The Federal Trade Commission (FTC) has required financial institutions to use “reasonable” security controls since 1999, without ever saying what “reasonable” means. That is about to change.
What is the GLBA Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA) established one of the earliest U.S. federal regulations requiring organizations to protect the personal information of their customers. Also known as the Financial Modernization Act of 1999, GLBA’s Safeguards Rule provided only general instructions for applying safeguards: information security controls are to be “reasonable” and are expected to be tied, in some unspecified way, to the risk assessments that the Safeguards Rule also requires.
The FTC has been challenged over its use of the term “reasonable” to set the standard for cybersecurity. While many complain that the word is overly vague, the FTC is reluctant to be too specific in its list of required controls. It needs to avoid overstepping its rule-making authority, and it prefers that the marketplace determine what is reasonable.
The Fall of “Reasonable”?
In a decision by the 11th Circuit Court in 2018, the FTC was told that its use of the word “reasonable” was overly vague. And because it was vague, an organization, LabMD, was right to say that the FTC arbitrarily and unfairly enforced the regulation.
Nineteen years after issuing the Safeguards Rule and enforcing the Federal Trade Act using reasonableness as the standard, the FTC needed to rethink how it describes the level of security that organizations must use to protect consumers.
So now the question arises: are we better off with a vague regulatory standard that lets the marketplace define “reasonable” and lets the FTC enforce the rule arbitrarily, or with a regulator telling everyone the specific controls they must apply to their business, regardless of how that business functions?
HALOCK is helping the FTC understand that there is a third, better option that supports both the public interest and the needs of the marketplace.
Recent Updates to GLBA
In 2019 the FTC proposed a set of changes to the Safeguards Rule to move past the 11th Circuit Court’s concerns. Some of these proposed changes are outlined below:
- The appointment of a Chief Information Security Officer (CISO) is now required. The role can be assigned to a qualified individual who is an internal employee or who works for an affiliate or service provider; the requirements vary depending on which organization employs that individual. The CISO must present an annual report to the governing body of the institution covering its compliance status and other summaries.
- The definition of “financial institution” is being expanded to cover “finders” who charge a fee to connect consumers to lenders, as well as other types of organizations.
- All customer information must now be encrypted when transmitted over external networks and encrypted while at rest as well. An alternative control can be substituted if reviewed and approved by the CISO.
- A multi-factor authentication (MFA) system must be implemented for any individual gaining access to customer information over the institution’s network.
- A written incident response plan must be created that outlines the institution’s internal processes for responding to a cybersecurity incident. The plan must define roles, responsibilities, the proper channels for decision making, and possible remediation steps.
- Institutions should regularly test the effectiveness of their implemented information security controls, including regular monitoring, annual penetration testing, and biannual vulnerability assessments.
What HALOCK is Doing to Help
HALOCK Security Labs has been working with federal and state regulators, litigators, and information security leaders to establish a practical definition of “reasonable security” that requires neither overly specific regulations nor overly vague standards that a regulator can enforce arbitrarily.
While working with defendants, plaintiffs, and covered entities, HALOCK uses Duty of Care Risk Analysis (DoCRA) to test whether organizations balance the risk of harm to others against the burden of the safeguards that reduce those risks. DoCRA is a simple balancing test that adheres to the objectives, history, and culture of regulations, litigation, and information security standards.
HALOCK will be working with the FTC to introduce duty of care as a standard for reasonableness. This would allow regulators to provide specific guidance about when controls can be considered reasonable given the particulars of any business and its unique risk landscape.
Upcoming Workshop on GLBA Updates
The FTC will be offering an online workshop on all of its proposed changes on Monday, July 13, at 9:00 EDT. The event will be webcast live on the FTC’s website and can be viewed by anyone who wishes to attend. HALOCK partner Chris Cronin will be one of the panelists. Some of you may be familiar with Chris’s work with DoCRA and the Center for Internet Security’s risk assessment method (CIS RAM), and through his many public speaking engagements and publications. Chris also serves the Sedona Conference, a legal think tank that develops guidance for regulators and litigators on interpreting and applying complex legal questions, such as the reasonableness of cybersecurity controls.
More information on the workshop is available here: Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule. The workshop will be held online.
If you cannot make the online event, we invite you to review your compliance requirements with us and learn how we can help you achieve reasonable security.