The Final Rule: 3 Biggest Changes to the GLBA

Cole PrudenGLBA, Mandatory Data Compliance

The Final Rule: 3 Biggest Changes to the GLBA blog PII Tools

The clock is ticking before the GLBA looks to take sensitive data protection to the next level… or maybe the next few levels. And with a deadline just several weeks before the holidays, many companies are scrambling with more than just last-minute Christmas shopping. So, are you ready for the biggest cybersecurity regulation update in the past 20 years?

The GLBA is Calling

Hopefully, this isn’t the first you’re hearing of the Gramm-Leach-Bliley Act (GLBA for short), especially if you own or work for any sort of financial institution. But if you’re new to the GLBA or simply looking for a rundown on its latest amendment, then you’ve come to the right place.

What is the GLBA?

Good question. Let’s go for a little history lesson, back to the year 1999, when the GLBA was first enacted by the Federal Trade Commission to “require all financial institutions – companies that offer customers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data”.

The GLBA also requires that the FTC continuously update the regulation to meet modern demands. For instance, in 2002, the Safeguards Rule was added, which has since served as the driver for most financial institutions to create and uphold information security policies over the past two decades.

But now, or rather as of December 9th, 2022, the GLBA is scheduled to enforce its largest facelift yet, sinisterly dubbed “The Final Rule”. And because the GLBA applies to all banks, loan offices, and brokerage firms alike based in the US, it’s safe to say this concluding amendment is going to make some waves, especially if you’re not ready for it.

But the entirety of GLBA can’t be broken down in detail in a single article, so let’s focus on three of the biggest changes you can expect come December 9th.

#1: 314.4 (a) – Designating a “Qualified Individual”

Does the term “Data Officer” ring a bell? Maybe your company or employer already has a data office; that’d certainly be a step in the right direction. Especially considering the fact that the GLBA already required financial institutions to appoint an employee or employees to oversee and coordinate the company’s information security program.

That regulation, however, was left a little vague on purpose. Now, however, bank owners and insurance reps can’t get away with just pointing at a group of employees and saying, “Hey, if anybody asks, you guys are in charge of data security, okay?”

As of Dec. 9th, all financial institutions are required to identify a single individual who is ultimately responsible for the entire program. Not only that, but they also need to have the proper qualifications relevant to the size and complexity of the given institution. But because no specific certifications or education requirements are given by this new amendment, people like the company’s owner or the head of IT can easily be named “Data Officer”.

#2: 314.4 (b)(1) Written Risk Assessment

Maybe you noticed the term “information security program” mentioned above. In short, every financial organization is required to have a functional program of set activities, projects, and initiatives designed to protect the sensitive data of users and employees, as well as to support the institution’s technology framework.

The Final Rule aims to further specify this program by adding a formal risk management element to this program, with a written risk assessment as the main artifact. Although the GLBA already required organizations to take a risk-based approach when establishing security policies and controls, this new amendment throws three specific criteria into the mix (which can be a bit wordy, but they’re quite important, so try to stick with me):

This part of the updated GLBA is really all about identifying and mitigating security risks, now with the added requirement of the data officer writing a formal assessment, which, in many cases, will require financial organizations to seek the help of an authorized security professional.

#3: 314.4 (c) Specific Required Security Controls

Now, I’ve saved the biggest and baddest addition to the GLBA for last. If you really wanted to get into the weeds on 314.4, then you better cozy up next to the fireplace for a lengthy read. But for everyone else, let’s just brush over some of the more notable points.

And keep in mind that many of these new regulations weren’t required before for most smaller organizations, but they are now.

And That’s Not All…

If it isn’t obvious by now, the Final Rule to the Gramm-Leach-Bliley Act is making some serious changes. I’ve summarized three of the most important updates above, but I never even made it to vulnerability scanning, employee security training, vendor risk management, and so on.

Although the GLBA isn’t most people’s choice for a relaxing read on a Sunday afternoon, time really is running out for financial institutions to put the necessary changes in place. Everything from appointing a data officer, to running lengthy risk assessments on all customer sensitive data need to be implemented no later than December 9th, 2022.

The Right Choice for Your Customers

But in the end, caring for and protecting the private and sensitive data granted to financial institutions by their users is simply the right thing to do. They trust you with their information, and you provide them with services in return. 

Maybe it’s best to put those Christmas decorations down now and put planning this year’s holiday corporate holiday off until you’re done implementing “The Final Rule”. Come December, the GLBA waits for no man, or woman, or data officer. So… Are you ready?

Get Ready for the GLBA and Its Final Rule With PII Tools Data Discovery Software