FTC Proposes Changes to the GLBA to Strengthen Cybersecurity
It has been more than 20 years since Congress passed the Financial Services Modernization Act of 1999, Pub. L. 106-102. Better known as the Gramm-Leach-Bliley Act (GLBA), the law opened the door to mergers of banks, securities firms, and insurance companies. It was touted as a means of increasing competition and consumer choice by repealing portions of the Glass-Steagall Act of 1933, which prohibited commercial banks from dealing in securities and securities firms from accepting deposits.
But the GLBA is better known for the consumer privacy rules it introduced. The Financial Privacy Rule, 15 U.S.C. § 6801, et seq., requires financial institutions to take steps to ensure the security and privacy of customer information, and to notify customers as to what information is collected and how it is used and shared. The Safeguards Rule, 16 C.F.R. § 314, establishes physical, technical, and administrative security standards for implementing these rules.
Promulgated in 2002 by the Federal Trade Commission (FTC), the Safeguards Rule is ancient by technology standards. The FTC began reviewing the rule in August 2016, and in March 2019, it published notice of sweeping changes in the Federal Register. The agency says the proposed rulemaking would better protect against cybersecurity threats and bring the GLBA in line with other, more stringent privacy regulations.
The deadline for public comment on the proposed changes was August 2, 2019. Section 533 of the Administrative Procedure Act, 5 U.S.C. § 533, requires agencies to consider “the relevant matter presented” by interested persons, and explain why some comments are incorporated into the rule and others are rejected. This is often a lengthy process given the vast record produced during the comment period. The FTC has not stated a timeframe for publication of the final rule.
How the GLBA Protects Privacy
The GLBA defines “financial institution” as any organization engaged in the activities described in 12 U.S. § 1841(k)(4), which broadly lists lending, insuring, providing advisory services, and any other activity that is “incidental to” such activities. As such, financial institutions include not only banks and credit unions but brokers, title companies, tax preparers, and other companies that are “significantly engaged” in providing financial products or services.
Customer information includes name, Social Security number, account number, credit history, and any other nonpublic information that is used to obtain or provide financial services, or that results from any transaction. Under the Safeguards Rule, financial institutions must develop a written plan detailing how this information will be protected against unauthorized access and any threats to its security, confidentiality, or integrity.
The security program must be evaluated and updated based on regular monitoring and testing or as dictated by operational changes. The financial institution must also provide employees with training and oversight, and ensure that any third-party service providers maintain appropriate safeguards.
Proposed Changes to the Safeguards Rule
The FTC’s proposed changes would greatly expand upon these requirements. While the current rule requires the designation of at least one employee to manage and coordinate information security efforts, the new rules would require a “qualified” chief information security officer (CISO) to oversee and implement the program and report to the institution’s board of directors in writing at least annually. The CISO can be an outside consultant.
Currently, § 314.4(c) requires institutions to “design and implement information safeguards to control the [identified] risks.” The proposed rules would specify that financial institutions must:
Implement access controls that allow only authorized users to access customer information
Identify systems that store customer information and understand how those systems are connected
Restrict physical access to both information systems and hard copy files containing customer information
Encrypt all customer information both “in flight” and “at rest”
Adopt application development practices that ensure the security of in-house software
Implement multi-factor authentication
Maintain audit trails of system access and activities
Develop procedures for disposing of customer information that is no longer needed
Assess the risk of changes to information systems or operational processes
Monitor systems for unauthorized access and inappropriate use of customer information by authorized users
Additionally, financial institutions would be required to create an incident response plan that would enable them to quickly respond to a security event involving customer information. The incident response plan would establish goals and outline detailed processes, roles and responsibilities, and documentation and reporting requirements. Proposed § 314.6 would exempt smaller financial institutions that store information on fewer than 5,000 customers from the incident response requirement and several other provisions.
Pros and Cons
The proposed rulemaking sparked concern from a variety of industries, from software providers to convenience stores, that they might be brought into the ambit of the Safeguards Rule. Some groups, such as colleges and universities, oppose the new requirements as overly burdensome, while others, including credit unions, say the new rules are in line with modern standards for combating cybersecurity threats.
FTC Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson published a dissent, arguing that the proposed rules are less flexible and substitute the agency’s judgment for that of private entities. They also argue that the proposed rulemaking is premature as it overlaps with New York state financial services regulations and proposed privacy legislation being considered by Congress.
However, the FTC proposed the new rules in part to better align with other regulations and provide more certainty for financial institutions. Like it or not, organizations that collect and store sensitive consumer information should be prepared to implement stricter data governance policies and stronger cybersecurity tools.
Learn More About Cybersecurity and the Law
As privacy laws continue to change to better react to modern threats, cybersecurity and privacy legal experts will be increasingly needed in both the public and private sector. If you’re interested in learning more about cybersecurity and the law, or if you want to earn a California law license, visit Purdue Global Law School. We offer an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues and an online Juris Doctor for those who wish to become a practicing attorney in California. Single courses in technology and the law are also available. Request more information today.