The Gramm-Leach-Bliley Act (GLBA) was enacted to modernize the financial industry. One component of the GLBA establishes Standards for Safeguarding Customer Information (the Safeguards Rule). In 2021, the Safeguards Rule was amended in several respects, which broadened the scope of traditionally understood covered financial institutions and increased data security obligations of such covered financial institutions. The Amendments became effective on June 9, 2023, and below are the most critical elements of what business owners need to know.

Covered Financial Institutions

The definition of a financial institution subject to the requirements of the GLBA is quite broad. “Financial institution” means “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956. An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”

After public comment, the FTC issued guidance, adding “finders,” or those that bring together buyers and sellers of a product or service, to the enumerated examples of covered financial institutions. “Finders” are the most recent addition to other statutory examples, which include, but are not limited to: (a) personal property or real estate appraisers, (b) accountants or tax preparers, (c) an entity offering real estate settlement services, (d) mortgage brokers, (e) investment advisors, (f) retail businesses extending credit, and (g) traditional banking functions.

Data Security Obligations

Under the new Amendments, covered financial institutions must develop, implement and maintain an information security program in compliance with certain standards set forth in the Safeguards Rule. The key updates include:

    (a)    Qualified Individual. Financial institutions must designate a qualified individual who is responsible for overseeing and implementing the information security program.

    (b)    Risk Assessments. Financial institutions must conduct written risk assessments, which includes (i) establishing criteria for evaluation and categorization of data security threats, (ii) assessing internal quality controls and (iii) using assessment findings to improve the information security program. There are also more robust requirements if an institution maintains consumer information concerning 5,000 or more consumers (whether present consumers or those subject to data retention).

   (c)    Implementation of Safeguards. Financial institutions must design and implement safeguards to control any identified risks through its risk assessment, including implementation of multi-factor authentication, encryption, limitations of access and logging user activity.

   (d)    Monitoring. Financial institutions must regularly test and monitor the effectiveness of implemented safeguards. There are also more involved requirements if an institution maintains consumer information concerning 5,000 or more consumers (whether present consumers or those subject to data retention), including continuous monitoring and periodic penetration testing of information security systems.

    (e)    Training. All personnel must receive appropriate security awareness training, be given security updates, and key information security personnel must take steps to maintain current knowledge of changing information security threats.

     (f)    Analyze Service Provider Risks. Financial institutions must oversee service providers and take reasonable steps to select those that are capable of maintaining appropriate safeguards, require service providers by contract to implement and maintain such safeguards and periodically assess service providers based on the risk they present and the adequacy of their safeguards.

    (g)    Written Incident Response Plan (WISP). Financial institutions must establish a WISP that is appropriately tailored to the size and needs of the business and the WISP must be designed to promptly respond to, and recover from, any security incident, such as unauthorized access to consumer information or personally identifiable information.

Risks of Noncompliance

At a time when the costs of unauthorized data breaches are on the rise, there are also substantial monetary and non-monetary risks if a financial institution fails to comply with the Safeguards Rule. Such risks include civil penalties that are imposed by the FTC on a per diem basis until the violation(s) is/are cured, FTC enforcement actions, investigations and audits of business records and reputational harm.