GLBA Updated Safeguards Rule
The FTC’s revised Safeguards Rule is designed to help organizations ensure the security and confidentiality of customer information and protect against anticipated threats or unauthorized access to sensitive data.
CampusGuard is eager to help your organization understand how the GLBA and the updated Safeguards Rule apply to your environment and identify next steps in building an information security program to meet your organization’s ongoing compliance requirements.
Comprehensive Doesn't Have to Mean Complicated
All financial institutions are required to be compliant with the GLBA. For campus and community-based organizations with many end users and multiple payment systems and applications, it can be difficult to keep track of all the data that you are required to protect. We’ve got you covered with our GLBA Compliance Assessment.
CampusGuard's GLBA Compliance Assessment
Our goal for the assessment is to identify and analyze areas of risk, understand the impact of third-party services, and evaluate the sampled areas against the appropriate industry-recognized information security frameworks. We will gauge your organization’s compliance with these key cybersecurity elements of the GLBA Safeguards Rule:
- A documented information security program
- Designated employee(s) to coordinate the program
- Formal, documented risk assessments that identify reasonably foreseeable internal and external risks to data security
- Employee training and management
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal
- Information safeguards designed and implemented to control the identified risks, with regular testing and monitoring of their effectiveness
Access the Higher Ed Guide to Achieving GLBA Compliance
This guidance document is designed to help higher education institutions understand how the GLBA and the updated Safeguards Rule apply to campus environments, and how best to meet the new compliance requirements which took effect June 9, 2023. The guide will help your institution effectively structure your information security program with tools to:
- Clarify GLBA impact and who it applies to
- Identify the information and systems in scope
- Outline best practices for protecting customer information
- Specify written information security program requirements
- Pinpoint next steps with a GLBA Compliance Checklist
- Understand the benefits of GLBA Compliance
- Learn more about CampusGuard’s GLBA online training course and assessment services
- Access additional resources, such as case studies and blog articles that provide GLBA guidance and insight
Why Choose CampusGuard?
At CampusGuard, our assessment methodology is designed specifically for complex campus and community-based organizations. Our GLBA experts work directly in partnership with your organization to help you understand the requirements, identify vulnerabilities, and report recommended steps for remediation.
- Cost per record of personally identifiable information lost: customer PII is the most common type of record lost.
- Average number of days to detect/contain a data breach: this number has increased annually over the last five years.
- $9.44M: average cost of a data breach in the United States in 2022. Cost includes escalation, notification, response cost, and lost business.
“We have been working with CampusGuard for the past six years and their services have been invaluable. Our Chief Strategy and Technology Officer, Chris Boniforti, had a vision to increase IT Security and awareness at the university and the first step toward that was for us to formalize a PCI program and align with NIST standards. CampusGuard was instrumental in helping us achieve his goals. They helped us complete a PCI Assessment, which eventually helped us build our PCI compliance program. Next, we added a GLBA Compliance assessment, GDPR brainstorm sessions, review and updating of University IT Security policies and most recently an external penetration test.”
GLBA Frequently Asked Questions
The Gramm-Leach-Bliley Act (GLBA) is a federal law in the US that aims to protect the privacy of consumer financial information by requiring financial institutions to inform customers about their information-sharing practices and to allow customers to opt out of certain types of information sharing. It also requires financial institutions to establish safeguards to protect the security and confidentiality of customer information.
The GLBA applies to a wide range of financial institutions, including banks, securities firms, insurance companies, and other financial service providers. It is enforced by several federal agencies, including the Federal Trade Commission (FTC) and the Federal Reserve Board.
The GLBA applies to a wide range of financial institutions, including:
- Banks and credit unions
- Securities firms, including broker-dealers, investment companies, and investment advisors
- Insurance companies, including life, health, and property and casualty insurers
- Mortgage brokers, loan servicers, and other non-bank lenders
- Financial service providers, including check-cashing and money-transmission businesses
- Any other entity that provides financial products or services to consumers
GLBA applies to both large and small financial institutions, and compliance is required regardless of the size of the institution.
The GLBA has three main rules that financial institutions must comply with to protect the privacy and security of customer information. These rules include:
- Financial Privacy Rule: This rule requires financial institutions to provide customers with a privacy notice that explains what information is collected, how it is used, and how it is shared. Financial institutions must also provide customers with the opportunity to opt out of sharing their non-public personal information with third parties.
- Safeguards Rule: This rule requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the confidentiality, integrity, and availability of customer information. The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities.
- Pretexting Protection Rule: This rule prohibits the practice of pretexting, which is when someone uses false pretenses to obtain customer information from a financial institution. Financial institutions must have procedures in place to verify the identity of any person requesting customer information, and they must report any unauthorized attempts to obtain customer information to the appropriate authorities.
According to the FTC Safeguards Rule, there are numerous components that financial institutions must consider when developing their information security program. These include:
- Risk Assessment: Financial institutions must identify and assess the risks to customer information in their possession.
- Security Program: They must develop a written information security program to address the identified risks. This program should outline the procedures and measures in place to protect customer information.
- Designate a Coordinator: Financial institutions must appoint an individual or team responsible for coordinating and overseeing the information security program.
- Employee Training: Employees must be trained to implement the information security program effectively and maintain the security of customer information.
- Access Controls: Access controls must be implemented so that only authorized individuals can access customer information.
- Service Provider Oversight: Financial institutions need to evaluate the security practices of their service providers who have access to customer information and ensure they implement appropriate safeguards.
- Regular Monitoring and Testing: Ongoing monitoring and periodic testing of the information security program are necessary to identify vulnerabilities and address them promptly.
- Adjustments and Updates: The information security program should be regularly reviewed, updated, and adjusted in response to changes in technology, the sensitivity of customer information, and other factors.
- Incident Response and Recovery: Establishing a plan to respond to and recover from security incidents involving customer information, including notifying affected individuals when necessary.
While the specific requirements may vary depending on the size and complexity of the financial institution, these components generally form the foundation of a comprehensive information security program under the Safeguards Rule. CampusGuard is ready to assist your organization in meeting GLBA compliance. Let us know how we can help!
GLBA Case Study
West Virginia University Achieves GLBA Compliance Partnering with CampusGuard
Learn how CampusGuard's remediation strategies enabled WVU to make decisions about security-related initiatives to accept, reduce, or eliminate risks. They also support long-term strategic risk management activities to ensure the protection of NPI (non-public personal information).