Understanding GLBA Compliance Requirements: How You Should Prepare for the June Deadline
On November 5, 2022, the Federal Trade Commission (FTC) extended the deadline to comply with the updated GLBA to June 9, 2023. Does this affect your business? And if so, what do you need to do to become compliant? Keep reading to find out.
What Is GLBA Compliance?
A federal law passed in 1999, the GLBA refers to the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act. Essentially, it governs how financial institutions handle their customers’ private information. As the FTC offers a broad definition of what counts as a “financial institution,” your business just might qualify.
When Was the GLBA Updated?
In 2021, the FTC updated the Standards for Safeguarding Customer Information section (Safeguards Rule for short) of the GLBA. This rule primarily helps protect customer information. It was added in 2003 but updated to keep up with current technology.
Who Does the Updated GLBA Regulations Apply to?
The Safeguards Rule applies to any financial institutions within FTC jurisdiction that aren’t subject to enforcement authority by another regulator under section 505 of the GLBA. The FTC defines a financial institution as any entity engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.”
To give you a better idea of what kinds of entities fall into this broad category, the FTC provides the following non-exhaustive list of examples: “businesses like mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.”
Maintaining your technology framework is challenging when you have other business objectives to pursue. CTMS specializes in IT consulting, helping you stay compliant and secure.
Why Was the Updated GLBA Compliance Deadline Extended?
The FTC extended the updated GLBA compliance deadline in response to a request by the Deputy Chief Counsel of the U.S. Small Business Administration (SBA). It asked for an extension due to personnel shortages and supply chain issues that would make it difficult for many firms to comply with the updated GBLA by the original December 9, 2022 deadline. The FTC met them halfway and settled for a six-month extension (June 9, 2023) instead.
What Exactly Changed in the GLBA?
As mentioned, the changes primarily affected the Safeguards rule. You may read the rule in full on the FTC website, but the June extension applies specifically to the following provisions:
- Designate a qualified person to oversee their information security program
- Develop a written risk assessment
- Limit and monitor who can access sensitive customer information
- Encrypt all sensitive information
- Train security personnel
- Develop an incident response plan
- Periodically assess the security practices of service providers
- Implement multi-factor authentication or another method with equivalent protection for anyone who accesses customer information
What to Do Between Now and June to Become GLBA-compliant
Though you still have a few months to meet the June deadline, you shouldn’t put it off. Compliance may require significant investment in staff and technology on your part. Furthermore, failure to comply by the deadline could result in significant fines and penalties, and damage your company’s reputation. It’s preferable to err on the side of caution.
The first step is to determine whether your business qualifies as a financial institution under the FTC’s definition above. If your firm meets the definition, you need to start developing an information security program to:
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to the security or integration of that information
- Protect against unauthorized access to that information which could result in substantial harm or inconvenience to any customer
Here are nine things you must do to achieve GLBA compliance:
- Designate a Qualified Individual to implement and supervise your company’s information security program. Even if you outsource the role to a third-party provider, the overseer ensures the responsibility to comply with GLBA falls on your company.
- Conduct a risk assessment. This includes making a complete inventory of customer data and uncovering potential security threats to that data. The written assessment must be performed regularly to keep up with changes in your organization and new threats.
- Design and implement safeguards to control the risks identified through your assessment. They should include:
- Implementing and periodically reviewing access controls
- Knowing what customer data you have and where it’s stored
- Encrypting customer data when it’s in transit
- Assessing your apps
- Implementing multi-factor authentication (MFA)
- Disposing of customer data safely
- Anticipating and evaluating changes to your information system or network
- Maintaining a log of authorized user activity
- Regularly monitor and test the effectiveness of your safeguards. This can involve continuous monitoring of your information system or penetration testing and vulnerability assessments.
- Train your staff. Organize regular training sessions to keep staff up to date on best cybersecurity practices and GLBA standards.
- Monitor your service providers. Only hire reputable providers and make sure they maintain GLBA standards.
- Keep your information security program current. Technology constantly changes, so your information security program must adapt. Make sure it addresses current cyberthreats and risks.
- Create a written incident response plan. If a cyber-incident occurs, your staff should know exactly what to do. An incident response plan should cover goals, processes, roles, communication channels, and more.
- Require your Qualified Individual to report to your Board of Directors. They should report at least once annually. Among other things, their report should cover risk assessments, decisions, results, and recommendations.
Partner With CTMS to Become GLBA-Compliant
As you can see, you may have to do a lot to maintain compliance with the updated GLBA. If you’re struggling to meet the June deadline, CTMS can help. Contact us today to learn more about our managed IT services, and we’ll help get you GLBA-compliant in no time!
Share This Post
Computer Technology Management Services (CTMS) supports organizations nationwide with high-quality, customizable business IT tools and cybersecurity strategies for dealerships and more.