What companies need to know about proposed changes to the Gramm-Leach-Bliley Act
Introduction: What is the Gramm-Leach-Bliley Act (GLBA)?
Also called the Financial Modernization Act of 1999, GLBA governs the way in which financial institutions must prevent the disclosure of consumer nonpublic personal information (NPI). The regulation outlines its requirements in three rules:
- The Financial Privacy Rule (“Privacy Rule”): Requires information-sharing practices disclosures
- The Safeguards Rule: Requires implementation of security programs to protect data
- Pretexting Protection: Prohibits obtaining private information under false pretenses
Additionally, GLBA requires that financial institutions provide a way for consumers to opt out of data sharing.
Who must comply with GLBA?
GLBA applies to organizations classified as “financial institutions.” The regulation defines a financial institution as any business engaging in activities that are “financial in nature” or incidental to financial activities. Specifically, these types of organizations include:
- Banks
- Credit unions
- Investment companies
- Security brokers and dealer
- Insurance underwriters and agents
- Finance companies
- Mortgage brokers
- Travel agencies
However, GLBA’s reach has expanded over the years as more types of organizations manage consumer personally identifiable information (PII). For example, colleges and universities collect student information for financial aid and payroll purposes. Additionally, healthcare providers collect PII for billing purposes which creates an overlap between GLBA and the Health Insurance Portability and Accountability Act (HIPAA).
What are the potential fines for non-compliance?
Although an older regulation, GLBA could be considered a trailblazer when it comes to stringent penalties. Organizations that fail to comply with GLBA risk facing significant fines and penalties:
- Civil penalties against the organization up to $100,000 per violation
- Personal liability civil penalties against officers and directors up to $10,000 per violation
- Fines against officers, directors and the institution under Title 18 of the United States Code
- Imprisonment for up to five years
With consumers adopting new technologies, companies find themselves in the GLBA spotlight. In 2018, PayPal and the FTC reached a settlement over the allegations that PayPal’s Venmo peer-to-peer payment service did not adequately inform users about how to keep transaction information private, thus violating GLBA’s privacy and security requirements. PayPal and Venmo were required to provide specific privacy disclosures alerting users how transaction information would be shared and how to use settings that limit or restrict transaction visibility. Additionally, the settlement required PayPal and Venmo to undergo additional compliance audits and reporting.
What are the recent changes to GLBA?
In April 2019, the Federal Trade Commission solicited public comment on proposed changes to the Privacy Rule and the Safeguards Rule As the Dodd-Frank Act limited the FTC’s enforcement capabilities under the Privacy Rule, the proposed changes to the Safeguards Rule seek to incorporate the intent of the Privacy Rule back into the FTC’s purview. In May, the FTC extended the Safeguards Rule comment period from June 2019 to August 2019, which means that the changes will likely be announced some time in 2020.
Proposed amendment to purpose and scope
The FTC proposed rule seeks to change the Safeguards Rule to reflect a general definition of financial institution — mostly from the Privacy Rule, which the Dodd-Frank Act limited to only a small set of automobile dealers.
Proposed amendment to definitions
The proposed amendment looks to change the definition of the terms authorized user, security event, encryption, financial institution, information system, multi-factor authentication and penetration testing.
The changes reflect an intent to respond to changing technologies as well as expand the Safeguards Rule to incorporate the Privacy Rule’s initial purpose.
Proposed amendment to standards for safeguarding customer information
The FTC seeks to change the requirement that financial institutions put “safeguards” in place by using the term “information security program.”
Proposed amendments to elements
These changes seek to address the way in which organizations need to protect data as a result of increased consumer technology adoption. Many of these changes will align GLBA to other information security standards and regulations.
Responsible party
The proposed rule will require the designation of a single qualified individual to oversee, implement, and enforce the information security program. The individual can be an organization employee, affiliate employee, or service provider. In cases where the organization uses a service provider, the financial institution will still be responsible for compliance, need to designate a senior personnel member to oversee the service provider, and require the service provider to maintain the information security program in accordance with the rule.
