GLBA Safeguards Proposed Rule
By: Greggory B. Oberg, Esq.
Since 2003, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule has required regulated entities to take reasonable precautions to--as the name implies--safeguard the private consumer data they are entrusted with in the course of business. Under the Safeguards Rule, financial institutions are required to develop Information Security Programs tailored to the specifics of their operations.
For better or worse, the explicit mandates included in the GLBA Safeguards Rule explaining how to meet these requirements are hazy at best. The lack of clarity in the Rule has contributed to confusion in small to mid-sized entities that don't possess the technological resources or know-how of larger players. How much is "enough"? It's tough to know. A better question, as asked by commentators for years and by the FTC in the 2016 Request for Comment, is whether it is normatively desirable to promulgate more specific rules, as opposed to general guidelines.
But that all could be changing, after an April 2019 Notice of Proposed Rulemaking (NPRM) by the FTC to amend the GLBA Safeguards Rule and provide clearer, more prescriptive guidance for compliance.
Background
The basis of the GLBA Safeguards rule comes from one small subsection in the United States Code which directs Federal Regulators to ensure that regulated entities under their supervision maintain administrative, technical, and physical safeguards in the handling of certain sensitive customer data.
The [CFPB] … shall establish appropriate standards … relating to administrative, technical, and physical safeguards
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
From this mandate, the Federal Trade Commission developed and promulgated the initial GLBA Safeguards Rule, which became effective in May of 2003. The essential mandate requires development of a Written Information Security Program, not unlike the Massachusetts state law requirement.
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in §314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
The Information Security Program developed pursuant to the Regulation carries the same objectives specified in the Statute. As noted by commentators, GLBA Safeguards have endured critiques for the lack of specificity in establishing minimal standards for data processing. But let's be clear about how generic the language is…
Section 314.4 Elements of an Information Security Program
In order to "develop, implement, and maintain" an effective Information Security Program, you need five things.
Authority/Autonomy/Resources: Designation of "an employee … to coordinate [the program]";
Risk Assessment: Assessment of "reasonably foreseeable … risks to the security … of customer information" posed by (my words here) your people, your systems, and info security program;
Internal Controls: Implementation of safeguards designed "to control the risks you identified through [step 1]";
Third Party Due Diligence: Utilization of due diligence in the "select[ion] and ret[ention of] service providers … capable of maintaining appropriate safeguards[,]" which may be accomplished through contractual controls.
Continuous Monitoring and Testing: Evaluation and adjustment of the "information security program in light of the results" of the Risk Assessment and testing of Internal Controls.
With that general framework in mind, the regulation leaves it to industry to figure out what exactly is "good enough" to protect the integrity of our customers' data.
GLBA Safeguards 2019 NPRM
This blog specifically focuses on those elements of the NPRM that will modify the core Information Security Program requirements that community institutions have come to understand over the last sixteen years. There are, additionally, substantial definitional changes proposed to Section 312.2, which may be addressed in a subsequent blog.
First, the proposed rule would make significant changes to the first prong, now requiring that a "Chief Information Security Officer", or "CISO", be the individual with authority for the information security program. That individual may be internal or external, but may no longer be a group of employees.
Second, changes to the Risk Assessment requirement are included to formalize the process. If it wasn't already clear, the Risk Assessment needs to be in writing, and should be a significant process. Here, the rule may actually provide more flexibility than was previously apparent, as it allows institutions to set their own written risk criteria. Once risks are identified, institutions need to document mitigating steps, or else explain the decision to accept a residual risk in excess of risk tolerances.
Third, a majority of the action in this NPRM comes in subsection (c) of §314, which expands from one sentence to ten numbered subsections. In practice, Internal Controls under data privacy regulations are tricky; it's tough to know when enough is enough. In that sense, the Proposed Rule actually helps us out by providing somewhat clear guidance on what the minimum requirements are, legally speaking. If implemented reasonably, of course.
Fourth, the FTC proposes two alternative methods of meeting "monitoring and testing" obligations. Institutions may either carry out periodic penetration testing, or develop and maintain a continuous monitoring system.
Fifth, training gets a LOT more specific. All individuals touching consumer data must have data security awareness training, which must be performed by qualified individuals--either internally or externally. Additionally, resources must be committed to both the executive/senior and IT departments to ensure that these groups in particular are provided the appropriate level of training to keep up with threats.
Sixth, institutions will be required to develop incident response plans. Such plans must be designed to "promptly respond to, and recover from, any security event[,]" and generally require a clear goal, delegation of authority, procedures for response, and internal/external communication plans, among other items proposed.
Finally, the CISO will be required to report at least annually to the board on the overall status of the Information Security Program and any material matters related to the program.