Do you know about the latest business compliance deadline that takes effect December 2022?



When the topic of data privacy and cyber security comes up, most people automatically think of data breaches, especially given the high-profile nature of so many of them. A lot of confusion arises in this area because many businesses do not fully appreciate the specific laws and regulations with which they are required to comply, or how best to do so. Those in the healthcare field typically have to comply with HIPAA/HITECH, which means complying with the Privacy Rule and the Security Rule. Entities in the education field have to comply with FERPA and, sometimes, COPPA. But what about compliance obligations in other industries? Take, for example, those in the financial industry, such as banks, which have to comply with the Gramm-Leach-Bliley Act (GLBA). Many businesses assume that “financial institution” for purposes of GLBA compliance means a bank, and therefore assume that GLBA does not apply to them. This, however, may not be correct. GLBA applies to far more businesses than just banks. The misunderstanding seems to come from two main sources. First, many businesses simply do not understand that they are considered a “financial institution” under GLBA. Second, many businesses believe they are simply too small to warrant such federal regulatory oversight.

What businesses does GLBA cover?

Businesses that must comply with GLBA are “financial institutions,” but what counts as a “financial institution” under GLBA goes much further than banks and credit unions. Under GLBA, a financial institution includes any business that is “significantly engaged” in providing financial products or services, including: check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders (such as auto dealers), personal property or real estate appraisers, professional tax preparers such as CPA firms, courier services, credit collection agencies, etc., just to name a few. As for a business size requirement, there is NONE, whether you have 3 employees or 30,000.
So, if you are in one of those businesses, there are some things about GLBA you need to know.

Step 1: Complying with the Safeguards Rule

The first compliance hurdle under GLBA is complying with the Safeguards Rule, which was issued by the Federal Trade Commission (FTC) and requires financial institutions to have measures in place to protect and keep secure the consumer information they collect.

Requirement 1: Written Information Security Plan (WISP)

The first requirement of the Safeguards Rule is that financial institutions must have a written information security plan (WISP) that describes the company’s processes for protecting customer information. The WISP should not be one-size-fits-all, because it must include administrative, technical, and physical safeguards appropriate to the business’s size, the nature and scope of its activities, and the sensitivity of the customer information at issue.

The requirements are flexible, but they are nevertheless requirements.

Requirement 2: Securing Information

The Safeguards Rule also requires companies to assess and address risks to customer information in all areas of operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures.

There are many different ways to assess and address these various risks, typically through a Risk Assessment that reviews HR, operational, and technological risks.

Step 2: Complying with the Privacy Rule

Financial institutions must also comply with the Privacy Rule, which requires that they give their customers a “clear and conspicuous” written notice describing their privacy policies and practices. When the notice is provided and what the notice says depends on what the financial institution does with the information. This is important because the FTC, which enforces GLBA, is doing just that: it is enforcing it, especially in the context of data privacy non-compliance issues.

The FTC’s recent complaint against TaxSlayer provides a good roadmap of the level of security the FTC expects financial institutions to have under GLBA and what will be expected of them.

What to do now?

If you are a business that knows, or is just discovering, that it is a financial institution under GLBA, and you are not in compliance with the Safeguards Rule and/or the Privacy Rule, whether because you don’t have a WISP or proper notices, or because you are simply unsure of your level of compliance with the FTC’s standards, please contact us so we can help you review your current compliance status and assist you in checking off the compliance requirements you must meet.
