GLBA stands for the Gramm-Leach-Bliley Act, a congressional act established in 1999 that removed cumbersome regulations within the financial industry. The purpose of the act was to update and modernize the financial industry. However, it did much more than that. It started a new era of information security and business transparency for customers. In response to GLBA, financial institutions became required to develop information-sharing practices and request their customers to opt in or out of having their non-public information shared with third parties (“The Gramm-Leach-Bliley Act of 1999 (GLBA)”). Fast forward to 2022, GLBA’s jurisdiction has surpassed banks and now includes but is not limited to organizations like educational institutions, travel agencies, and brokerage firms. More recently, new responsibilities have emerged, and the FTC now requires enhanced protection of customer information and everyday business communications including developing and maintaining an information security program (Federal Trade Commission, What does the Safeguards Rule require companies to do?).
From 1999 Until Today
GLBA repealed part of the 1933 Glass-Steagall Act, removing all barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.
Most importantly, GLBA started an era of safeguarding customer non-public information and the development of information-sharing practices. GLBA requires all financial institutions to explain to their customers both their information-sharing practices and how they safeguard that sensitive data.
In 2003, the Federal Trade Commission (FTC) expanded on the GLBA and established the Safeguards Rule. The rule established standards for safeguarding customer information to ensure that the entities covered by the rule maintain protocols to protect the security of customer information. In October 2021, the FTC updated those standards and expanded the Safeguards Rule, requiring further compliance by financial institutions (“FTC Safeguards Rule: What Your Business Needs to Know”).
What exactly are those safeguards?
The Safeguards Rule requires financial institutions under FTC jurisdiction to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The “customer information” that financial institutions must safeguard includes the following (“FTC Safeguards Rule: What Your Business Needs to Know”, What does the Safeguards Rule require companies to do?):
Developing and Maintaining Your Own Information Security Program.
The last step to FTC IT compliance is developing, managing, and updating your financial institution’s own Information Security Program. An Information Security Program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information (“FTC Safeguards Rule: What Your Business Needs to Know”, Glossary – Information Security Program). These safeguards must be appropriate to your business’s size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue (“FTC Safeguards Rule: What Your Business Needs to Know”, What does the Safeguards Rule require companies to do?).
What does an Information Security Program exactly include?
An Information Security Program includes 9 elements. These 9 elements are imperative to building a foundation for FTC IT compliance and remaining compliant in the future as you can anticipate further updates to the Safeguards Rule. Your financial institution must obtain FTC IT compliance as determined by the new Safeguards Rule update by Dec. 9th, 2022, to avoid cumbersome financial penalties and potentially federal investigation. Below is a summary of all 9 elements with their appropriate codes from The Safeguards Rule amendments section. For this post, each section has been summarized. Please note that each element is much more detailed in nature and that a detailed provision of each element can be provided to you upon consultation.
| Section | Element |
| --- | --- |
| § 314.4 (a) | Designate a Qualified Individual to implement and supervise your company’s information security program. |
| § 314.4 (b) | Conduct a risk assessment based on the type of information stored and storage location. |
| § 314.4 (c) | Design and implement safeguards to control the risks identified through your risk assessment. |
| § 314.4 (d) | Regularly monitor and test the effectiveness of your safeguards. |
| § 314.4 (e) | Train your staff. Provide security briefings and refreshers. |
| § 314.4 (f) | Monitor your service providers. |
| § 314.4 (g) | Keep your information security program current. |
| § 314.4 (h) | Create a written incident response plan. |
| § 314.4 (i) | Require your Qualified Individual to report to your Board of Directors. |
(National Archives and Records Administration, § 314.3 Standards for safeguarding customer information.)
This table is a foundation for the requirements needed for you and your associates to ensure the protection of your consumer’s non-public information and maintain effective security of your current information system and your organization’s financial well-being. Please do not hesitate to take the necessary steps to get FTC IT compliant ASAP. We have an effective and convenient way for you to do so. For a limited time, we are offering a complimentary FTC IT Compliance Audit to gauge your current information security system(s) and develop a plan of action for your business to meet each requirement set by the FTC. Please follow the link below and fill out each section required to secure your complimentary FTC IT compliance audit today!