Organizations that are significantly engaged in the financial industry must comply with the Gramm-Leach-Bliley Act (GLBA) when protecting and handling financial information. This law was passed by U.S. Congress in 1999, and targets not just banks and other financial institutions, but can also target law firms, tax preparers, accounting firms, loan preparers, and other organizations servicing the financial industry. Since Congress vested the Federal Trade Commission (FTC) with the authority to enforce GLBA, the FTC enacted the FTC Safeguards Rule to ensure that organizations falling under the GLBA’s purview uphold their duties to protect customer data. While the Safeguards Rule gives organizations flexibility when implementing data security safeguards, companies that fail to follow the rule’s tenets could face severe civil or criminal penalties for violating it and, in turn, the GLBA.
The Safeguards Rule allows the FTC to enforce sections 505(b)(2) and 501 of the GLBA, which both address the steps companies and firms significantly engaged in the financial industry must take to protect their consumers’ personally identifiable data and address potential data security vulnerabilities. The Safeguards Rule requires companies to establish and maintain cybersecurity plans that account for the physical, administrative, and technical security considerations pertinent to the company, based on its size and the type of data it handles.
Companies are encouraged to adopt security plans and execute measures that fit their specific needs. These include incorporating comprehensive employee training, enforcing strong password hygiene, and providing frameworks for supporting secure remote data access. The FTC strongly encourages companies to establish policies and procedures for securely transmitting and disposing of data, as well as taking reasonable steps to respond to imminent data breaches and to notify customers, federal authorities, and state authorities about discovered or ongoing breach activity. For those who want to learn more, the FTC has published a short compliance primer that outlines certain features and steps that companies should look out for. Organizations can also work with service providers that are capable of implementing reasonable and commensurate protections for their data. That being said, these organizations are advised to use contracts that require providers to maintain the quality of their safeguards and allow them to monitor how providers are handling their customers’ information.
Businesses and firms that fail to comply with the Safeguards Rule risk facing FTC enforcement actions. In one early Safeguards Rule case, a mortgage company that improperly secured clients’ Social Security numbers and other data was forced to undergo biennial audits for 10 years, along with related compliance reporting. As part of this, the company was required to take steps to upgrade its security infrastructure to ensure GLBA and Safeguards Rule compliance. A similar action against a mortgage group not only required the company to face these same sanctions, but also required its president to notify the FTC about any changes in his employment or any decisions to start new ventures.
Companies and firms can avoid these consequences by migrating their software and data to the cloud. With Abacus Private Cloud, you can safely and securely work with your customers’ data in a 256-bit AES-encrypted environment that you can access anywhere from any device, all while leveraging three layers of physical, server, and data security; 2FA; and our international network of geographically redundant, SSL-A-rated servers.