The Gramm-Leach-Bliley Act (“GLBA”) was a bi-partisan regulation passed by Congress in 1999 in an attempt to update and modernize the financial industry. One component of the GLBA, its Safeguards Rule, requires financial institutions to establish measures to keep their customers’ private information secure.
On December 9, 2022, certain provisions of the Federal Trade Commission’s amendments to the GLBA’s Safeguards Rule become effective. Other provisions expanding the scope of the Safeguards Rule took effect in January, so all businesses that handle consumer financial information should pay attention to these changes. Importantly, under the FTC’s new amendments to the Safeguards Rule, “finders,” or those that bring together buyers and sellers of a product or service, are now governed by the Safeguards Rule and must comply with its heightened data protection requirements. Therefore, companies offering third-party financing—such as car dealerships, furniture stores, and the like—should pay close attention to their new privacy and data protection obligations under the GLBA.
As part of the FTC’s amendments, multiple changes will become effective on December 9, including:
Qualified Individual Appointment. This amendment will require businesses to identify a “qualified individual” to oversee and implement their information security programs. This will typically be the firm’s Chief Information Security Officer and changes the prior requirement that any employee or representative could be designated.
Criteria for Risk Assessments. While risk assessments were required by the original rule, the amended rule sets forth mandatory criteria, including (1) criteria for evaluating and categorizing information security risks; (2) criteria for assessing confidentiality, integrity, and availability of the business’s information systems and customer data; and (3) requirements for identifying how to mitigate risks.
Additional Criteria for Implementing Safeguards. The amended rule now specifies additional requirements for implementing safeguards for risks identified by assessments, including access controls, data inventory, data disposal, change management, and monitoring, among other things.
IS Monitoring & Penetration Testing. The amended rule provides that information system monitoring must take the form of either “continuous monitoring” or “periodic penetration testing.” This change adds specific criteria to the rule’s general requirement that financial institutions regularly test or monitor the effectiveness of information security safeguards.
Other Requirements. The amended rule requires training for security personnel, periodic assessments of service providers, written incident response plans, and periodic reports from the qualified individual to the board of directors.
Under this amended rule, “financial institutions” includes a wide array of businesses, including those that engage in the following: (1) traditional banking functions; (2) making, brokering, or servicing extensions of credit; (3) property appraising; (4) collection services; (5) credit reporting; (6) asset management; (7) leasing property; (8) real estate settlement; and (9) bringing together buyers and sellers of any product or service that the parties negotiate and consummate.
Businesses that have not historically been required to comply with this rule must now do so. For example, if a retail business offers third-party financing for its purchases, it could be considered a “finder” under the amended rule and would have to comply with the Safeguards Rule. Failure to comply with these rules could open firms up to legal risk from regulators or others.
