Omega Computer Services


Understanding the Proposed Changes to the Safeguards Rule and Who it Affects


GLBA (the Gramm-Leach-Bliley Act), also known as the Financial Services Modernization Act, might be getting some changes to better protect consumers and provide more certainty for businesses. GLBA outlines the regulations financial institutions must follow to protect the privacy and security of the customer data in their control. Under it are two rules: the Privacy Rule and the Safeguards Rule.

 

The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program.

 

The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and to allow customers to opt out of having their information shared with certain third parties.

 

With the increase in cyberattacks and breaches, consumer data needs more protection. As a result, there are talks about changing the Safeguards Rule to better protect consumers and their PII (personal identifying information). The proposed changes include:


1. Adding more specific requirements for how financial institutions develop and implement an information security program.

2. Adding provisions to increase the accountability of financial institutions’ information security programs.

3. Exempting small businesses from certain requirements.

4. Expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. (See more on this in the paragraph below.)

5. Adding the definition of “financial institution” and related examples to the Rule itself rather than relying on a cross-reference to a related FTC rule.

 

More on the proposed changes here.



There has been confusion as to which companies qualify under this rule. Under the Safeguards Rule, a “financial institution” is defined as any institution or business that engages in financial activities as defined by the Bank Holding Company Act. This means the rule applies to companies offering consumers financial products or services such as loans, financial or investment advice, or insurance. It also includes activities that are incidental or related to banking or lending, for example the activities of third-party collections agencies or credit reporting agencies.


Quick Look: You fall under the “financial institution” rule if you are one of the following:

· Insurance company

· Payday lender

· Mortgage broker

· Solicitor

· College/University

· Company that deals with loans, deposits, investments, or currency exchange

 

Entities that maintain information on fewer than 5,000 customers are exempt from some requirements, such as:

· Written risk assessment

· Continuous monitoring or penetration testing/vulnerability assessment

· Written incident response plan

· Annual reporting to the governing board



The simple answer: protecting you. The reason for the additions to the Safeguards Rule is to better protect consumer data. With the increase in cyberattacks and data breaches, PII is being exposed more now than ever, putting many consumers at risk. Currently, the Safeguards Rule is very flexible and doesn’t explicitly state who is considered a financial institution or what they must do to comply. The updates to the rule will clarify who must follow it and what they must do.



At the time of writing, the changes to the Safeguards Rule have not gone into effect. If and when they are approved, covered entities will have 6 months from the effective date to come into compliance with the new regulations.

Need help with compliance?

