QUESTION
We are a mortgage broker in the Midwest. In our last state audit, the examiner told us that we did not comply with the Safeguards Rule. It's my understanding that it's required by the GLBA, which behooves us to have an information security program.
Well, we have one! Never had a problem before with it, yet now we've got an examiner saying that our information security plan is no good. I got it from a reputable manual company – at least I thought they were reputable until the banking department told me it was not in compliance.
Now we've got to figure out what this Safeguards Rule is all about! I hope you can enlighten me. My office manager tried to find something on it, but it reads like a bunch of legal mumbo-jumbo. And, anyway, I don't know how to change the information security plan. I will contact your company to get help. Here's my question!
What does the Safeguards Rule cover?
SOLUTION
RESPONSE
Thanks for writing me. I will try to get you past the legalese. I'll provide citations in case you or your office manager wants them. That said, you can contact me and we'll get you back on track!
Keep in mind that regularly assessing the Information Security Program, Plan, or Policy (ISP) is a function of the Second Line of Defense. A self-assessment or self-evaluation should be conducted at least once a year. If you have not already done so, you should conduct a risk assessment immediately. Alternatively, you can contact us for our Privacy Tune-up®, an audit that meets regulatory scrutiny. Or ask for our comprehensive Information Security Plan or the Privacy Policy.
The Federal Trade Commission's (FTC) Safeguards Rule, implemented under the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to establish and maintain a comprehensive Information Security Program (ISP) to protect customer data. This includes developing written security plans with administrative, technical, and physical safeguards. The rule requires financial institutions to safeguard customer information against threats and unauthorized access.
A few years ago, a mortgage broker contacted us to find out if her company was required to comply with the GLBA. The short answer is yes, indeed. A wide range of financial institutions is covered. A "financial institution,"[i] for our purposes, means an entity that provides real estate settlement services (because providing real estate settlement services is a financial activity)[ii], and the statute specifically denotes a mortgage broker as a financial institution.[iii]
I'll get to your compliance responsibilities shortly. But first, you need to know what constitutes the Safeguards Rule ("Rule"). If your ISP does not spell out these key components in writing in some form, an examiner may find it defective.
Five Key Components
There are five Safeguards, as follows:
1. Administrative Safeguards
These involve policies and procedures for managing and overseeing the information security program.
2. Technical Safeguards
These include measures like firewalls, encryption, and access controls to protect data.
3. Physical Safeguards
These involve physical security measures to protect data storage locations and access to sensitive information.
4. Oversight of Affiliates and Service Providers
The Rule also mandates that financial institutions ensure their affiliates and service providers safeguard customer information.