June's update to the Safeguards Rule: implementation day arrives faster than you think, and so does potential liability.
