The history of the Gramm-Leach-Bliley Act and the Subsequent Federal Trade Commission (FTC) Safeguards Rule

Wade Hoffman • July 2, 2024

The Gramm-Leach-Bliley Act (GLBA) act was passed in November of 1999 after the merger of Citibank and Travelers Group. The passage of GLBA allowed banks to offer additional financial services (i.e., investment) previously restricted by the Glass-Steagall Act that was created following the Great Depression. In addition to reforming the financial services industry, GLBA also addressed concerns regarding consumer privacy and dissemination of consumer data to third-parties along with the ability to “opt-out”. Additionally, the act put the responsibility for any data breaches of those organizations on the board of directors. It required the FTC and other federal agencies to carry out the act’s provisions. Specifically, it requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. The FTC was to be responsible for enforcing the Privacy of Consumer Financial Information (Privacy Rule).


Originally set to require compliance in 2001, the GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions' privacy practices and about their opt-out rights, and to implement security safeguards for customer information. Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. Based on the GLBA directive, the FTC promoted the Safeguards Rule in 2002 and became effective in May of 2003.


Following industry and consumer group input and subsequent Commission workshops in 2020, it issued the final amendments to the Safeguards Rule in December of 2021 that also included breach notification requirements. Due to delays caused by the pandemic, effective May 13, 2024, 16 CFR Part 314: Standards for Safeguarding Customer Information requires financial institutions to report to the Commission any notification event where unencrypted customer information involving 500 or more consumers is acquired without authorization.


The Safeguards Rule

Regarding sections 501 and 505 (b)(2) of the GLBA, the Safeguards Rule provides expected standards for the development, implementation, and maintenance of reasonable administrative, technical and physical safeguards to protect the availability, confidentiality, and integrity of customer data. The scope is regarding the handling of customer information by all financial institutions under FTC jurisdiction (those financial institutions not otherwise subject to the enforcement authority of another regulator). Those entities include lenders, brokers, servicers, counselors, and advisors across any industry that is, as mentioned above, not under any other regulatory authority. Some examples are mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, auto dealers, and financial, collection, and tax advisors and agencies.


Information Security Requirements of the Safeguards Rule

The elements of the Safeguard Rule include information security best-practices that should be part of any organization. While the Safeguard requirements are not comprehensive regarding controls that make up a complete Cybersecurity Framework (CSF), they provide a baseline of controls that will substantially improve an organization’s ability to manage and protect clients’ private information. The Rule includes the following items as a minimum baseline for compliance:


  1. Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.
  2. Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
  3. Design and implement safeguards to control the risks identified through your risk assessment.
  4. Implement and periodically review access controls.
  5. Perform an asset inventory – where is data collected, stored, or transmitted.
  6. Encrypt customer data at rest and in transit.
  7. Assess applications.
  8. Implement multi-factor authentication (MFA) using two of three: what you know (password), what you have (token key), what you are (fingerprint, face scan, etc).
  9. Secure data disposal (specifically customer data) within two years of last use.
  10. Implement change control processes and reporting.
  11. Maintain and report on system logs regarding information and system access.
  12. Periodically monitor and test the effectiveness of your safeguards.
  13. Train your staff on information security and threat awareness.
  14. Oversee service providers by selecting third-parties who are capable of maintaining appropriate safeguards, who are under contract with you to implement and maintain those safeguards, and who pass periodic risk assessment baselines.
  15. Periodically evaluate and adjust your information security program based on the results of the testing and monitoring.
  16. Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control.
  17. Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body.


What Does This Mean for My Business?

In reality, the safeguards listed above are recommended for any business to protect its clients, staff, and the business itself. Those items would be considered prudent and best practices in the effort to manage risk that is inherent in today’s connected world. Additionally, many of those items are not expensive in the grand scheme of things versus the cost of a data breach. Those breach costs include the breach response itself, the likely loss of revenue, long-term damage to reputation and credibility, increased costs or complete loss of insurance, and potential fines and civil suit losses due to employee and customer impacts. The majority of small and medium businesses do not recover from those costs. Many best practices and effective solutions exist to support risk management and the compliance with these safeguards.



Contact Blueprint Security to find out more about how we can help with proven solutions to ensure your successful path toward a mature and effective information security program.


(612) 564-3030

info@blueprintsecurity.net

Looking up at a tall building in the fog.

The Business Power Hour Podcast with Wade Hoffman

By Wade Hoffman July 21, 2024
The Business Power Hour with Deb Krier
A close up of a blue and white striped background.

