“Gramm-Leach-Bliley Act (GLBA): Security Requirements for Federal Finance Industry Regulators”
The GLBA was enacted in 1999 and pertains to financial regulation generally. However, one part of the Act requires federal regulators to set their own cybersecurity standards for the financial institutions under their purview. This section of the Act is commonly known as the “Safeguards Rule,” and each regulator has implemented it differently. The overarching mandate from the GLBA is as follows:
Federal agencies must enact administrative, technical, and physical safeguards:
- To ensure the security and confidentiality of customer records and information;
- To protect against any anticipated threats or hazards to the security or integrity of such records; and
- To protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
It is important to note that “customer records and information” refers only to “non-public personal information,” meaning personally identifiable financial information that is:
- Provided by a consumer to a financial institution,
- Resulting from any transaction with the customer or any service performed for the customer, or
- Otherwise obtained by the financial institution (a very broad category).
So, now you know the ultimate mandates of the GLBA, but as stated above, the actual standards each regulator has derived from that mandate vary (though not that much). I have stated the general standards for each below.
Several federal agencies have agreed to take the GLBA’s high-level mandate and create their own shared, less abstract guidelines, known as the Interagency Guidelines.
The agencies that have adopted the Interagency Guidelines are as follows:
- Office of the Comptroller of the Currency;
- The Federal Reserve Board;
- FDIC; and
- Office of Thrift Supervision (now defunct)
In broad strokes, the Interagency Guidelines mandate that the institutions under these agencies’ purview:
- Have a comprehensive written information security program;
- Involve the Board of Directors in instituting and managing the security program;
- Conduct risk assessments;
- Have controls in place to mitigate reasonably foreseeable risks; and
- Incorporate an incident response program (which includes notification) for sensitive information (which is specifically defined).
SEC Regulation S-P
SEC Regulation S-P is a little scary. What the SEC has chosen to do is follow the GLBA in very broad strokes and not specify many details.
What DO we know?
- The SEC has prioritized cybersecurity;
- The SEC is aggressive in enforcing this regulation;
- You need to have written policies and procedures that meet the GLBA’s amorphous standards…..it’s gray; and
- You probably need:
  - A routine risk assessment;
  - Encryption at rest;
  - Encryption in transit; and
  - An incident response plan.
FTC Safeguards Rule
Yes. The FTC again. These folks are persistent and motivated. And they, like the SEC, have adopted a fairly gray set of rules (but more detailed than the SEC’s).
Who do these rules apply to?
They apply to any financial institutions not regulated by another agency. These include consumer reporting agencies, credit retailers, and mortgage brokers.
Like the SEC, the FTC requires a written security program that satisfies the conditions of the GLBA. However, the FTC has further specified how these programs are to be implemented. Institutions must:
- Designate employees to coordinate the program;
- Conduct a risk assessment;
- Implement controls for the identified risks;
- Require service providers, by contract, to comply with the rules; and
- Regularly review policies and procedures.
But….remember that list is not really all of it. Remember that the FTC’s rule is very amorphous, and enforcement cases have shown that numerous standard cybersecurity controls not specifically mentioned in the rule are also required to meet the FTC mandate.
Privacy Rules and the GLBA
The above rules and standards dealt with the GLBA’s mandate to protect personal information, but the GLBA has another section, known as the Privacy Rule, that regulates whether and to what extent a financial institution may share personal information.
Generally speaking, the GLBA requires that financial institutions give consumers a) Notice, and b) Choice.
The Notice must consist of clear and conspicuous disclosure of the institution’s privacy practices, including the institution’s policy for disclosing personal information to 3rd parties, and other disclosures. This notice must be given at the time that the customer relationship is formed and every year after that. BUT. There is an exception….if the institution does not share information with 3rd parties the notice requirement does not apply.
The Choice part mandates that the institution must allow customers to choose whether their personal information may be shared with a 3rd party for purposes other than providing services for the institution itself (e.g., selling personal information to other companies to use for cold calls). However, the institution does NOT need to provide an opportunity to “opt out” if the personal information will be disclosed to a 3rd party solely for the purpose of providing services for the institution itself.
So the key takeaways for this month’s blog post are that if you are a financial institution, a) MAKE SURE YOU HAVE WRITTEN POLICIES AND PROCEDURES IN PLACE, b) make sure you perform risk assessments, c) make sure you have an incident response program, d) make sure you are encrypting personal information in transit and at rest, e) make sure you have all the standard technical controls one would expect a company to have, and f) make sure you are constantly reviewing and updating your security program….Also, don’t forget that a federal regulator can bring an enforcement action even if there hasn’t been any security breach.