Last week Bob Maley, Chief Security Officer at Black Kite and I led a Fireside Chat discussion on the current regulatory landscape regarding privacy and security. While state laws continue to advance and there is momentum for a Federal U.S. Privacy Regulation, the update by the Federal Trade Commission (FTC) on the Gramm-Leach-Bliley Act (GLBA) Security Safeguards rule is impacting specific sectors right now. I have worked with GLBA since its inception in my tenure at one of the largest service providers to financial institutions, so let me break down the components we discussed as a “Primer” on GLBA in 2022.
The Gramm-Leach-Bliley Act (GLBA) is one of the most mature regulations in financial services that has brought together data privacy and third party obligations. Originating in 1999, with multiple updates over the last two decades, it set the foundation for data protection obligations from both a privacy and security viewpoint with respective rule sets. GLBA established oversight of the regulation by the financial services regulators for banking entities and the FTC for oversight of “non-banks” that were “significantly involved” in financial services.
Fast forward, after years of proposals, workshops, and industry dialog, the FTC finalized updates to GLBA’s Standards for Safeguarding Information which became effective January 10th of 2022. The most significant changes to the rule do not become effective until December 9th, 2022, so organizations that are impacted have six months to get the remaining set of requirements analyzed and processes implemented to meet more detailed requirements. The FTC has also been active at updating guidance on formalizing breach notification processes which continue to advance the goal of strengthening data protection across many industries.
The updated GLBA rule clarified the types of services that fall under the non-bank scope in GLBA. The types of businesses impacted are based on their business model and how they may be offering or enabling a financial product or service to a consumer for personal, family or household purposes. Examples of these types of services include:
• Extensions of credit or servicing of loans, including pay day lenders and traditional mortgage lenders
• Higher education functions that provide federal financial aid
• Automobile
• Real estate and personal property appraisal and settlement services
• Collections agencies, wire transfer and check cashing services
• Credit bureau services
• Tax preparation firms
• Check printers
• Non-federally insured credit unions
• Career counselors that provide services to previously displaced employees of financial organizations
• Certain travel agencies
• Investment advisory company and credit counseling services
• Finders that bring together one or more buyers and sellers of any product or service for transactions that the parties negotiate and consummate
While higher education may seem to be an unlikely segment impacted by a banking regulation, it is due to their role in providing federal financial aid. All Title IV higher education institutions whether public, private non-profit, or for-profit must comply with GLBA cybersecurity requirements as a condition of participation in Title IV funding. In fact, the Department of Education has issued its recommendation that higher education align its security and privacy requirements to the NIST special publication NIST 800-171.
To the traditional banking sector, most of the requirements issued are not new. Obligations for safeguarding customer information and improving cybersecurity posture have been driven by changes like NY DFS-500, NIST Standards, OCC requirements for TPRM, etc. The FTC modeled its updated guidance to bring the non-bank sector obligations in alignment to the banking sector.
Security Program: New requirements are driving greater accountability for the information security program. The starting point is to require the designation of a qualified individual to be accountability for the program, conduct a written risk assessment and provide periodic reports to the organization’s board of directors.
Technical Controls: The security rule changes trigger both the use of encryption and multi-factor authentication; secure disposal of data. To address cybersecurity risks, information systems need to undergo continuous monitoring or deploy penetration testing/vulnerability assessments.
Third Party Risk Assessments: While the original rule extended contractual obligations to third parties, the updated rule now requires periodic assessments of third parties that are involved in delivering the services. As a result, TPRM programs, due diligence standards and vendor classification structures should be reviewed to address the expanded technical controls.
Incident Response: Due to the focus on cybersecurity, the updated rule outlines expectations for incident response and security/privacy training for security personnel.
Balancing these changes, along with other data privacy changes is an impact to both internal resources but also technology investments. Understanding the impacts and building out both Security Program and TPRM program maturity is the focus in the remaining six months before the rules are enforced. The FTC recently published a primer for organizations that need to address these new requirements in a booklet FTC Guidance on What a Business Needs to Know.
For organizations looking to address the obligations related to Third Party Risk Management, here are resources from Shared Assessments that may be helpful: