The importance of consumer financial privacy drove Congress to enact the Gramm-Leach-Bliley Act (“GLBA”) in 1999. The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. The GLBA imposed both the Privacy Rule (customer notification requirements) and the Safeguards Rule (standards for safeguarding certain information) on financial institutions. The original Safeguards Rule (16 CFR part 314) became effective on May 23, 2003, and the FTC has administered the Safeguards Rule ever since.
Under the new, revised Safeguards Rule the definition of “financial institutions” has been broadened to focus on business activities that are financial in nature. Moreover, “nonpublic personal information” now covers records about any customer who provides such information to the covered business, whether in paper, electronic, or other form, that are handled or maintained by or on behalf of the business or its affiliates. Additionally, the Safeguards Rule identifies nine elements that a covered business’s information security program must include:
- Designate a qualified individual responsible for overseeing, implementing, and enforcing the financial institution’s information security program. Qualifications will depend upon the size and complexity of the financial institution’s information system and the volume and sensitivity of the customer information that the financial institution possesses or processes.
- Conduct and continuously monitor systems and data inventories.
- Protect by encryption all customer information that is held by the financial institution, both in transit over external networks and at rest.
- Implement multi-factor authentication (MFA) for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution.
- Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates.
- Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
- Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information that is in the control of the financial institution.
- Regularly test, or otherwise monitor, the effectiveness of the safeguards’ key controls, systems, and procedures, including those used to detect actual and attempted attacks on, or intrusions into, information systems. Covered financial institutions are required to conduct penetration testing annually and vulnerability assessments at least every six months.
- Oversee service providers by periodically assessing them based on the risk they present and the continued adequacy of their safeguards.
The revised Safeguards Rule has some limits. First, the Safeguards Rule applies only to financial transactions “for personal, family, or household purposes.” Second, the Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 customers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors. Lastly, key provisions, including the appointment of a qualified individual and conducting a written risk assessment, do not become effective until December 9, 2022.
The FTC’s strengthening of financial privacy protections is part of a larger societal and governmental awakening to the need for greater information privacy and security protections. This revision, among other changes, is a signal to all businesses that use nonpublic personal information to begin to assemble their data teams, including privacy counsel, to assess their data governance requirements and cybersecurity hygiene.