QUESTION
We are a mortgage broker in the Midwest. In our last state audit, the examiner told us that we did not comply with the Safeguards Rule. It's my understanding that it's required by the GLBA, which behooves us to have an information security program.
Well, we have one! Never had a problem before with it, yet now we've got an examiner saying that our information security plan is no good. I got it from a reputable manual company – at least I thought they were reputable until the banking department told me it was not in compliance.
Now we've got to figure out what this Safeguards Rule is all about! I hope you can enlighten me. My office manager tried to find something on it, but it reads like a bunch of legal mumbo-jumbo. And, anyway, I don't know how to change the information security plan. I will contact your company to get help. Here's my question!
What does the Safeguards Rule cover?
SOLUTION
RESPONSE
Thanks for writing me. I will try to get you past the legalese. I'll provide citations in case you or your office manager wants them. That said, you can contact me and we'll get you back on track!
Keep in mind that regularly assessing the Information Security Program, Plan, or Policy (ISP) is a function of the Second Line of Defense. A self-assessment or self-evaluation should be conducted at least once a year. If you have not already done so, you should conduct a risk assessment immediately. Alternatively, you can contact us for our Privacy Tune-up®, an audit that meets regulatory scrutiny. Or ask for our comprehensive Information Security Plan or the Privacy Policy.
The Federal Trade Commission's (FTC) Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), requires financial institutions under the FTC's jurisdiction, which include non-bank lenders and mortgage brokers, to develop, implement, and maintain a comprehensive, written Information Security Program (ISP) to protect customer information. The program must contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution, the nature of its activities, and the sensitivity of the customer information it holds, and it must protect that information against anticipated threats and unauthorized access.
A few years ago, a mortgage broker contacted us to find out if her company was required to comply with the GLBA. The short answer is yes, indeed. A wide range of financial institutions is covered. A "financial institution"[i] is any institution engaged in activities that are financial in nature; for our purposes that includes an entity that provides real estate settlement services (because providing real estate settlement services is a financial activity),[ii] and the Rule's list of examples specifically names a mortgage broker as a financial institution.[iii]
I'll get to your compliance responsibilities shortly. But first, you need to know what constitutes the Safeguards Rule ("Rule"). If your ISP does not address each of these key components in writing, an examiner may find it defective.
Five Key Components
There are five key components, as follows:
1. Administrative Safeguards
These are the policies and procedures for managing and overseeing the information security program. Under the Rule they include designating a qualified individual to oversee and implement the program, basing the program on a written risk assessment, training your staff, maintaining a written incident response plan, and having the qualified individual report in writing at least annually to your board of directors (or, if you have no board, to a senior officer responsible for the program).
2. Technical Safeguards
These are the controls that protect the data itself. The Rule names the minimum set: access controls that limit each user to the customer information they need, an inventory of the data and of the systems that hold it, encryption of customer information both in transit over external networks and at rest, multi-factor authentication for anyone accessing an information system that holds customer information (unless your qualified individual has approved an equivalent or stronger control in writing), secure disposal of customer information no later than two years after it was last used to serve the customer unless it is still needed or must be retained by law, change-management procedures, and logging and monitoring of user activity to detect unauthorized access. Firewalls remain a sensible perimeter control, but an examiner will look for these named elements. The Rule also requires you to test your safeguards regularly, either through continuous monitoring or through annual penetration testing together with vulnerability assessments at least every six months.
3. Physical Safeguards
These are the measures that protect the places where customer information is stored and handled: locked file rooms and cabinets for paper loan files, restricted access to server and network closets, and controls on who can enter areas where sensitive information is kept or viewed.
4. Oversight of Affiliates and Service Providers
The Rule also requires you to oversee your affiliates and service providers: take reasonable steps to select and retain providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess each provider based on the risk it presents and the adequacy of its safeguards.
5. Reporting Requirements
The amended Safeguards Rule[iv] requires financial institutions to report certain security breaches, called notification events, to the FTC; the details are under New Requirements below.
The purpose of the Rule is to protect the confidentiality, security, and integrity of customer information held by financial institutions. It does this by helping to prevent unauthorized access, data breaches, and identity theft.
