Time is up
Key amendments to the GLBA Safeguards Rule become effective in December.
The Gramm-Leach-Bliley Act, passed in 1999, requires the protection of non-public personal information by financial institutions, specifically outlining “an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality” of that information. The Federal Trade Commission’s Safeguards Rule — formally, the Standards for Safeguarding Customer Information — details the requirements outlined in the GLBA. Originally published in 2001, the rule outlines “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” Due to significant changes in technology over the last 20 years, amendments to the rule have been made. The clock started ticking Jan. 10, 2022, when these amendments became effective. Knowing that the implementation of some of those provisions would take time, portions of the amendment have an effective date of Dec. 9, 2022.
By Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH

Who must comply with this rule?
There are two main qualifiers: You must comply if you 1) are a “financial institution” under the GLBA’s definitions or 2) receive information about customers of financial institutions. The definition of “financial institution” under the rule is wider than most definitions. There are 13 specific examples in Section 314.2(h) of the rule, including the following:
• Mortgage lenders
• Payday lenders
• Finance companies
• Mortgage brokers
• Account servicers
• Check cashers
• Wire transferors
• Collection agencies
• Credit counselors and other financial advisors
• Tax preparation firms
• Non-federally insured credit unions
• Investment advisors that aren’t required to register with the SEC
Size also matters. The FTC has exempted from certain provisions of the rule entities that maintain customer information concerning fewer than 5,000 consumers.
The Safeguards Rule basics
At the heart of the Safeguards Rule are several key elements involving the development, maintenance and enforcement of a written information security program (ISP). Following are the key aspects and notable amendments:

A single qualified individual must be designated to oversee, implement and enforce the ISP. This is a change from the original language, which allowed one or more employees to coordinate the program. (Note: If your organization doesn’t have a qualified individual on staff, a third-party company can be used for this function. This requires designating a senior member of the organization to direct and oversee the third party, and all compliance obligations remain with the hiring organization.)

A risk assessment process must be in place. This process must identify and assess risks to customer information in each relevant company area and evaluate the effectiveness of the current controls implemented to mitigate those risks. This is not a new requirement; however, for companies maintaining information on 5,000 or more customers, the amendments now require that the written risk assessment include the following elements:
• The criteria used to evaluate and categorize risks and threats to information systems
• The criteria used to assess the confidentiality, integrity and availability of the information and systems used to process customer information, and the adequacy of the existing controls
• A description of how identified risks will be mitigated or accepted and how the ISP will address those risks

Design and implement a safeguards program, and regularly monitor and test it. This is not a new requirement; however, the amendments added eight specific types of safeguards that must be part of this program:
1. Physical and technical access controls, including a periodic review of authorized users
2. Identification and evaluation of the data, personnel, devices and systems that interact with customer data
3. Encryption of all customer information, both in transit over external networks and at rest
4. Secure development practices and security testing for applications used for transmitting, accessing or storing customer information
5. Implementation of multifactor authentication for any individual accessing any information system that contains customer information. (This requirement can also be met if the qualified individual has approved an equivalent or stronger control in writing.)
6. Procedures for the secure disposal of customer information no later than two years after the last date the information is used, unless retention is otherwise required by law or regulation or necessary for legitimate business purposes
7. Implementation of change management policies
8. Implementation of policies, procedures and controls to monitor and log authorized user activity and detect unauthorized use

Routine testing and monitoring of the controls enforcing the safeguards program must be conducted to evaluate their effectiveness. This is not a new addition; however, two specific control tests are now required for companies above the 5,000-record threshold: They must conduct vulnerability assessments at least every six months and undergo penetration testing at least annually. (The rule allows effective continuous monitoring of information systems as an alternative to these periodic tests; absent that, both tests are required on the stated schedule.)

There must be specific policy requirements for training information systems personnel and for general security awareness training. The amendments add specificity to the training requirements that were already in place and require formal documentation of the policies. These include:
• Security updates and training procedures to address new risks specific to the systems running in the enterprise’s environment,
• Verification that key personnel are maintaining their knowledge of threats and the available defenses against those threats, and
• General security awareness training requirements and procedures for all employees and engaged third parties using the enterprise’s information systems.

The requirement to oversee service providers that assist in the preparation, maintenance and use of the environment handling consumer data was part of the original rule. It requires selecting service providers capable of maintaining appropriate safeguards and using contract language that mandates those safeguards. The amendments add a requirement that service providers be periodically assessed on the risks associated with their use and the adequacy of the safeguards they have implemented.
For entities above the 5,000-record threshold, a new requirement is a written incident response plan. The amendments list seven elements this plan must include:
1. Stated goals of the response plan
2. A description of internal procedures for responding to a security event
3. The definition of roles, responsibilities and levels of decision-making authority for individuals involved in the incident response process
4. Plans for handling internal and external communications, and details on the use of information-sharing resources
5. Procedures for the remediation of identified weaknesses in information systems and associated controls
6. Requirements for documenting and reporting security events, and procedures for classifying incidents and activating the incident response plan
7. A defined process for post-incident evaluation and revision of the incident response plan following an event

Another new requirement for entities above the 5,000-record threshold is a written report, presented at least annually to the enterprise’s board of directors or equivalent governing body (or, if there is none, to a senior officer). This report must be prepared by the qualified individual responsible for oversight of the ISP. Two elements must be in the report: 1) the overall status of the ISP, including its compliance with the updated Safeguards Rule, and 2) recommendations for changes or improvements and any other material matters related to the ISP.
Noncompliance penalties
The real-world penalties for not having the types of controls the Safeguards Rule calls for are information breaches, successful malware attacks, ransomware payments and the like. In addition, there are penalties the FTC can assess on the enterprise and/or the individuals responsible for compliance. They are as follows:
• The institution will be subject to a civil penalty of not more than $100,000 for each violation.
• Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
• The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the U.S. Code, imprisonment for not more than five years, or both.
Covered financial institutions should already be in compliance with the components of the amended rule that were not delayed, since those became effective Jan. 10, 2022. So, if this applies to you and your organization, hopefully you are already compliant and none of this was a surprise. If it applies and you are completely surprised by the requirements and amendments, that holiday shopping list may have to wait.
Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH, is a senior information assurance auditor and consultant with SynerComm Inc. in Brookfield. Contact him at 262-373-7100 or jeffrey.lemmermann@synercomm.com.