Gramm-Leach-Bliley Act Updates Take Effect Soon

On November 15, 2022, the Federal Trade Commission (FTC) announced it would delay the compliance deadline for certain provisions of its updated Safeguards Rule (Rule) to June 9, 2023.

The Rule, which was mandated under the 1999 Gramm-Leach-Bliley Act, “requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.”

The Rule has been amended several times since its creation, and the most recent round, approved by the FTC on October 27, 2021 would update the Rule to “include more specific criteria for what safeguards financial institutions must implement as part of their information security program such as limiting who can access consumer data and using encryption to secure the data.”

According to Reuters, these amendments “seek to enforce a more prescriptive Safeguards Rule,” an acknowledgement of sorts by the FTC “that comprehensive information security programs must account for the size and complexity of users/organizations, nature and scope of the activities, and sensitivity of any customer information.”

Many provisions of the amendments were effective within 30 days after being published in the Federal Register, while the below-outlined sections were set to go into effect on December 9, 2022. The FTC is now extending the effective date of these sections due to a reported “shortage of qualified personnel to implement information security programs and that supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems.”

FTC Commissioner Christine S. Wilson also stated that this extension was necessary, “[d]espite assurances that financial institutions were already implementing many of the requirements of the amended rule or had sophisticated compliance programs that could easily adopt and pivot to address new obligations,” due to the economic impact and burden that the proposed changes may have caused the covered institutions.

By the new June 9, 2023 effective date, financial institutions must develop an information security program that:

• Designates a qualified individual to oversee, implement, and enforce their information security program and—if an institution or service provider maintains the personal information of 5,000 or more consumers—will report on the program regularly, and at least annually, to the governing persons in the organization

• Develops a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of consumer information that could result in the unauthorized access of this information and assesses the company’s established safeguards to control these risks

• Addresses how an institution will ensure that the information systems of their service providers are sufficient, such as conducting periodic assessments of the security practices of these service providers

• Establishes a process for evaluating and updating the information security program, as needed

• Requires the development of an incident response plan, if an institution or service provider maintains the personal information of 5,000 or more consumers.

The FTC advised in their announcement that the best way for financial institutions to prepare for these amendments to go into effect is to take action now to comply by considering your company’s current information security practices, including, but not limited to which employees can access a consumer’s sensitive information, whether or not sensitive information collected and stored in your system is encrypted, and whether your organization requires multi-factor authentication to access sensitive information. And, if your organization’s practices are not sufficient to comply with these updates, updating these practices, as needed, and training employees to ensure compliance is achieved.

Considering the basis for the delay, covered financial institutions should begin their compliance efforts with the amended Rule as these types of changes often require an institution to expel significant effort and resources.

* * * * * * *

To read our news alerts discussing: The Trans-Atlantic Privacy Framework’s progress, the Deputy Attorney General’s comments on TikTok, a new whitepaper on healthcare data privacy, and changes to the CFPB’s legal structure, click here.

This week’s breach report covers breaches of the following companies: Activision, Tom James Company, Eureka Casino Resort, O’Neal Industries, Inc., CentraState, Pepsi, Bottling Ventures, GoDaddy, and Atlassian. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

We will release Episode 87 on Wednesday. Our guest is Heather West, Silicon Valley rock star and Senior Director of Cybersecurity Services at Venable LLP.  We explore artificial intelligence (AI) and chatbots, such as ChatGPT, and discuss what these technologies can do, who will be early adopters and beneficiaries of AI, whether articles or answers generated by AI can be trusted, and look at some of the privacy and security risks associated with AI. 

Our most recently released episodes:

86 | Using Tools to Help Manage Incident Response (with guest Lauren Wallace)

85 | How Incident Response Has Changed (with guest Violet Sullivan)

84 | Internet Archive Project Related to Russia’s War with Ukraine (with guest Mark Graham)

To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.