Risk assessment
The proposed rule intends to solidify and enforce the organization’s need to base its information security program on a risk assessment and emphasize that requirement. It will also formalize the risk assessment process, requiring organizations to document the process, criteria, risk tolerance decisions, and controls used to mitigate risk. Finally, it will add a periodic reassessment requirement.
Control decisions
Although the FTC notes that most financial institutions currently follow best practices, the proposed changes detail requirements to provide clarification. The proposed requirements include:
- Access controls
- Authentication and authorization controls
- Inventories that identify and manage data, personnel, devices, system and facilities
- Physical location access restriction
- Encryption of all customer data
- Secure development practices for in-house developed applications that transmit, access or store customer information
- Implement multi-factor authentication
- Establishment of audit trails that detect compromises or attempted compromises to information systems
- Secure data disposal procedures
- Change management procedures
- Monitoring to detect authorized user activities or unauthorized data access, use or changes
Monitoring
The proposed changes require the adoption of continuous monitoring for real-time threat intelligence. In the event an organization cannot adopt effective continuous monitoring, it needs to engage in annual penetration testing and biannual vulnerability assessments.
Training
The proposed rule highlights the importance of employee training to create a culture of security. Training would need to highlight risks to customer information and financial institution policies. Additionally, they are required to use qualified information security personnel for the training who can either be employees, affiliate employees or service providers. Finally, it requires financial institutions to provide information security personnel the necessary resources to address emerging risks and maintain current cybersecurity countermeasure knowledge.
Third-party risk monitoring
The current iteration of GLBA only requires vendor due diligence at onboarding, but the proposed rule will require it as on an ongoing basis. The oversight requirements will require organizations to investigate alerts about potential weaknesses in the supply chain and to conduct periodic assessments.
Incident response planning
Under the proposed rule, must be designed to respond to and recover from any security event that materially impacts the customer data confidentiality, integrity, or availability. Financial institutions would be required to:
- Establish incident response plan goals
- Define roles/responsibilities
- Formalize internal/external communication paths
- Identify remediation steps, establish documentation and reporting for security events
- Formalize the evaluation and revision of the incident response plan post-event
Reporting
According to the proposed rule, the person responsible for the organization’s information security program will need to report to the Board of Directors or other governing body. The report will need to include:
- The information security program’s status and compliance with the Safeguards Rule
- List material matters related to the information security plan
- Address issues such as risk assessment, risk management, service provider arrangement, testing results, security events and violations
- Suggest recommendations for changes to the information security program
Conclusion: Managing updates to GLBA
Most financial institutions likely incorporate the requirements set forth in the proposed rule. At their core, they align GLBA with other mission-critical IT regulatory requirements such as those set out by the FFIEC, the FDIC, the Federal Reserve Bank and the National Credit Union. The FTC indicates in its preamble that the proposed rule intends to clarify GLBA’s otherwise vague requirements while also offering businesses flexibility in managing their controls.
At the core of any compliance program, however, lie the people who use the technology. Based on the discussion in the Federal Register, the FTC seeks to reinforce the importance of creating a cyber-aware workforce. As financial institutions brace themselves for the inevitable regulatory changes that 2020 brings, ensuring security by focusing on the human element rather than just the technology is the most proactive risk mitigation strategy a company can establish.
Sources
- VIII. Privacy — GLBA, fdic.gov
- Privacy Law Basics: Don’t be Glib! Gramm-Leach Bliley Act (GLBA), Faruki
- PayPal Settles FTC Charges that Venmo Failed to Disclose Information to Consumers About the Ability to Transfer Funds and Privacy Settings; Violated Gramm-Leach-Bliley Act, Federal Trade Commission
- 16 CFR Part 313: Privacy of Consumer Financial Information Rule under the Gramm-Leach-Bliley Act, Federal Trade Commission
- Standards for Safeguarding Customer Information, Federal Register