Protecting Customer Data

Under the Gramm-Leach-Bliley Act (GLBA), organizations defined as “financial institutions” must keep customer information secure and confidential. The Safeguards Rule, one of three sections of the GLBA, was updated on December 9, 2021. Under this revision, the Federal Trade Commission noted that an organization “engaging in an activity that is financial in nature or incidental to such financial activities” is considered a “financial institution” and must comply.

Key changes to the Safeguards Rule will take effect December 6, 2022. Penalties for noncompliance with the Safeguards Rule could be of a financial or non-financial nature. There is a maximum charge of $46,517 per consent order violation.

Examples of organizations determined to be “financial institutions” under the Safeguards Rule include:

  • Retailers extending a credit card
  • Dealerships leasing a car long term (longer than 90 days)
  • Organizations appraising real estate or personal property
  • Counselors helping individuals associated with a financial institution
  • Businesses printing and selling checks on behalf of customers or wiring money
  • Businesses engaging in check cashing services
  • Income tax return preparers
  • Travel agencies
  • Real estate settlement services
  • Mortgage brokers
  • Colleges and universities accepting Title IV funds

Organizations classified as “financial institutions” will need to implement the following security practices, and then review and periodically update their formal policies and procedures, including:

  • Designating a qualified individual to oversee the information security program
  • Developing, implementing, and maintaining a written information security program
  • Completing a written information security risk assessment
  • Designing and implementing safeguards to control the risks identified through the risk assessment
  • Establishing continuous monitoring of information systems
  • Engaging third-party penetration testing and vulnerability assessments
  • Conducting security awareness training
  • Assessing third-party service providers periodically
  • Establishing a written incident response program
  • Providing the board or respective group with a written report periodically and at least annually from the qualified individual

Specific controls requirements regarding the implementation of safeguards include:

  • Implementing and reviewing access control
  • Inventorying the systems that handle customer information
  • Identifying and managing data based on risk
  • Encrypting data both in transit and at rest
  • Securing software development practices
  • Requiring the use of multifactor authentication for those accessing the information systems
  • Establishing secure procedures for disposing of data
  • Developing change management procedures
  • Implementing logging and monitoring procedures

While these elements must be implemented as part of an information security program, the revised rule is flexible enough to cover large and small “financial institutions.” Specific safeguards must be appropriate for the size and complexity of an organization and its operations, the nature and scope of activities involving customer information, and the sensitivity of the customer information handled by the organization. This means that organizations are permitted to implement different programs based on the scope of the operations and the assessment of potential security risks.

Depending on the sophistication and maturity of an organization’s personnel and security infrastructure, a comprehensive diagnostic assessment may be needed to get into compliance with the new and fast-approaching requirements. CLA’s Cybersecurity and Data Privacy Team has extensive experience providing guidance in developing such policies, procedures, and assessments, as well as helping organizations identify gaps in existing ones.

Thank you to Kadian Douglas for authoring this blog post and for the incredible information.


Carey is the Managing Principal of the Real Estate Industry at CLA. He is a trusted advisor with close to 20 years of experience providing accounting, assurance, tax, and consulting services to real estate industry owners, operators, family offices, developers and syndicators. Carey has a strong track record of helping clients build and retain capital by leveraging tax- and cost-saving strategies and employing tax credits and incentives. He also consults with high net worth individuals, large family groups, and owners of closely-held businesses on all aspects of tax planning, estate planning, and retirement planning.
