Co-authored by Alison Bird
On March 5, 2019, the FTC proposed changes to the Safeguards Rule of the Gramm-Leach-Bliley Act (GLB) which would create new, prescriptive security obligations for companies regulated under GLB, similar to those under the New York State Department of Financial Services. While most people think of GLB as applicable only to financial institutions, the FTC defines a financial institution very broadly. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act, provided such entities are not subject to other regulators under GLB. Some examples of financial institutions mentioned in the proposal are:
- A retailer that extends credit by issuing its own credit card directly to consumers;
- An automobile dealership that, as a usual part of its business, leases automobiles on a non-operating basis for longer than 90 days;
- A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity;
- A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company;
- A business that prints and sells checks for consumers, either as its sole business or as one of its product lines;
- A business that regularly wires money to and from consumers is a financial institution;
- A check cashing business (because cashing a check is exchanging money, which is a financial activity);
- An accountant or other tax preparation service that is in the business of completing income tax returns;
- A business that operates a travel agency in connection with financial services;
- A mortgage broker;
- A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.
While these examples are specifically mentioned, one of the other activities of interest captured under GLB is “Data Processing”, which is defined as:
(i) Providing data processing, data storage and data transmission services, facilities (including data processing, data storage and data transmission hardware, software, documentation, or operating personnel), databases, advice, and access to such services, facilities, or databases by any technological means, if:
- The data to be processed, stored or furnished are financial, banking or economic; and
- The hardware provided in connection therewith is offered only in conjunction with software designed and marketed for the processing, storage and transmission of financial, banking, or economic data, and where the general purpose hardware does not constitute more than 30 percent of the cost of any packaged offering.
(ii) A company conducting data processing, data storage, and data transmission activities may conduct data processing, data storage, and data transmission activities not described in paragraph (b)(14)(i) of this section if the total annual revenue derived from those activities does not exceed 49 percent of the company’s total annual revenues derived from data processing, data storage and data transmission activities.
This clearly captures many Fin-Tech companies.
Some of the new, proposed requirements for regulated entities are as follows:
- Appointment of a Chief Information Security Officer (CISO). A single person must be accountable for overseeing the institution’s entire information security program. For companies that maintain data of more than 5,000 consumers, the CISO would be required to report at least annually to the board of directors or equivalent governing body. Unlike the NYSDFS, there is no certification requirement.
- Information Security Program Based on a Written Risk Assessment. A risk assessment based on criteria for evaluating the risks of the company’s information systems and the customer information it holds would be required to be performed periodically. Such risk assessment would have to address how the financial institution would mitigate or accept any identified risks. A written risk assessment would be mandated only for companies that maintain data of more than 5,000 consumers.
- Access Control Requirements. Controls to authenticate individuals and permit only authorized access would have to be in place and would have to be reviewed periodically. Data, personnel, devices, systems and facilities would be part of the access control program. An inventory of data and the systems on which data is collected, stored, or transmitted would be required. Restricted access to physical locations containing customer information (including those where paper records are stored), as well as security of physical devices that contain personal information, such as laptops, tablets, phones, and removable media, would be required.
- Encryption of Customer Information in Transit and at Rest. Encryption of customer information would be required in transit and at rest. If infeasible, alternative means would be permitted if reviewed and approved by the CISO.
- Security of In-House Developed Applications. Adoption of secure development practices for in-house developed applications used for transmitting, accessing, or storing customer information as well as procedures for evaluating, assessing, or testing the security of externally developed applications used to transmit, access, or store customer information would be required. This requirement is explicitly distinct from network security requirements.
- Implementation of Multi-Factor Authentication (MFA). Multi-factor authentication would be required for any individual accessing customer information unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
- Audit Trails. Audit trails designed to allow the detection of actual and attempted compromises and provide sufficient information to allow for a reasonable response to the event would be required. Specific retention periods are not specified.
- Data Minimization. Customer information would have to be discarded when it is no longer necessary for a “legitimate business purpose,” an undefined term in the proposed regulations.
- Change Management. Procedures governing the addition, removal, or modification of elements of an information system would have to be adopted.
- Monitoring Authorized Users. Distinct from the proposal’s Audit Trail requirement, financial institutions would have to implement policies and procedures to monitor the activity of authorized users, detect unauthorized access, use of, or tampering with customer information, and identify inappropriate use of customer information by authorized users.
- Continuous Monitoring. Regular monitoring of an information system’s security, including monitoring for security threats, misconfigured systems, and other vulnerabilities, would be required. For companies that process the data of 5,000 or more consumers, monitoring and testing would have to be continuous; otherwise, periodic penetration testing and vulnerability assessments would be required.
- Personnel Requirements. Security awareness training, updated to reflect risks identified by the Risk Assessment, would be required of personnel who have the ability to handle, access, or dispose of customer information. Only “qualified information security personnel” could be utilized to manage security risks or perform or oversee the information security program. Financial institutions would have to verify that security personnel take steps to maintain current knowledge of cyber security threats and countermeasures.
- Assessment of Service Providers. Service providers would have to be assessed on an ongoing basis, not just at on-boarding, to ensure that they are maintaining adequate safeguards to protect customer information they possess or access.
- Incident Response Plan. For companies with access to the data of five thousand or more individuals, an Incident Response Plan would be specifically required.
Next Steps and Recommendations
Written comments to the proposal will be due within 60 days of its publication in the National Register, and it is possible that certain proposed amendments will be modified. Nevertheless, the proposal is similar to and consistent with a growing national trend of regulations requiring financial institutions to address cyber security in a comprehensive, top-down way. Even for currently unregulated entities, it seems clear that such regulations are likely to become a default industry standard. Financial institutions – and their business partners – should not wait for the regulatory hammer to come down to address their cyber security issues in line with this regulatory trend. First steps should include filling the CISO role, conducting a risk assessment, and developing an incident response plan.