The GLBA compliance deadline has been extended to June 9, 2023. Learn about the reasons for this extension and find out how GLBA compliance works.
Not so long ago, we wrote a post reminding “financial institutions” of their obligation to comply with the provisions of GLBA’s new Safeguards Rule by December 9, 2022. However, on November 15, 2022, the Federal Trade Commission (FTC) announced a six-month extension of the deadline. While this extension is likely to be welcome news for financial institutions, they should not delay their compliance efforts. For many, the new Safeguards Rule may require significant investment in security program development, personnel, and technology.
The postponement of the new Safeguards Rule signals the substantial issues that businesses face on the way to GLBA compliance. When explaining their decision, the FTC’s commissioners cited a report from the Small Business Administration Office of Advocacy. The report claims that a shortage of qualified information security personnel and supply chain issues affecting IT and security systems seriously hamper companies’ ability to comply with the new requirements. These difficulties were exacerbated by the COVID-19 pandemic, which made it hard for financial institutions, especially small ones, to come into compliance by the deadline.
In this article, we dig deeper into the GLBA Safeguards Rule and explain why some businesses find it so difficult to comply with.
As we already wrote, the FTC overhauled the Safeguards Rule in October 2021, requiring financial institutions to adopt enumerated technical and administrative safeguards. A few requirements of the new Safeguards Rule became effective 30 days after the rule was published. Most of the new requirements, however, were set to go into effect on December 9, 2022 (this date has now moved to June 9, 2023). By this date, financial institutions must meet Safeguards Rule requirements such as
A reminder of who counts as a financial institution in the GLBA context. Financial institutions are entities that are directly engaged in financial activities. After June 9, 2023, the definition will also cover companies that may not consider themselves financial institutions, such as non-bank and alternative lenders, retailers that extend credit to customers, and even colleges and universities that administer certain federal student aid programs. We wrote more about the updated definition of “financial institutions” under GLBA in one of our previous posts.
Besides the Safeguards Rule, GLBA contains two other major sections. Understanding the aim of these three sections helps organizations meet the requirements of the legislation. Together, the three parts define the types of data to protect, the specific measures expected, and the duty to prevent unauthorized access.
The Financial Privacy Rule covers nonpublic personal information (NPI), such as name, date of birth, and Social Security number, as well as transactional data (card and/or bank account numbers). It also covers private information you may acquire during a transaction (a credit report, for instance). Thus, the GLBA Privacy Rule describes in detail what information must be protected. “Financial institutions” directly engaged in financial activities, as well as those receiving “nonpublic personal information (NPI)” about consumers, must adhere to the GLBA Privacy Rule.
The Safeguards Rule, the one updated a year ago, mandates how GLBA-covered entities must protect this information. In other words, it requires financial institutions to have specific means of protecting NPI. According to the text of the rule, GLBA adherents must have “all necessary administrative, technical, and physical safeguards in place to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored to the institution’s size and the complexity of its operations. It must also take into consideration the sensitivity of the customers’ information. Other important requirements of the GLBA Safeguards Rule are highlighted above.
In addition to protecting nonpublic personal information (NPI), GLBA-covered organizations must detect and prevent as many instances of unauthorized access as possible. This includes applying a zero-trust approach and other countermeasures to protect sensitive data from unauthorized access and disclosure by phone, email, or even in person. The pretexting provisions aim to mitigate this kind of data loss and protect more consumers.
GLBA compliance puts financial institutions at a lower risk of penalties or reputational damage caused by data security incidents. This is a strong motivation to comply, because the non-compliance penalties include:
GLBA compliance makes many data incidents, such as unauthorized sharing or loss of private customer data, less likely to happen.
There are also several privacy and security benefits for customers, some of which include:
Compliance with GLBA protects consumer and customer records and helps build and strengthen consumer trust. Customers gain assurance that the institution will keep their information secure. Safety and security cultivate customer loyalty, resulting in a better reputation, repeat business, and other benefits for financial institutions.
If you still have questions about GLBA compliance and deadlines, please contact our Planet 9 team, and we’ll be happy to assist!