Decoding the R-words of Cybersecurity Jargon

By Wade Hoffman July 2, 2024
Tips to consider when investigating “XDR” solutions Over the past few years, it has become apparent that many cybersecurity vendors are experts at blurring the lines of meaning in their carefully crafted descriptions of their solutions. Unfortunately, this has only increased confusion while reducing cybersecurity effectiveness for customers. We are bombarded with terms like Web 2.0, XaaS, Cloud, SASE, Zero Trust, and endless other vague marketing jargon — but who is spending the money and effort to shape our vocabulary in this way? Well, it’s primarily coming from vendors touting their capabilities in EDR, MDR, XDR, and other variations of this service. The problem is that none of these “XDR” terms really have an actual, singular definition. Each vendor can create their own meaning to suit their go-to-market objective and capabilities. However, the one letter that consistently appears in all these acronyms is “R” for response. Unfortunately, this word is often the most misleading part of the service description since vendors can have different interpretations of what “response” looks like. Visibility Vendors can only respond to what they can see. For many cybersecurity providers, visibility is created by deploying sensors, agents, and scanning tools in the relevant customer environment, typically at the endpoint. The problem with this process is the service vendor can only see what is sent back by those monitoring tools. Frequently, systems get missed or are outside of the service scope, which creates more risk exposure. Items that can be easily missed include operational technologies such as a control system in a manufacturing environment or an IoT device providing physical security or environmental controls. Or it could be as common as a server running a legacy application that wasn’t addressed in the scoping definition for “XDR.” A complete security assessment, asset inventory, and scan must be completed before purchasing any “XDR” vendor’s solution to determine fit and coverage. Response A vendor’s response to the event doesn’t actually correct or counteract anything. At best, computing devices can be isolated from the network when a threat is identified. However, the actual investigation, remediation and resolution of that quarantined device are still left to the client or their service provider — putting the burden of remediation back on internal teams without enough time, resources, or expertise to address the problem adequately. Action A vendor only provides vulnerability and security operations recommendations. With few exceptions, the “XDR” vendor is only providing guidance through voluminous reports and dashboards notifying the customer’s IT team of remediation items to address. The vendor is typically not providing any hands-on work for the significant fees charged, draining resources from an already depleted staff and budget. That means the day-to-day staffing and knowledge burden, which is by far the biggest cost and most challenging need, is still left unresolved for the customer to address. Questions to Ask Your Vendors Despite these trends, XDR services are often advertised as “end-all, be-all” solutions that offer full protection from cyber risk protection. Unfortunately, no such solution exists (and no, not even Ostra can be your all-in-one solution). Building a comprehensive cybersecurity strategy involves more than installing the right products or working with the right partners. To be clear, there are many great services and solutions on the market (including MDR, EDR, and XDR platforms). But it’s up to the IT service providers and the clients they serve to ask the right questions — especially SMBs who have limited budgets and resources to utilize and zero to waste. When investigating ways to fill your operational and technical needs through a cybersecurity program, ensure that these questions are answered to your satisfaction: Is your solution built on proven and reliable security platforms and tools? The cybersecurity landscape is constantly evolving. Find a provider with vast industry knowledge and one that continuously evaluates the marketplace to ensure their products are updated with the latest and best features to protect clients in a scalable way. Does your solution cover the critical categories of cybersecurity? Cybersecurity is a very broad category with several sub-specialties. When picking a security partner, make sure their services cover the most critical elements at a minimum. A layered solution should include cyber risk protection from the firewall and VPN all the way to endpoints, including email and mobile devices. Have ALL cybersecurity components been integrated and orchestrated to optimize efficiency? Vendors often have either an endpoint-centric approach or a limited integrated solution through a hodgepodge of agents, scanners, and sensors with limited correlation and intelligence. Make sure your provider takes a comprehensive approach to guarding the clients’ entire environment. Is the solution utilizing advanced analytics and data collection 24 hours a day, 365 days a year? It requires significant resources to actively monitor, respond, AND resolve (with hands-on resources) any suspicious security events on behalf of the partner and customer. These resources include advanced information correlation and analysis and the actual security analysts with the right cybersecurity skills — whether they are members of the vendor’s team, the customer’s internal IT/Security Operations team, or both. Although these points seem nuanced, they highlight some critical differences in the marketplace. Decoding the R-words in cyber jargon can help you choose a holistic solution that protects clients from devastating cyber risks versus the over-sold capabilities of the alternatives advertised on airport billboards and the sides of race cars.
Wade Hoffman, founder of Blueprint Security in a suit and blue shirt is smiling for the camera

Wade’s Story of Transformation

By Wade Hoffman July 2, 2024
Wade Hoffman talks about the importance of providing security.