The Gramm-Leach-Bliley Act (GLBA) aims to protect consumer financial privacy with three provisions: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions.
In our previous post, we covered the GLBA Financial Privacy Rule and what financial institutions, as defined by the GLBA, need to know to be compliant. Simply put, the Financial Privacy Rule requires financial institutions to notify customers about their privacy policies and to protect the confidentiality of customer data.
In this guide, we’ll break down the GLBA Safeguards Rule. If the Financial Privacy Rule covers the “what” — what customer information a financial institution needs to protect — the Safeguards Rule covers the “how.” This rule outlines what security measures a financial institution needs to take to keep nonpublic personal information (NPI) from falling into the wrong hands.
[Read more: GLBA Compliance Checklist: Keeping Financial Data Safe And Secure]
What is the GLBA Safeguards Rule?
First, let’s review the ins and outs of the GLBA Safeguards Rule.
The Safeguards Rule was established in 2003, setting forth the requirements of an information security program that financial institutions and others must implement to protect “non-public personal information” (NPPI). This original iteration had few specific requirements, allowing financial institutions to create their own system for protecting the security of customer data.
The Safeguards Rule has evolved over time, however, with a recent update in 2021 that’s more prescriptive than previous versions. The current Safeguards Rule contains specific requirements for information security, which we’ll outline below. In general, financial institutions and others subject to the GLBA are required to develop, implement, and maintain a written information security plan that has the appropriate safeguards for securing customer nonpublic personal information.
What is nonpublic personal information?
NPPI, or NPI, is “any personally identifiable financial information a customer provides to obtain a financial service or product.”
NPPI includes information such as Social Security numbers, credit card numbers, account balances, tax return information, and even dates of birth. It’s also worth noting that this type of information can be accessed by those outside the financial industry: higher education institutions, for instance. This level of access requires educational institutions to adhere to the Safeguards Rule.
2022 Updates to the GLBA Safeguards Rule
Changes to the GLBA Safeguards Rule came into effect in January 2022. These changes include the following.
- An expanded definition of “financial institution.” Financial institutions now include entities that engage in activities tangential or incidental to financial activities, including “finders” — defined as “companies that bring together buyers and sellers of a product or service.” These companies must comply with the Safeguards Rule.
- New information security program provisions. Designed to improve the accountability of infosec programs, the FTC now requires the designation of a specific individual to oversee and implement the security program. It also requires risk assessments and periodic reports to boards of directors or another governing body.
- Clear guidance on how to develop and implement an infosec program. These provisions outline specific recommendations, such as encrypting customer information, using multifactor authentication, and implementing the secure disposal of customer information.
- Provides exemption for certain financial institutions. Despite expanding the definition of “financial institution” as outlined above, the FTC now exempts financial institutions that have fewer than 5,000 customers from certain requirements.
In December 2022, more new provisions will impact GLBA compliance. These changes will come into effect on December 9, 2022.
- Organizations will be required to designate a “qualified individual”
- New, specific requirements for written risk assessments will be announced (Note: organizations are currently required to carry out risk assessments, but mandated criteria is not yet effective)
- New, specific requirements for the implementation of safeguards (e.g., multifactor authentication and encryption)
- A requirement to continuously monitor and conduct periodic pen testing on information systems; as well as guidance on periodic assessments for service providers
- Training and operational requirements for security personnel
- A requirement to establish a written incident response plan in the event of a data breach impacting NPPI
In other words, the GLBA Safeguards Rule is about to become a lot more directive over the next year. Impacted organizations can begin to prepare for this change by creating and implementing a GLBA checklist.
GLBA Safeguards Rule checklist
As the GLBA Safeguards Rule gets more specific, organizations can start building an information security management program with the following elements:
- One or more employees who are in charge of developing and coordinating the information security program
- A risk assessment that identifies risks to NPI in every area of the company; and, a way to evaluate existing safeguards to combat these risks
- An information security program that includes ways to regularly monitor and test the efficacy of your protections
- Regular employee data security training
In addition, financial institutions should work with service providers to maintain safeguards and ensure contracts requires partners to implement and regularly maintain these safeguards.
A good way to get ahead of the detailed security requirements coming later this year is to implement a data loss prevention (DLP) platform. These tools integrate into your cloud program and help your IT team monitor for data leaks.
Nightfall’s DLP uses machine learning to scan data with over 150 machine learning-based detectors, flagging instances when NPI is shared in potentially unsafe ways in platforms like Slack, GitHub, and Google Drive. Nightfall also offers the tools to quickly remediate security issues by notifying admins and quarantining or deleting data.
Check out our full GLBA Compliance Checklist to get a comprehensive list of everything you need to know to be compliant with the GLBA standard. And, learn how Nightfall can help achieve GLBA compliance by setting up a demo at the link below.