
Feds Make Significant Changes to Gramm-Leach-Bliley

Gramm-Leach-Bliley (GLBA) is the federal law that governs the security practices of financial institutions.

The Federal Trade Commission is responsible for enforcing GLBA, and last week it released the final rule amending its standards for safeguarding customer information (AKA the Safeguards Rule).

These changes mostly impact non-bank financial institutions including finance companies, mortgage companies, brokers, motor vehicle dealers, small dollar lenders and debt collectors.

Not surprisingly in this day and age, the Democratic commissioners voted for the rule change and the Republicans voted against it. The Republican commissioners issued a written dissent, in part saying Congress should be the bad guy and change the rules, or that more regulation is not better regulation.

They also issued a notice of proposed rulemaking (by a 5-0 vote) for a rule that would require covered institutions to report security incidents to the FTC. They also issued a change to the privacy rule which, based on the Federal Register notice, turns on some seriously convoluted federal regulations that divvy up the enforcement pie. As a result of this pie making, that change only affects motor vehicle dealers.

Back to the changes to the Safeguards Rule. Some of those changes, which do impact mortgage lenders and brokers, among others, are:

  • A new requirement for a written risk assessment to be done against specific criteria. Following New York’s lead, the new rule adds requirements for what must be addressed by the institution’s safeguards based on the findings of the risk assessment.
  • It also adds requirements to ensure the effectiveness of employee training and service provider oversight. Both of these are critical to reduce risk and both are hard to do.
  • The rule also adds a “one throat to choke” rule, also like New York. This person must be qualified and must provide reports to the board of directors or equivalent, at least annually (again like New York).
  • There is a small business (very small) exemption. Institutions that maintain data on fewer than 5,000 consumers don’t have to do the risk assessment, incident response plan and annual reporting to the board.
  • Finally, it broadens the definition of financial institution so that more entities are covered.

The notice of proposed rulemaking would require institutions to report a security event that affects at least 1,000 people and in which misuse of the data is likely. Comments on this part are due 60 days after publication.

According to Glenn Brown of Squire Patton Boggs, the current Safeguards Rule says that you need to develop a program with safeguards that are reasonably designed (whatever that means; undefined), comprehensive (again undefined), written (okay, I know what that means), with appropriate administrative, technical and physical safeguards (again undefined).

The new rule requires the written risk assessment to address safeguards covering:

  • Access controls
  • Data inventory and classification
  • Encryption
  • Secure Development practices
  • Authentication
  • Information disposal procedures
  • Change management
  • Testing, and
  • Incident response

As long as institutions cover these areas, they can design programs appropriate to their size and risk.

Again, this is very much like New York.

The bullets that will probably cause the most trouble for covered institutions like mortgage lenders and brokers are DATA INVENTORY, ENCRYPTION, SECURE SOFTWARE DEVELOPMENT PRACTICES AND CHANGE MANAGEMENT.

This is the finalization of the notice of proposed rulemaking issued in 2019. It goes into effect one year after publication in the Federal Register (so around December 1, 2022), but a few of the provisions go into effect in 30 days.

It also appears that the new rule is going to require either annual penetration testing, INCLUDING SOCIAL ENGINEERING TESTING, or continuous monitoring. Neither article below mentions that minor detail, but the text of the rule uses the word penetration 35 times; such is the challenge of quickly writing a summary of a 145-page rule. This requirement will also be a challenge for most lenders.

Credits:

Ballard Spahr

Mondaq