GLBA Significant Changes that the Experienced Attorney May Have Missed

Last month, the Association of Corporate Counsel (ACC) invited me to lead an online training event for their Financial Services Network to discuss the significant changes to GLBA that the experienced attorney might have missed.

That training (and this article) is tailored to legal counsel supporting financial institutions that process consumer personal data.

For the benefit of those who might have missed that training session, here is a recap.

At a high level, these are the significant changes that the experienced attorney needs to be aware of:

Privacy Rule (Part 313)

  • Clarifies that the privacy notice must be revised and/or redelivered when data processing practices change
  • Clarifies that the rule covers financial institutions over which the Commission has rulemaking authority (as opposed to mere enforcement jurisdiction)

Safeguards Rule (Part 314)

  • Notification to the FTC of notification events (unauthorized acquisition of unencrypted customer information) involving 500 or more consumers, as soon as possible and no later than 30 days after discovery
  • Written report to the Board (or equivalent governing body) at least annually
  • Introduces defined IT security terminology (for example, encryption, multi-factor authentication, penetration testing)
  • A designated Qualified Individual is responsible for overseeing the information security program
  • Written risk assessment, plus a documented management response to its findings
  • Implementation of specific safeguards (access controls, data inventory, encryption in transit and at rest, secure development practices, multi-factor authentication, secure disposal, change management, and monitoring of authorized user activity)
  • Clarifies who the consumer is and the concept of the customer relationship

If you weren’t aware of some (or all) of these, you’re not alone! It’s been a slow roll (24 years, to be exact). The original rules were published in 2001 and 2002; proposed changes were opened for public comment in 2019, socialized with stakeholders in April 2020, finalized in Q4 of 2021 and Q4 of 2023, and parts went into effect at various points from 2022 through 2024.

*A slide from the online training session illustrating the timeline


These are changes that I monitor closely, to ensure that our GC/Legal Counsel/Compliance Officer clients are on top of the developments. I was also part of an industry panel discussion at the April 2020 event hosted by the FTC and was cited 15 times in the analysis of the finalized Safeguards Rule, because not all FinTechs have access to an in-house CISO and I wanted to make sure that the changes were framed in a clear manner.

Reflecting on the last 4 years, these changes call on GCs and Compliance Officers to play a more active role in the company’s information security/cybersecurity/data security function. The previous versions of Part 313 (Privacy Rule) and Part 314 (Safeguards Rule) were general and gave organizations flexibility in how they satisfied the requirements. The addition of defined IT security terminology now requires GCs and Compliance Officers to understand that jargon well enough to confidently advise and collaborate with their IT and business teams.

Let’s switch gears and take some action on what we just covered.

Are you willing to take part in a few exercises to check in on your company’s GLBA compliance and readiness? Add a 50-minute session to your calendar, call it “2024/2025 GLBA Check-In/Planning,” and copy/paste the exercises into the calendar invite. Future you will thank you.

Exercise 1: Write in dates for your organization

  1. Date the security incident response plan was last reviewed by Legal to confirm that notification events involving 500 or more consumers trigger a notification to the FTC (no later than 30 days after discovery): _______________________
  2. Date the Board received (or is scheduled to receive) the 2024 GLBA compliance report (annual requirement): _______________________
  3. Date the Compliance Officer confirmed that the Compliance Management System (CMS) program has been updated to capture the GLBA updates (which went into effect in 2023 and 2024): _______________________
  4. Date Legal last reviewed the written information security risk assessment: _______________________
  5. Date Legal last confirmed that the management response to the findings of the written information security risk assessment is on file: _______________________

Exercise 2: Reflection time

  • If you have already presented the 2024 GLBA compliance report to your Board: What was their reaction?
  • If you haven’t presented the GLBA compliance report to your Board: What is your most pressing need in order to feel good about delivering a quality report?
  • Send an email to your GC and/or Board with the completed worksheet and identify

In case you’re exploring outside help to prepare the annual GLBA compliance report for your Board, this is a service that we offer. It’s available at $5,000 (normally $7,000) with a 30-day turnaround. To learn more, you can reach out via direct message or through our contact form at https://cybersecuritybase.com/contact/ .

If you are an ACC member, you’re invited to join the upcoming online training sessions, included in your ACC membership! More information and registration forms are available:

If you want to take a deep dive into the redlines of the authoritative text, it is available in the eCFR (electronic Code of Federal Regulations) system:

More articles by Rocio Baeza