Close this search box.

GLBA: Proposed Changes

Cybersecurity staff sitting at desk reviewing security protocols.

On March 5th, the Federal Trade Commission (“FTC”) proposed amendments to the Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act (“GLBA”).  These amendments are significant in several ways. However, the most impactful will be the changes to the Safeguards Rule which governs the information security programs of financial institutions. 

Proposed Revisions

Until now, the Safeguards Rule, which first went into effect in 2003, provided general guidance requiring companies to develop, implement and maintain a “comprehensive information security program.”  The proposed revisions now provide prescriptive requirements intended to provide greater protection to consumers and greater certainty to businesses. These changes include requiring:

  • The designation of a Chief Information Security Officer (CISO), responsible for overseeing and implementing the program.
  • The CISO to report at least annually to the board on issues related to the information security program.
  • Additional requirements to risk assessments, mandating that the report be written, performed regularly and include recommendations for addressing identified risks.
  • Accession control (physical security) to limit access to locations containing customer data to authorized individuals.
  • Customer data to be encrypted at rest and in transit.
  • Multi-factor authentication (MFA) for any individual accessing customer data.
  • Audit logs to include information events designed to detect and respond to security events
  • Regular testing and continuous monitoring of critical controls, systems, and procedures.
  • Appropriate training and education.
  • Key personnel take steps to maintain current cybersecurity knowledge.
  • Companies to utilize qualified security personnel.
  • Companies to oversee and assess service providers based on the risk they present to information security.
  • Companies to implement and maintain an Incident Response Plan.
  • Procedures that clearly define the secure disposal of customer information.
  • Policies and procedures for change management.
  • Policies and procedures for monitoring authorized and unauthorized access, use and modification of customer information.

Who Will Be Affected

The proposed changes also expand the definition of “financial institutions” to include finders (those who charge a fee to connect consumers to lenders) and companies who engage in activities “incidental to financial activities.” As with any prescriptive cybersecurity guidelines, those organizations who have not previously been governed by GLBA, those that did not already have a strong governance plan as well as smaller entities will be affected the most.

Responses to the Proposed Revisions

Until now, GLBA has offered general guidelines. It is unlikely that the proposed changes will be accepted with open arms. There are also concerns about the impact on smaller organizations as well as the FTC’s ability to measure and enforce these new guidelines. Those wishing to weigh in on the proposed changes have 60 days after the publication in the Federal Register.¹

Take Away

  1. This is the opportunity to review your current information security program.
  2.  If you haven’t already, reconsider your current partnerships and any processes by which you evaluate vendors.
  3. Establish a relationship with a reputable security vendor.

We Can Help

If your organization is concerned about compliance or feels there may be a gap in your current security posture, we would love the opportunity to earn your business.  You can speak with a member of our team by contacting us below.  

CALL US: (877) 486-8056 EMAIL US 

¹ https://www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks-comment-proposed-amendments-safeguards-privacy-rules

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.

Related Reads

Unlimited IT Support Services - Corsica Technologies

The End Of Metered Billing In Technology Services

Let’s be honest. When it comes to technology services, something is broken. Customers aren’t getting the consistency, responsiveness, and cost transparency they deserve. Meanwhile, MSPs (managed IT service providers) promise the moon with “all-in” pricing, yet they still allow tons

Read more
CPCSC - Canadian Program for Cyber Security Certification - Corsica Technologies

CPCSC For Canadian Defense Contractors: What We Know Today

With cybersecurity threats evolving rapidly, governments are taking steps to protect sensitive but unclassified information that they must share with their suppliers. This is a critical undertaking, as hackers can use sensitive information to inform their strategies—plus they can execute

Read more
EDI Software - 5 steps to choosing the right solution - Corsica Technologies

5 Steps To Choosing The Right EDI Software

How do you understand EDI and choose the right solution for your business? Whether you’re just starting with EDI or replacing an outdated solution, it’s crucial to get this right. Picking the wrong EDI software for your situation can saddle

Read more

Sign Up For Our Newsletter

Stay up-to-date on the Managed Services and Cybersecurity landscape, and be the first to find out about events and special offers.