The December 2021 amendment to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule has prompted organizations to take a range of actions, from simply making small tweaks to their infosec programs, to frantically building one from scratch. Regardless of where your organization falls on the scale, it’s helpful to have a definitive list of action items you can review to help ensure you’re in the clear by the deadline.
A checklist, maybe?
Keep reading to learn more about changes to the Safeguards Rule, and what boxes your organization can check off to comply.
The Safeguards Rule (known fully as “Standards for Safeguarding Customer Information”) is one of three major guidelines that comprise the Federal Trade Commissions’s GLBA. It mandates organizations defined as “financial institutions” to implement safeguards that prepare and protect customer data from breaches and security incidents. Customer data in this case is defined as any nonpublic personal information a customer gives to an organization.
In December 2021, the FTC released “The Final Rule,” an amendment to the Safeguards Rule that encompasses a variety of changes, including an expansion of the FTC’s jurisdiction and specific requirements for executing an information security program. Specifically, the amendment changed the definition of “financial institution” to specify the types of businesses that must comply, including:
And, they added a new category of businesses that must comply, described generally as “finders.”
The purpose of new changes to the FTC Safeguards Rule is to maintain protection of customer data in a world with increasingly sophisticated cyber attacks. The original Safeguards Rule was released in 2003—since then, advancements in tech and public comment have persuaded the FTC to mandate appropriate safeguards for the year 2022.
The Final Rule also lists out reasonable steps that a financial institution’s information security program can take to build out digital and physical safeguards for data. We’ve simplified them, and assembled them here in a checklist for you.
You can read the full FTC Safeguards Rule text here, but to make sense of it, we’ve broken the requirements up into four buckets: accountability, risk management, personnel management, and data security.
In the new Safeguards Rule update, the FTC stresses that financial institutions should create internal processes of accountability to 1) ensure there is always a cybersecurity advocate focused on running the information security program and 2) to track down and properly investigate the source of risks or breaches.
This person can be anyone in the organization with the knowledge and experience it takes to manage an infosec program.
As new tech is introduced to your company, ensure it’s fully vetted for security, and constantly implement and reevaluate security practices as business changes and technology advances.
Breaches can happen through the vulnerability of a service provider — and if they have access to your systems or data, their breach is, by extension, your breach. Ensure your providers have the ability to securely partner with you, and continually monitor them.
The FTC requires that qualified individuals report to their company’s board of directors at least once a year on the overall status of the information security program, and “material matters” such as the findings of risk assessments, service provider dealings, detailed accounts of security events, and future recommendations.
Hackers’ tactics are always changing. You will need to change with them, to ensure they don’t outsmart you as time goes on.
Organizations should be vigilant about predicting and preparing for risk within their information systems. The risk management bucket focuses on having written documentation on the ways your organization is vulnerable to attacks and preparing an organized response in the case of a breach.
This should include taking inventory of your data and where it’s being stored. Then, assess your organization's threats and risks; this should be an evaluation of any internal or external security risks that could compromise the security, confidentiality, or integrity of customer information. Then write down your findings, including the criteria you used to conduct the assessment.
In addition to your initial risk assessment, the FTC requires you to periodically assess your organization for risks as threats evolve. Specific requirements include annual penetration testing, and vulnerability assessments twice a year. The FTC also provides the option for continuous monitoring, meaning that companies can opt to implement a system of consistent or live penetration/vulnerability assessments. Organizations can choose one option or implement both.
Outline exactly how your organization should spring into action in response to identified risks. This should include a list of goals, roles and responsibilities, processes and procedures for beginning and commencing work, and a post-mortem to identify lessons learned.
It takes a village to implement a strong infosec program—and the FTC makes this very clear with their directives on managing people, managing access controls, and monitoring activity.
Know who is accessing customer data, and enact a system to alert you about users’ unauthorized access.
Train both your general staff and your infosec staff on required on such safeguards and security practices developed in your program. Update your training program as needed.
Designate who has access to what data, for what reason, and for how long. Then, revisit access controls often to ensure that only authorized individuals have access to data.
It all comes down to the data. The FTC outlines specific methods for organizing, monitoring, and protecting data based on modern industry standards.
Keep a log of what data you have, what systems, devices, platforms, and people it makes contact with. Make sure you’re always updating it.
Make sure you’re conducting assessments on apps you use or create within your organization. They should be held to comparable security standards as your business.
Multi-factor authentication is verifying the identity of a user using at least two identification factors, including a knowledge factor, a possession factor, and an inherence factor.
Unless there’s a business or legal need for your organization to hang on to customer information, the law requires it to be destroyed to protect the privacy of your customers.
Encryption is an industry-standard method of data protection; and when it comes to encrypting your data inside and outside of your organization, you want to make sure you deploy a service that your staff can easily adapt to, and use on a daily basis.
Virtru encrypts your data on a granular level using the Trusted Data Format, an open standard of security that empowers data owners with unmatched levels of control and oversight. From email to file sharing to app integrations to gateway protections, Virtru is the “easy button” to encrypt your data wherever it goes, and wherever it lands.
With Virtru, data owners maintain complete control and power over their data, including the ability to revoke or grant access, apply watermarks, disable forwarding, and easily view activity logs for any data from an email to a file to a message sent from a SaaS app. Or, establish an encrypted safety net for all customer data with the Virtru gateway or Data Loss Prevention rules.
Dealerships and other FTC “financial institutions” meet GBLA Safeguards requirements using Virtru data protection. Book a demo today to see how Virtru can help you reach compliance by December.
Here’s one for the road—download our handy checklist for free.