In 2003, the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule established important standards for financial institutions to protect the confidentiality and security of consumers’ nonpublic personal information. Given the sensitive nature of financial transactions, the Safeguards Rule paved the way in preparing the financial sector for increased cyber threats targeting high-value data.
Reflecting a much-changed technological landscape, the Federal Trade Commission (FTC) recently introduced the first updates to the Safeguards Rule in almost two decades. With mandatory compliance with the updated rule set to take effect in November 2022, now is the time to get familiar with the changes and refresh your security program in line with them. This article gives an overview of the new Safeguards Rule, including key updates, the expanded definition of financial institutions, and the security program required to comply with the rule.
A Brief History of the Safeguards Rule
The Safeguards Rule applies to financial institutions falling under FTC jurisdiction (non-banking institutions). The original standard required compliance from any covered financial institution engaging in activities of a financial nature.
Currently, the rule specifies that financial institutions must “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.” The original rule included the following standards and guidelines for what organizations need to do:
- Create an information security program that reflects the company’s size, complexity, and sensitivity of any data handled.
- Designate responsibility for the information security program at the company.
- Conduct a risk assessment and implement appropriate mitigation measures.
- Provide security training and awareness as part of the information security program.
While all of these points remain cornerstone elements of any modern information security program, the initial implementation details were fairly non-specific. With large-scale data breaches regularly impacting customer financial data over the last decade, the FTC moved in 2021 to produce more specific guidelines and measures on how financial institutions need to implement an information security program and effectively protect customer data.
New Safeguards Rule: Key Updates
Termed the “Final Rule,” the FTC’s amendment to the Safeguards Rule contains the following key updates.
Overall security program
The Final Rule gives more specific implementation guidance on what suffices as appropriate controls to protect customer data. These updates reflect the current cyber threat landscape and include important data security measures such as encryption and access controls (more details below).
The Final Rule broadens the criteria for what a risk assessment must include and also requires the risk assessment to be set forth in writing. One of the important new directions is for financial institutions to specify criteria for examining the adequacy of existing technologies and controls in the context of identified risks and threats. It appears the aim here is to get organizations to consider adopting technologies that enhance and preserve privacy.
Formerly, testing requirements directed organizations to regularly test or monitor the effectiveness of their security safeguards without specifying any frequency or type of testing. The amendments now require either (a) annual penetration testing and biannual (at least every six months) vulnerability assessments or (b) continuous monitoring.
The rule’s new incident response guidelines call for a written incident response plan. This plan outlines the specific actions to take when responding to, and promptly recovering from, any security event that affects the confidentiality, integrity, or availability of customer information. The incident response plan needs to cover goals, processes, roles and responsibilities, and communications, among other details.
Extended Definition of Financial Institutions
The FTC also expanded the definition of financial institutions in its amended Safeguards Rule to include finders. A finder is an intermediary that brings together buyers and sellers to make deals. Instead of requiring compliance only from companies engaging in financial activities, the new rule extends the wording to organizations engaged in activities incidental to such financial activities.
It’s worth pointing out that the amendments also come with a compliance exemption for small businesses in relation to some of the changes. The Final Rule states that financial institutions collecting information on fewer than 5,000 consumers don’t need a written risk assessment, incident response plan, or annual reporting to the Board of Directors.
Required Security Measures for the Safeguards Rule
The new prescriptive requirements in relation to security measures and safeguards include:
- Access controls—implement and review technical and physical controls to protect against unauthorized access to customer information. Of note, the amended rules refer to the principle of least privilege; restrict any access to only what’s necessary for performing job duties and functions.
- Encryption—render customer information unreadable using encryption methods consistent with current cryptographic standards. This safeguard applies to data both at rest and in transit over external networks.
- Secure development practices—because threat actors may attack custom applications with the intention of accessing customer data, the changes call for secure development practices for any in-house apps that transmit, access, or store customer data.
- Multi-factor authentication—a stringent multi-factor authentication (MFA) requirement means you need MFA for any individual who accesses any information system. MFA requires users to provide two or more different categories of information to verify their identities.
- Secure data disposal—if a customer’s data hasn’t been used for two years in connection with the provision of a product or service to that customer, securely dispose of the data. The only exception for retaining data beyond that two-year unused timeframe is if retention is necessary for business operations or other legitimate business purposes. You also need to conduct a periodic review of your data retention policy to minimize unnecessary retention, although the frequency of such reviews isn’t specified in the rule.
- Monitoring—use a combination of policies, procedures, and controls to monitor log files and other sources of user activity to help detect when unauthorized users access or tamper with customer information.
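As an added example (not from the article or the vendor’s product), here is a small retention review in Python that applies the two-year non-use rule above: records unused for two years with no documented business-purpose hold go to the disposal list, while held records are kept but flagged for the periodic review. The record layout, the sample data and the 730-day approximation of two years are assumptions.

```python
# Added example: retention review helper for the Safeguards Rule's two-year disposal rule.
# Not from the original article; record layout and sample data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Two years of non-use, approximated as 730 days (assumption: leap days ignored)
RETENTION_LIMIT = timedelta(days=730)


@dataclass(frozen=True)
class CustomerRecord:
    record_id: str
    last_used: date                    # last use for a product or service to this customer
    hold_reason: Optional[str] = None  # documented legitimate business purpose for keeping it


def classify(record: CustomerRecord, today: date) -> str:
    """Return 'active', 'dispose', or 'hold_review' for one record."""
    if record.last_used > today:
        raise ValueError(f"{record.record_id}: last_used is in the future")
    unused_for = today - record.last_used
    if unused_for < RETENTION_LIMIT:
        return "active"        # still inside the two-year window
    if record.hold_reason:
        return "hold_review"   # kept under the business-purpose exception; must be re-justified
    return "dispose"           # unused for two years and no documented reason to keep it


def retention_review(records: List[CustomerRecord], today: date) -> Dict[str, List[str]]:
    """Group record ids by the action the periodic retention review should take."""
    result: Dict[str, List[str]] = {"active": [], "dispose": [], "hold_review": []}
    for rec in records:
        result[classify(rec, today)].append(rec.record_id)
    return result


# Constructed sample data for a review run on 2024-01-01
SAMPLE = [
    CustomerRecord("cust-001", date(2023, 3, 15)),                        # used recently
    CustomerRecord("cust-002", date(2021, 6, 1)),                         # stale, no hold
    CustomerRecord("cust-003", date(2020, 1, 1), "open billing dispute"), # stale, held
    CustomerRecord("cust-004", date(2022, 1, 1)),                         # exactly 730 days unused
]

if __name__ == "__main__":
    for action, ids in retention_review(SAMPLE, date(2024, 1, 1)).items():
        print(f"{action}: {ids}")
```

Whatever review frequency you choose, the hold_review list is the one that needs a human decision each cycle, since the rule leaves that frequency to the institution.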
The Role of Data Loss Prevention
The sweeping and specific changes introduced under the new GLBA Safeguards Rule help covered financial institutions strengthen their information security programs using proven principles of effective data security. While many robust security programs already include these practices, formalizing them into law helps to ultimately better protect individual privacy and security.
From payday lenders to mortgage brokers to higher education institutions participating in federal student financial aid programs, countless businesses and organizations need to comply with GLBA. But what can you do if your current information security program falls short of what’s required?
Data loss prevention (DLP) solutions ameliorate many of the challenges in addressing regulatory requirements. Endpoint Protector is an endpoint DLP that monitors and controls all exit points to ensure sensitive data doesn’t leave your network even when employees work remotely. Additional features include the ability to discover, encrypt and delete sensitive data as required by the updated Safeguards Rule.