06/26/2023

Revised FTC Safeguards Rule: Is your organization protecting consumer information?

government building

After originally taking effect in 2003, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which outlines how certain “covered financial institutions” should be protecting customer information, was amended by the FTC in 2021 to help ensure that the rule continues to be aligned with rapidly evolving technologies, and to provide concrete principles and data security measures that all covered entities need to implement. However, due to the economic impact of the COVID-19 pandemic, a shortage of qualified information security personnel, and supply chain issues impacting the procurement of technology necessary to support compliance, the FTC delayed the effective date of eight subsections of the amended rule from December 2022 to June 9, 2023.

With the June 9 deadline having now passed, it’s imperative that organizations review their strategies to confirm that they are compliant with the additional requirements. The amendments authorize the FTC to impose fines and penalties for non-compliance, as well as to enforce other financial penalties for deceptive practices.

Which institutions are affected

The categories of organizations affected by this rule include, but are not limited to, banking and financial institutions. Some organizations may not consider themselves to be financial institutions and may not realize they are subject to this new regulatory landscape.

The rule applies to organizations referred to as “covered financial institutions,” organizations that while not “traditional financial institutions” are still significantly engaged in providing financial products or services. Examples of these include colleges, universities, and other higher education organizations that administer federal student aid programs. This may also include – depending on the products or services provided – mortgage brokers, check-cashing businesses, payday lenders, non-bank lenders, collection agencies, professional tax preparers,  personal property or real estate appraisers, and investment advisors that are not required to register with the Securities and Exchange Commission (SEC), among others. There is no minimum size for an organization to be subject to the rule.

This is not an exhaustive list, but if you fall into any of those categories, you may be required to comply – which means that you will need to develop, implement, and maintain a comprehensive security program to keep your customers’ information safe.

What is included in the amendments

As outlined by the FTC, the newly effective amendments require organizations to:

  • Designate a qualified individual to oversee their information security program
  • Develop a written risk assessment
  • Limit and monitor who can access sensitive customer information
  • Encrypt all sensitive information
  • Train security personnel
  • Develop an incident response plan
  • Periodically assess the security practices of service providers
  • Implement multi-factor authentication, or another method with equivalent protection, for any individual accessing customer information

While the amended rule imposes additional requirements and presents implementation complexities, it also provides covered entities with more detailed guidance regarding how to develop and implement specific aspects of their overall security program. The rule can be summarized into three main focus areas:

  • Ensure the security of customer information
  • Implement safeguards against anticipated threats to customer information
  • Prevent unauthorized access to information systems or technology that store customer information

What now?

Compliance can be difficult to achieve, and there is no shortcut around the time and resources needed to get there. 

If you haven’t already, the key is to start small and fast, by implementing simple and affordable tools that apply to your workforce. 

The first step in completing items on your FTC Safeguard Checklist is performing a gap assessment between your current state and the new compliance requirements. This will help you identify the exact scope of what needs to be done, and yield a detailed step-by-step roadmap for achieving compliance and maintaining it for years to come.

Due to the abnormal labor market trends of the past few years, covered organizations may be facing difficulties with maintaining the in-house expertise and bandwidth needed to cross the finish line to being compliant. It might make sense to look for a trusted third party with specific expertise and a proven track record of successfully guiding organizations through the necessary changes. 

History has shown us that just one data breach is enough to permanently damage an organization’s reputation, destroy trust in a recognized brand name, and damage relationships with customers, suppliers, and other affiliates. Complying with the new FTC GLBA amendments will not only help safeguard you from fines, but also help protect your and your clients’ data – and reputations. 

Contact

Thomas McDermott, CISA, CRISC, CGEIT, Principal, Cybersecurity, Technology Risk and Privacy

973.364.7836

Karla Barreto, Manager, Cybersecurity, Technology Risk and Privacy

973.364.7750

Subject matter expertise

  • Thomas McDermott
    Contact Thomas Thomas+McDermott thomas.mcdermott@cohnreznick.com
    Thomas McDermott

    CISA, CRISC, CGEIT, Principal, CohnReznick Advisory

    Go to Bio
    • Close

    Contact

    Let’s start a conversation about your company’s strategic goals and vision for the future.

    Please fill all required fields*

    Please verify your information and check to see if all require fields have been filled in.

    Please select job function
    Please select job level
    Please select country
    Please select state
    Please select industry
    Please select topic
people riding an escalator

Infographic: 5 ways to build a resilient business

Learn more

Related Insights

Tech logos illustrating cybersecurity
Insight

New SEC cybersecurity guidelines: Next steps for public companies

GCS_Federal-Agencies-Cybersecurity_web-banner
Insight

Federal agencies face complex cyber compliance – but relief is underway

shadows of people as coworkers/employees discussing and interacting with each other with a blue colorwash
Insight

Practical Infrastructure: A blueprint for program management success

Image illustrating cybersecurity SEC rules
Insight

Today’s boards need cyber expertise more than ever

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.