As a member of the consumer lending industry, you make a living collecting, processing and analyzing people's personal data. And with identity criminals getting smarter by the day, it's imperative that your consumers' personal information is protected. The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to disclose how they share this information and how it's protected.
Also known as the "Privacy Act", the GLBA states that financial institutions must notify consumers about their privacy policies and practices; describe the conditions under which they may disclose nonpublic personal information (NPI) to third parties; and provide a way for consumers to "opt out" of having their information shared with those third parties.
NPI can include anything from phone numbers, addresses and names to Social Security numbers and bank account information.
The Safeguards Rule
The Safeguards Rule is the portion of the GLBA that requires financial institutions to document their program for protecting consumer information in a written plan. This "information security plan" must be tailored to the size of the institution and the nature of the consumer information it handles. Among the requirements in the Safeguards Rule, an institution must:
- Assign one or more employees to manage their information security program
- Identify the risks to consumer data in each area of the business
- Establish and implement a safeguards program, and monitor it regularly
- Choose third-party providers that can adhere to these safeguards, and include in their contracts that they must enforce these safeguards
- Analyze and adjust the program in the event of major changes in the business’s operations
Updates to the Safeguards Rule
The Safeguards Rule has not been amended in over a decade, but new provisions may be on the way. The Federal Trade Commission (FTC) proposed changes to the Safeguards Rule in April of 2019. These new rules would require financial institutions to:
- Assign a Chief Information Security Officer (CISO) role, which can be an employee of the organization or of a service provider
- Create a data map of all devices containing sensitive consumer data
- Encrypt all consumer data that is stored or exchanged over external networks
- Implement multifactor authentication for any parties accessing consumer data
- Implement vulnerability management, including vulnerability scanning, as well as ongoing monitoring or annual penetration testing
While no official announcement has been made regarding the update, financial institutions should be prepared to revise their information security plans accordingly.