New Cyber Regulations That Can Get You Fired, Fined, or Locked Up!
Joshua Nelson
Dynamic CXO & CMO | Sales & Marketing Consultant | Driving Innovative Cybersecurity Solutions & Empowering Business Growth
GLBA
The Gramm–Leach–Bliley Act (GLBA) requires financial institutions to protect customer data and honestly disclose all data-sharing practices with customers.
Under this U.S. law, financial entities must establish security controls to protect customer information from any events threatening data integrity and safety. This includes strict financial information access controls to mitigate the chances of unauthorized access and compromise.
Entities expected to comply with GLBA are also likely required to comply with the FTC Safeguards Rule (a subset of the GLBA).
IS GLBA COMPLIANCE MANDATORY?
Yes. GLBA compliance is mandatory for all U.S. organizations selling financial products or services.
The financial entities that must comply with GLBA include those that:
- Sell financial products.
- Sell or offer financial services.
- Offer financial loans.
- Offer any financial or investment advice.
- Sell insurance.
WHAT ARE THE PENALTIES FOR NOT COMPLYING WITH THE GRAMM–LEACH–BLILEY ACT (GLBA)?
There are separate penalties for non-compliance, applicable to the violating organization and to its officers and directors.
The penalties for violating organizations are:
- A civil penalty of up to $100,000 per violation.
- Fines in accordance with Title 18 of the United States Code.
The penalties for violating officers and directors are:
- A civil penalty of up to $10,000 per violation.
- Imprisonment up to 5 years.
HOW TO COMPLY WITH THE FTC SAFEGUARDS RULE
The FTC’s Standards for Safeguarding Customer Information (Safeguards Rule) first became law in 2003. Late last year, these standards were finally updated to suit the modern threat landscape, and on the 9th of December 2022, compliance with the revised Safeguards Rule is expected to become mandatory.
Failure to comply with the Final Rule could result in hefty fines, class action lawsuits, and even imprisonment in severe cases.
Though a petition has been put forward to delay the Safeguards Rule enforcement until December 2023, entities subject to the FTC’s jurisdiction should assume the regulation will be enforced on schedule and start implementing compliance strategies immediately.
To learn how to establish a cybersecurity program that complies with the FTC Safeguards Rule, read on.
FTC Safeguards Rule
WHO NEEDS TO COMPLY WITH THE FTC SAFEGUARDS RULE?
Entities expected to comply are still classified with the very misleading title of a “Financial Institution,” where the term “finance” refers to any relations with customer financial data, either through lines of credit, loans, or general financial information.
Some examples of businesses classified as “Financial Institutions” by the FTC include:
- Automobile dealerships
- Financial career counselors
- Credit counselors
- Personal property or real estate appraisers
- Collection agencies
- A business that prints and sells checks for consumers
- A business that wires money between consumers
- Check cashing businesses
- Retailers providing store credit cards
- Accountants and tax preparation services
- A business that operates a travel agency in connection with financial services
- Mortgage brokers
- Credit unions
- Any business that charges a fee to connect buyers with consumers or loans with lenders and is involved in any financial transactions between these parties (a new financial institution category defined as “finders” by the FTC).
The Federal Trade Commission may continue broadening its definition of a Financial Institution as digital transformation blurs the line between third-party service providers and the financial operations they influence. So if your business isn’t currently classified as a Financial Institution, it could be in the future. Regularly reference the FTC’s definition of a Financial Institution to learn if you’re suddenly expected to comply.
The FTC Safeguards Rule is a subset of the Gramm-Leach-Bliley Act (GLBA).
An effective compliance program for the FTC’s new rules can be summarised with three primary objectives:
Objective 1: Ensure the security of customer information.
Objective 2: Implement safeguards against anticipated threats to customer information.
Objective 3: Prevent unauthorized access to information systems linked to customer information.
Source: Kost, Edward. "Top 12 Cybersecurity Regulations for Financial Services." Blog post, Compliance and Regulations, www.UpGuard.com, 20 October 2022. Accessed 20 October 2022.