
The U.S. Federal Trade Commission (FTC) Adopts New GLBA Safeguards Rule

By Gamelah Palagonia | December 15, 2021

The FTC adopts revisions to the original 2002 GLBA rule imposing more detailed data security requirements.
Topics: Cyber Risk Management | Financial, Executive and Professional Risks (FINEX)

In 1999, Congress enacted the Gramm-Leach-Bliley Act (“GLBA”), which provided a framework for regulating the privacy and data security practices of a broad range of financial institutions. The GLBA requires financial institutions to provide customers with information about the institutions’ privacy practices and their opt-out rights, and to implement security safeguards for customer information. The GLBA also directed the FTC and other federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. Pursuant to that directive, the FTC promulgated the Safeguards Rule in 2002, which became effective on May 23, 2003.

On October 27, 2021, the FTC adopted a new Gramm-Leach-Bliley Safeguards Rule. The revision to the original 2002 GLBA rule imposes more detailed data security requirements and applies only to financial institutions under the FTC’s jurisdiction.

Under GLBA, the FTC has jurisdiction over a broad range of entities not regulated by any other financial services regulator. These include mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, retailers that extend credit by issuing their own credit cards directly to consumers, certain automobile dealerships, personal property or real estate appraisers, and even career counselors who specialize in providing career counseling services to individuals currently employed by or recently displaced from a financial organization.

The revision adds a new category to the rule’s list of covered financial institutions: “finders,” defined as entities that bring together buyers and sellers of a product or service for transactions that the parties themselves negotiate and consummate.

The new rule is substantially more detailed in terms of the requirements for an information security plan. Among other requirements, regulated entities must:

  • Implement and periodically review access controls to (a) authenticate and permit access only to authorized users and (b) limit authorized users’ access only to customer information that they need to perform their duties and functions.
  • Inventory and manage data, personnel, devices, systems, and facilities.
  • Encrypt all customer information both in transit over external networks and at rest.
  • Adopt secure development practices for in-house developed applications that process customer information and procedures for evaluating, assessing, or testing the security of externally developed applications.
  • Implement multifactor authentication for any individual accessing any information system or use other reasonably equivalent or more secure access controls.
  • Develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information is used.
  • Adopt procedures for change management.
  • Monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information.
  • Monitor and test the effectiveness of safeguards, through either continuous monitoring or periodic penetration testing and vulnerability assessments.

Notably, the old rule required a regulated entity to designate “an employee or employees” to coordinate its information security program, while the new rule specifies that companies must designate a single “qualified” individual responsible for overseeing, implementing and enforcing their information security program.

Financial institutions under the FTC’s jurisdiction should review the new rule to ensure that their information security program meets its requirements.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc. (in Canada).

Author

Gamelah Palagonia, FIP, CIPM, CIPT, CIPP/E, CIPP/US, CIPP/G, ARM, RPLU+, CPLP

Executive Vice President – Cyber Development & Regulatory Leader