A Quick Look at the Recent FTC GLBA Amendment Proposals

Show of hands: how many people wish they could comment on Congressional bills and/or speak directly to the lawmakers responsible? Unfortunately, the insular nature of formal Congressional lawmaking makes this highly unlikely.

However, the FTC’s proposed amendments to the Gramm-Leach Bliley Act’s Safeguards and Privacy Rules provide just such an opportunity to directly interact and help shape the regulations that govern our organizations. Through Notice of Public Rulemaking (NPRM), the FTC has been soliciting comments and feedback about these upcoming changes. The first comment period, for the Privacy Rule, ends on June 3^th. But don’t fret, the Safeguard’s Rule comment period has just been extended until August 2^nd.

The two NPRMs, which were published to the Federal Register in March, have set off a firestorm of blog commentary and conjecture about regulatory intent and the potential impacts these changes may represent. The Privacy Rule NPRM (84 FR 13151) largely focuses on alignment with the Dodd-Frank Act’s revisions to and transfer of GLBA rule-making authority, and thus hasn’t worried most organizations. However, the more significant of the two is the Safeguard’s Rule NPRM (84 FR 13158).

The amendments to the Safeguards Rule propose extensive changes and  add a degree of rigor some organizations may find challenging. However, while the changes and additions are significant, they are not a departure from what most cybersecurity professionals would consider core best practices. The majority of the proposed additions were taken directly from NY State Department of Financial Services’ 23 NYCRR 500 and the National Association of Insurance Commissioners’ NAIC Model Law 668.

It is also very likely that most organizations are already fulfilling most of the proposed requirement which are, in essence, a codification of current cybersecurity best practices into GLBA. Links to the complete NPRMs are provided above,  but here is a quick synopsis of the more important changes your organization should be preparing for in the coming months:

16 CFR §314.4(a)

• The proposed amendment removes the allowance for designation of multiple employees to coordinate the CISO role, “employee or employees to coordinate your information security”, and requires designation of “a single qualified individual” responsible for overseeing and implementing the financial institution’s security program and enforcing its information security program.
• The use of an “outside expert” to fill the CISO role is specifically allowed. However, the allowance requires that all responsibility is still centered on the financial institution.

16 CFR 314.4(c):

• 16 CFR §314.4(c)(4): Encryption of Non-Public Information would be required in transit over external networks and at rest. There is an allowance for a reasonable alternative.

• 16 CFR §314.4(c)(6): Multi-factor authentication would be required to access customer information but, unlike 23 NYCRR 500, would exclude SMS as a possession factor based on the definition in §314.2(i). Again, allowance is made for a reasonable alternative.

• 16 CFR §314.4(c)(7): Security event logging and auditing, aka “audit trails”, designed to detect and respond to security events would be required but with no specifications on the type of logs or the length of retention.

• 16 CFR §314.4(c)(8): Development of processes for secure disposal of data after business necessity ends would be required.

• 16 CFR §314.4(c)(10): Formal policies, procedures, and controls to monitor user access and detect any anomalous behavior would be required.

Nothing listed above is shocking or set in stone. Each of these new requirements allows for alternative means of compliance meant to give organizations the ability to select the option(s) most reasonable for their budget and infrastructure. However, it is important to note that this type of legislation does seem to be the current trend. Case in point, for those living in Illinois, IL HB 2829 is a near carbon copy of 23 NYCRR 500 currently working its way through the Illinois legislature.

For anyone interested in commenting on the Safeguards Rule, here is the link: Regulations.gov.