Institutions Subject to FTC’s Enacting Regulations to GLBA Must Implement Information Security Programs by June 9, 2023
On June 9, 2023, the Federal Trade Commission’s (FTC) updated regulations implementing the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule take effect. The updates impose more robust privacy and security requirements for customer information on financial institutions that are primarily regulated by the FTC. By that date, among other things, covered organizations must have implemented an information security program that incorporates nine specific elements.
Background & Impact of the Updated Regulations
The GLBA is one of the primary regulatory frameworks governing privacy and information security at the federal level. It specifically governs “Financial Institutions”, a term broadly defined to include any organization that is significantly engaged in financial activities. Organizations subject to the GLBA must comply with, among other provisions, the GLBA Safeguards Rule, which imposes requirements for protecting the privacy and security of customer information.
The GLBA empowers certain federal agencies to enforce the rule, including the Federal Reserve, NCUA, OCC, SEC, and FDIC. Where an organization is not subject to the regulatory authority of one of the agencies primarily tasked with enforcing the GLBA, enforcement authority is vested in the FTC.
The FTC’s authority has traditionally extended to organizations that would not ordinarily be thought of as financial institutions, including automotive dealerships that facilitate consumer financing, real estate brokers, and most postsecondary institutions (as well as third-party service providers and other organizations substantially involved in facilitating access to, or administering, the federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965). The updated requirements will be most impactful for organizations subject to the FTC’s authority under the GLBA.
While the FTC’s regulations implementing the Safeguards Rule have always imposed requirements for protecting customer information, those requirements were revised and expanded by amendments published on December 9, 2021. The effective date of the most significant of those changes was delayed until June 9, 2023, which is now around the corner.
The updated regulations require financial institutions to develop, implement, and maintain an information security program (a “Program”) that includes nine specific elements. These elements are the minimum requirements for a compliant Program; an organization’s Program must include controls addressing all nine before it can be compliant with the updated FTC regulations. The elements are:
- Designating a “qualified individual” to oversee the Program.
- Basing the Program on a written risk assessment that identifies internal and external risks to customer information and evaluates the safeguards in place to control those risks.
- Designing and implementing safeguards to control the risks identified in the risk assessment. Among other things, in most cases these safeguards should include:
  - encrypting customer information in transit over external networks and at rest;
  - requiring multi-factor authentication for any individual accessing an information system that holds customer information;
  - logging and monitoring the activity of authorized users in order to detect unauthorized access to, use of, or tampering with customer information; and
  - unless an exception applies, securely disposing of customer information “in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer.”
- Regularly testing and monitoring the effectiveness of the implemented safeguards. Absent effective continuous monitoring, this should include an annual penetration test and vulnerability assessments at least every six months.
- Implementing policies and procedures for personnel to carry out the Program, including, among other things, security awareness training.
- Overseeing service providers by, among other things, taking steps to select providers that are capable of safeguarding customer information and requiring them by contract to do so.
- Evaluating and adjusting the Program (e.g., in light of the results of testing and monitoring, or material changes to operations).
- If the organization maintains customer information on 5,000 or more consumers, establishing a written incident response plan.
- If the organization maintains customer information on 5,000 or more consumers, requiring the “qualified individual” to provide written reports, at least annually, to the organization’s board of directors (or equivalent governing body) regarding the status of the Program and material matters related to the Program.
As is clear from the above, the updated requirements now include both big-picture program elements and certain prescriptive “lowest-common-denominator” security controls (such as multi-factor authentication) whose absence may be low-hanging fruit for enforcement action.
Organizations Need to Get Prepared
Organizations subject to the FTC’s jurisdiction would be well served to prepare immediately, and in no event later than June 9, 2023, when the updated FTC implementation of the Safeguards Rule takes effect.
While all relevant organizations should already be working to confirm their compliance with the coming updates by June 9, 2023, an announcement issued by the Department of Education (DOE) last month has brought renewed focus on the pending deadline for postsecondary institutions. In its announcement, DOE signaled an intent to audit relevant institutions for GLBA compliance, with particular scrutiny, and a heightened probability of sanction, for organizations (including postsecondary institutions) that have experienced a data breach. Although the DOE is not one of the federal agencies specifically empowered to enforce the GLBA, it has stated that it expects covered organizations to comply with the GLBA and may refer non-compliant organizations to the FTC for further investigation. To avoid that attention, relevant organizations have a further incentive to ensure that their privacy and security programs are consistent with the updated requirements of the GLBA.
Regardless of industry, the first step for many organizations subject to the updated regulations will likely be inventorying and mapping all data in their control, so that any “customer information” can be readily identified as such and protected in accordance with the new regulations. The next step is developing and rolling out (or confirming the existence of) the nine-element Program.