
FTC Proposes Additional Requirements to GLBA Safeguards Rule

In March, the FTC published a notice of proposed rule-making requesting public comment on the addition of specific policy, process and technical requirements to the Gramm-Leach-Bliley (‘GLBA’) Safeguards Rule (the ‘Rule’).

The comment period was extended once, and expired on August 2nd, so now we await publication of the final rule. Many of the requirements would take effect six months from the final rule’s effective date.

The Rule has been in place since 2003 and implements the GLBA’s requirement that financial institutions develop and maintain a comprehensive information security program to protect consumer personal and financial information. In its current form, the Rule permits financial institutions to take a flexible approach to implementation that takes into account the size and complexity of the institution, the scope of services offered, and the sensitivity of the consumer information held.

The proposed rule-making adds specific requirements that would apply in any security program implementation, some of which are similar to the requirements imposed on state-licensed or supervised financial institutions by the New York Department of Financial Services cybersecurity regulations, the final portion of which took effect earlier this year. The requirements could add to the administrative burden for covered entities that currently use other or less detailed controls to meet current privacy requirements. Among the proposed specific requirements are the following:

  • Designation of a single individual to be responsible for overseeing and implementing the program
  • A written risk assessment that details how the program will mitigate identified risks, together with system access controls and physical security controls
  • Secure disposal of consumer information no longer needed (secure shred bins for paper files, business record destruction policy for records in all formats)
  • Encryption of consumer information, both in transit and at rest
  • Multi-factor authentication of users before granting access to financial institution systems
  • Incident response plan, including audit trail of investigation and response to incidents
  • Change management policy and procedure and secure development practices for internally-developed applications and software
  • Continuous monitoring and regular testing of systems, controls and procedures, appropriate training and education for employees and use of qualified security personnel
  • Periodic assessment of service providers based on their security risk
  • Reporting at least annually to the financial institution’s board of directors on issues related to the program

Very small financial institutions holding information on fewer than five thousand consumers would be exempt from the risk assessment, continuous monitoring, incident response plan and board-of-directors reporting requirements.


In this blog post concerning legal and regulatory matters of interest to the mortgage industry, Sandler Law Group (SLG) provides general information and industry observations that are not motivated by or concerned with a particular past occurrence or event, or a specific existing legal problem of which SLG is aware. Nothing published herein is intended to constitute legal advice and the use of the blog post by a reader shall not give rise to an attorney-client relationship with SLG. SLG expressly disclaims any representation of accuracy or reliability as to the content of this blog post, as well as any obligation to maintain such content over time or to ensure it is free from errors. Brad Cope is the attorney responsible for the SLG content of this blog post. The attorneys of SLG are not certified by the Texas Board of Legal Specialization. 
