The Gramm-Leach-Bliley Act (“GLBA”) was a bipartisan regulation passed by Congress in 1999 in an attempt to update and modernize the financial industry. One component of the GLBA, its Safeguards Rule, requires financial institutions to establish measures to keep their customers’ private information secure.
On December 9, 2022, certain provisions of the Federal Trade Commission’s amendments to the GLBA’s Safeguards Rule become effective. Other provisions expanding the scope of the Safeguards Rule took effect in January, so all businesses that handle consumer financial information should pay attention to these changes. Importantly, under the FTC’s new amendments to the Safeguards Rule, “finders,” or those that bring together buyers and sellers of a product or service, are now governed by the Safeguards Rule and must comply with its heightened data protection requirements. Therefore, companies offering third-party financing—such as car dealerships, furniture stores, and the like—should pay close attention to their new privacy and data protection obligations under the GLBA.
As part of the FTC’s amendments, multiple changes will become effective on December 9, including:
Qualified Individual Appointment. This amendment will require businesses to identify a “qualified individual” to oversee and implement their information security programs. This will typically be the firm’s Chief Information Security Officer. The amendment changes the prior requirement, under which any employee or representative could be designated.
Criteria for Risk Assessments. While risk assessments were required by the original rule, the amended rule sets forth mandatory criteria, including (1) criteria for evaluating and categorizing information security risks; (2) criteria for assessing confidentiality, integrity, and availability of the business’s information systems and customer data; and (3) requirements for identifying how to mitigate risks.
Additional Criteria for Implementing Safeguards. The amended rule now specifies additional requirements for implementing safeguards for risks identified by assessments, including access controls, data inventory, data disposal, change management, and monitoring, among other things.
IS Monitoring & Penetration Testing. The amended rule provides that information system monitoring must take the form of either “continuous monitoring” or “periodic penetration testing.” This change adds specific criteria to the rule’s general requirement that financial institutions regularly test or monitor the effectiveness of information security safeguards.
Other Requirements. The amended rule requires training for security personnel, periodic assessments of service providers, written incident response plans, and periodic reports from the qualified individual to the board of directors.
Under this amended rule, “financial institutions” includes a wide array of businesses, including those that engage in the following: (1) traditional banking functions; (2) making, brokering, or servicing extensions of credit; (3) property appraising; (4) collection services; (5) credit reporting; (6) asset management; (7) leasing property; (8) real estate settlement; and (9) bringing together buyers and sellers of any product or service that the parties negotiate and consummate.
Businesses that have not historically been required to comply with this rule must now do so. For example, if a retail business offers third-party financing for its purchases, it could be considered a “finder” under the amended rule and would have to comply with the Safeguards Rule. Failure to comply with these rules could open firms up to legal risk from regulators or others.
Ella A. Shenhav is a partner in the Tampa office of Shutts & Bowen LLP, where she is a member of the Business Litigation Practice Group. She is a Certified Information Privacy Professional (CIPP/US), accredited by the International ...