As a cybersecurity and privacy lawyer, I consider the GLBA (Gramm-Leach-Bliley Act) an early but outdated effort at regulating the financial industry. It was passed in 1999.
For consumers, the main impact is a long privacy notice that explains what information the company gathers about them and gives them the right to opt out of having that information shared with non-affiliated third parties. The odd thing about this notice is that it comes by mail. I sincerely doubt that many people have taken advantage of the opt-out privilege.
The jurisdiction of the GLBA is broad. It covers all businesses “significantly engaged” in providing financial products or services in the U.S. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and even ATM providers that receive customer information.
Recently the FTC (Federal Trade Commission), the agency responsible for enforcing the GLBA, has moved to require financial institutions to adopt more modern and structured cybersecurity. It is about time.
The Act’s Safeguards Rule was first issued by the FTC in 2002. An updated rule has been under discussion since 2016, and after a 3–2 vote along party lines in October 2021, the amendments were adopted. The most prescriptive new requirements take effect one year after the amended rule’s publication in the Federal Register, on December 9, 2022.
The main change is the addition of very specific requirements that will be familiar to anyone who knows an information security standard such as ISO 27001 or the NYDFS (New York Department of Financial Services) Cybersecurity Regulation (23 NYCRR 500).
The original rule required a company to adopt a WISP (written information security program), but was not very specific about what must be in it. That has changed.
The new rule requires very specific controls, including:
- A written risk assessment that drives the design of the program
- Access controls with periodic review, limiting access to customer information to what each user needs
- An inventory of the data, personnel, devices, systems, and facilities that handle customer information
- Encryption of customer information in transit over external networks and at rest (the qualified individual may approve effective compensating controls where encryption is infeasible)
- Multifactor authentication for anyone accessing an information system that holds customer information (unless the qualified individual approves equivalent or stronger controls)
- Adoption of secure development practices for in-house developed applications
- Change management procedures
- Monitoring and logging of authorized users’ activity to detect unauthorized access, plus either continuous monitoring or annual penetration testing and vulnerability assessments at least every six months
- Secure disposal of customer information no later than two years after its last use, unless it is still needed or retention is required by law
- A written incident response plan
- A “qualified individual” to oversee the program, who must report in writing to the board at least annually
- An exemption from several of these elements (the written risk assessment, penetration testing and vulnerability assessments, the written incident response plan, and the annual board report) for institutions that maintain information on fewer than 5,000 consumers
Organizations subject to the FTC’s Safeguards Rule have a year to implement these controls, but they should not dawdle. While the FTC may be patient, criminal hackers are not. They will take advantage of any opportunity – such as a business with weak cybersecurity.
It’s time to simplify cybersecurity
The new GLBA rule highlights something else: the problems with U.S. regulations. In the EU, data protection rests on a single cross-sector regulation, the GDPR (General Data Protection Regulation).
By contrast, cybersecurity and privacy legislation in the U.S. has a host of issues. It is very political. It varies from sector to sector. It varies according to the size of the organization. It is spread across federal statutes, federal agency rules, state laws, and state agency regulations.
These laws change almost as fast as IT and the techniques used by criminal hackers. Determining which laws apply, when they apply, whom they apply to, and what they require is a full-time job.
The present administration appears determined to strengthen cybersecurity, and your organization should also be doing its part.
Not only is the cyber threat landscape constantly evolving, but organizations must now consider what life might look like in a post-pandemic world. Which systems implemented out of necessity have proven beneficial? What changes do you need to make to ensure that you function safely through 2022 and beyond?
Whatever challenges await, IT Governance USA is here to help. We are a one-stop shop for your cybersecurity and data protection needs, offering a variety of tools you can use to bolster your defences and maintain regulatory compliance.