February 7, 2022
Good afternoon, everyone!
Special GLBA Update for the financial services industry
The Gramm-Leach-Bliley act (GLBA), also known as the Financial Services Modernization Act of 1999, applies to all financial institutions, which are defined in Section 313.3(k) of the GLB Privacy Rule and the Financial Activities Regulations as follows: [edited for brevity]
(k)(1) Financial institution means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An institution that is significantly engaged in financial activities is a financial institution.
(2) Examples of financial institution.
(i) A retailer that extends credit by issuing its own credit card directly to consumers
(ii) A personal property or real estate appraiser
(iii) An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
(iv) A career counselor that specializes in providing career counseling services to individuals [associated with] a financial organization
(v) A business that prints and sells checks for consumers
(vi) A business that regularly wires money to and from consumers
(vii) A check cashing business
(viii) An accountant or other tax preparation service that is in the business of completing income tax returns
(ix) A business that operates a travel agency in connection with financial services
(x) An entity that provides real estate settlement services
(xi) A mortgage broker is a financial institution
(xii) An investment advisory company and a credit counseling service are each financial institutions
Anyone who falls into any of these categories needs to be aware of the significant changes made to the Safeguards Rule in December.
Part 314 of the Code of Federal Regulations implements those sections of GLBA relating to information security. The specific requirements have been greatly expanded. Some of them are current requirements as of January 9, 2022, while the remainder have to be in place by December 9, 2022. Three of the provisions do not apply to "financial institutions that collect information on fewer than 5,000 consumers" but the provisions summarized below apply to all financial institutions, regardless of size:
(a) Designate a qualified individual responsible for overseeing, implementing and enforcing your information security program.
(b) Base your information security program on a risk assessment, and periodically conduct additional assessments.
(c) Design and implement safeguards to control the risks you have identified. Note: specific safeguards that are now required include encryption of customer data both in transit and at rest, multi-factor authentication for any individual accessing customer information, change management procedures, monitoring & logging of user activity (among others).
(d) Regularly test or otherwise monitor the effectiveness of your safeguard controls, including intrusion prevention & intrusion detection systems.
(e) Implement policies and procedures including security awareness training for employees, using qualified information security personnel to perform or oversee your program and verify that they maintain current knowledge of changing threats and countermeasures.
(f) Oversee service providers by selecting those that are capable of maintaining your safeguard standards, and requiring them by contract to implement and maintain such safeguards.
(g) Evaluate and adjust your information security program on an ongoing basis.
If this seems overwhelming, don’t panic! All these things are doable, and we are currently working with several local managed service providers to develop package solutions for businesses and individuals that need to meet these requirements.
If you want to discuss how these changes impact your business, please reach out to me at any time.
Remember, past editions of newsletters and many other resources are available on our website.
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