The U.S. Federal Trade Commission (FTC) has updated its Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) to bolster data security measures for financial institutions. Effective from June 9, 2023, and fully enforced starting May 13, 2024, these amendments require institutions to develop comprehensive security programs to protect customer information and to report data security breaches.
These programs must encompass administrative, technical, and physical safeguards tailored to an institution's size, complexity, and the nature of its activities. The primary objectives are to ensure the security and confidentiality of customer information, protect the security of that information against threats or hazards, and prevent unauthorized access to that information.
Key terms to know
Before diving into the subject, let's familiarize ourselves with two key terms used throughout this blog post: the Gramm-Leach-Bliley Act and the Safeguards Rule.
The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to safeguard sensitive data and explain their information-sharing practices to their customers. It includes three key sections: The Financial Privacy Rule, the Pretexting Provisions, and the Safeguards Rule. This blog post will focus on this last section.
The Safeguards Rule is a regulatory framework that mandates financial institutions to implement comprehensive security measures for protecting customer data. Originally established in 2003, these guidelines were most recently updated on December 9, 2021. The amendments took effect on June 9, 2023, and additional amendments focused on “notification events” took effect on May 13, 2024.
What purpose does the Safeguards Rule serve?
The purpose of the Safeguards Rule is to ensure that financial institutions take proactive steps to protect customer information. With the rise in cyber threats, these measures are crucial for preventing data breaches, safeguarding consumer privacy, and maintaining the integrity of financial systems. Compliance with the rule helps build consumer trust and reduces the risk of financial and reputational damage.
Who needs to be compliant?
The GLBA broadly applies to all “financial institutions,” which include businesses that are “significantly engaged” in “financial activities,” as well as those providing services that facilitate financial operations for these institutions. The definition of financial “activity” is interpreted expansively—it covers not just banks, but also fintech companies, mortgage lenders and brokers, payday lenders, professional tax preparers, check-cashing businesses, collection agencies, non-federally insured credit unions, and real estate appraisers.
These security programs must be thorough and tailored to the organization’s size and complexity. Institutions with more than 5,000 customers must comply with all requirements of the Safeguards Rule, whereas smaller businesses with fewer than 5,000 customers have some exceptions within their information security management plans.
What are the GLBA-Safeguards Rule requirements?
Businesses covered by the GLBA-Safeguards Rule are required to develop a written, comprehensive information security program that encapsulates administrative, technical, and physical measures set to achieve the following objectives:
- Insure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The information security program should include the following elements:
- Designating a Qualified Individual: Appoint a person responsible for overseeing and implementing the security program.
- Conducting Risk Assessments: Identify and evaluate internal and external risks to the security, confidentiality, and integrity of customer information.
- Implementing Safeguards: Design and implement appropriate safeguards to control identified risks.
- Regularly Monitoring and Testing Safeguards: Continuously monitor the effectiveness of safeguards and conduct regular tests or audits.
- Training Staff: Provide security training for employees to ensure they understand and adhere to security practices.
- Monitoring Service Providers: Ensure that service providers maintain appropriate safeguards by including specific contractual obligations.
- Keeping Information Security Program Current: Continuously evaluate and adjust the security program to address new risks or changes in operations.
- Creating a Written Incident Response Plan: Develop and maintain a plan to respond to data breaches or security incidents.
- Reporting to the Board: Regularly report the status of the information security program and material matters related to it to the institution’s board of directors or governing body.
- Notifying the FTC: Notify the FTC in accordance with the notification requirement upon discovery of security breaches involving consumer information.
Why should businesses ensure compliance with the Safeguards Rule?
Non-compliance with the Safeguards Rule can lead to severe penalties, including fines and legal action, further compounded by potential damages to an institution's reputation and financial health. Penalties can include fines up to $100,000 per violation, $192 per lost record in restitution, and up to $10,000 per violation for officers and directors, along with criminal penalties of up to five years in prison and revocation of professional licenses. Additionally, non-compliance erodes customer trust and increases security vulnerabilities.
Examples of recent notable GLBA noncompliance cases include:
- Ascension Data and Analytics, LLC (2020): Settled with the FTC over insecure cloud storage of customer data.
- LightYear Dealer Technologies, LLC (2019): Settled with the FTC after failing to secure consumer data, leading to a breach affecting millions of customers.
- Equifax, Inc. (2019): Agreed to a settlement between $575 million and $700 million after allegations of network security failures.
How can Fingerprint help businesses comply with the Safeguards Rule?
Fingerprint’s device intelligence platform can help financial institutions comply with the Safeguards Rule without degrading the user experience with additional authentication challenges. Here’s how:
- Unauthorized access prevention: Fingerprint’s device fingerprinting technology adds an additional layer of security to user authentication, significantly reducing the risk of unauthorized access to customer information, which aligns with the Safeguards Rule's objective of protecting data against unauthorized access.
- Protecting against threats and hazards: Fingerprint helps detect and prevent fraudulent activities by recognizing patterns associated with malicious behavior. This proactive approach supports the requirement to protect against anticipated threats and hazards.
Key takeaways
The FTC’s updated Safeguards Rule is essential for enhancing data security within financial institutions, as well as in businesses providing services that facilitate financial operations for these institutions.
Leveraging advanced solutions like Fingerprint can help meet these compliance requirements. Sign up for a free 14-day trial to see how Fingerprint’s device intelligence platform can help your business protect customer information and maintain consumer trust without sacrificing user experience.