Compliance
Now, to your compliance requirements, of which there are four, as follows:
1. Develop, implement, and maintain a written information security program.
2. Establish and maintain appropriate administrative, technical, and physical safeguards.
3. Regularly assess the effectiveness of your security program and update it as needed.
4. Comply with the reporting requirements for notification events.
One caveat that matters for a smaller brokerage: if you maintain customer information on fewer than 5,000 consumers, the Rule exempts you from the written risk assessment, the written incident response plan, the annual written report to the board, and the periodic penetration testing and vulnerability assessments. It does not exempt you from the rest of the program, and it does not exempt you from notifying the FTC.
New Requirements
The Safeguards Rule itself dates from 2002,[v] but the 2023 amendments[iv] added new requirements for cybersecurity events and data breaches, with a compliance date of May 13, 2024. The Rule now requires a financial institution to report a notification event, defined as the "unauthorized acquisition of unencrypted customer information," that involves at least 500 consumers to the FTC as soon as possible and no later than 30 days after the event is discovered. Two points in that definition catch people out. First, customer information counts as unencrypted if the encryption key was accessed by an unauthorized person, so encryption only keeps an incident outside the Rule if the keys were not exposed as well. Second, unauthorized access to unencrypted customer information is presumed to be an acquisition unless you have reliable evidence that acquisition did not, or could not reasonably have, occurred, so "they got in but we don't think they took anything" is not enough on its own.
The notice to the FTC must include the following:
1. The name and contact information of the reporting financial institution;
2. A description of the types of information that were involved in the notification event;
3. If the information is possible to determine, the date or date range of the notification event;
4. The number of consumers affected;
5. A general description of the notification event; and, if applicable,
6. Whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.
Notification Event
Notification must be provided to the FTC as soon as possible and no later than thirty (30) days after discovery of the notification event, electronically through the form on the FTC's website. The clock runs from discovery, not from the date of the intrusion, and the event is treated as discovered on the first day any of your employees, officers, or agents (other than the person responsible for the breach) knows of it.
Please note that timely notification is required. A law enforcement official may ask the FTC to delay its public posting of the notification event for up to 30 days, and the delay may be extended on a further written request, but none of this excuses timely notification to the FTC. We have a client that experienced a data breach; however, a law enforcement official sought a further 60-day extension, which the FTC granted because it determined that public disclosure of the notification event continued to “impede a criminal investigation or cause damage to national security.”
Federal and State Guidelines
Numerous state data breach reporting statutes contain a “risk of harm” provision. In a breach statute, that is a clause that conditions the duty to notify on the likelihood that the incident will actually harm the affected individuals; applying it means assessing the sensitivity of the data exposed, what an attacker could do with it, and how probable that harm is.
These statutes excuse notice to individuals and/or state regulators where the unauthorized acquisition or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual. The FTC Rule has no such risk-of-harm exception: once the definition of a notification event is met, the report is due.
This divergence between the FTC Rule and state law means a nonbank financial institution may have to report to the FTC even where state law requires no notice to affected individuals or the state attorney general, and the reverse can also occur, since most state statutes have no 500-person threshold for notice to affected individuals. I suggest you work with counsel to navigate the federal and state notification requirements.
Please contact us if you need an Information Security Plan or Privacy Policy, or if you require a review of your Privacy Compliance with our Privacy Tune-up®, an audit that meets regulatory scrutiny.
Jonathan Foxx, PhD, MBA
Chairman & Managing Director
[i] 16 CFR 314.2(h)(1).
[ii] 16 CFR 314.2(h)(2)(x)-(xi). See 12 CFR 225.86(b)(2), as referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).
[iii] See also 12 CFR 225.28(b)(1), as referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
[iv] Final rule amending the Standards for Safeguarding Customer Information, 88 FR 77499 (Nov. 13, 2023) (FR Doc. 2023-24412), 16 CFR Part 314, Federal Trade Commission.
[v] Pursuant to the GLBA's directive, the Federal Trade Commission promulgated the Safeguards Rule in 2002. See 67 FR 36483 (May 23, 2002). Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. The Safeguards Rule became effective on May 23, 2003. Id.