On June 9, 2023, the Federal Trade Commission (FTC) rolled out significant updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, requiring financial institutions and organizations to take immediate action to ensure compliance.
Since this summer update, the team at McClintock has been working with institutions to review compliance risks and recommend updated procedures. In our initial assessments, we’ve identified several key issues that warrant careful review.
Expanded Consumer Definition
Under the new GLBA Safeguards Rule, “consumer information” is defined as “any record containing nonpublic personal information of a financial institution,” but the wording is not entirely clear. This definition has broad implications: when counting their total number of consumers, institutions should consider their handling of student files, including lead generation data, accreditation records, state agency requirements, and any other regulatory body requirements. If your institution handles the data of more than 5,000 consumers, additional steps must be taken to ensure compliance. This change highlights the importance of reassessing data management practices and ensuring that all records containing nonpublic personal information are handled with appropriate care and security.
Designated vs. Qualified Individual
The updated regulations introduce a fundamental change in terminology and responsibility. Under the initial implementation of the GLBA policy, the “designated individual” was responsible only for coordinating the institution’s information security program. That role has been replaced by the “qualified individual,” who carries additional responsibilities, including overseeing, implementing, and enforcing the institution’s information security program. Institutions are required to clearly specify the individual’s name and/or title in their policy and to ensure the individual is qualified for the role. Moreover, institutions meeting the consumer threshold noted above must ensure that this qualified individual reports at least annually to the executive team. Identifying the right person for this role is therefore essential, as they play a pivotal part in ensuring compliance.
Enhanced Oversight of Servicers
The new GLBA Safeguards Rule requires institutions to conduct periodic assessments of their servicers’ information security policies and to confirm that appropriate safeguards are being maintained. This update places the responsibility on educational institutions to ensure that servicers and third-party vendors maintain and enforce robust information security policies and procedures. Reviewing servicers is a critical aspect of compliance, as it directly affects the security of students and their consumer information.
Next Steps for Institutions
These revisions to the GLBA Safeguards Rule emphasize the critical importance of safeguarding consumer data and keeping pace with evolving data protection requirements. By now, institutions should already have revised their policies and procedures to comply with the updated regulations, sustaining an ongoing commitment to data security. Note that non-compliance could lead to severe consequences, which underscores the urgency for institutions to act promptly and diligently in response to these changes.
Does Your Institution Need to Prepare for an Audit?
While this article has covered three essential updates, it’s also important to recognize that 16 CFR Part 314 (Standards for Safeguarding Customer Information) contains a total of nine crucial elements that demand attention. Have you taken the necessary steps to address all of them?
Our team at McClintock is here to help ensure your institution is fully prepared and compliant. Your institution’s compliance and data security are paramount, and taking proactive steps to address these elements is a crucial aspect of that commitment. Connect with us today to schedule a thorough audit procedure review.