On March 5, 2019, the FTC proposed a number of revisions to the Safeguards Rule issued under the Gramm-Leach-Bliley Act (GLBA). As we know, the current GLBA Safeguards Rule provides fairly general security requirements and is not overly prescriptive about how organizations must protect sensitive information. The proposed changes provide more detailed guidance and instruct institutions to implement more specific information security controls.
These changes are not immediate. There is a designated comment period, after which a revised final version of the rule will be approved by the FTC. The FTC predicts that the new version of the rule will be out by the end of 2019. A few of the proposed changes include:
- Updates to the definition of a security event: an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system. This new definition will include ransomware or DoS attacks as cyber incidents that will need to be monitored and resolved.
- Placing access controls on information systems, designed to authenticate users and permit access only to authorized users.
- Requiring information systems to include audit trails designed to detect and respond to security events.
- Monitoring the activity of authorized users and detecting unauthorized access to, use of, or tampering with customer information by such users.
- Requiring the development of procedures for secure disposal of customer information in any format that is no longer necessary for business operations.
- Regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures, including those that detect actual and attempted attacks. This can be met through continuous monitoring or through periodic penetration testing and vulnerability assessments.
- Expanding the risk assessment process, and requiring that institutions inventory and classify all data and then have a plan that identifies threats, evaluates the risk to their information systems and data, and determines how those risks will be mitigated.
- Requiring an incident response plan. No breach notification requirements at this time, although those could potentially be added.
- Requiring the Chief Information Security Officer to produce an annual report on the overall status of the information security program and on material matters related to it, addressing items like the risk assessment, results of testing, security events or violations, and management’s response.
Many of these updates come directly from the New York Department of Financial Services Cybersecurity Regulation, and are similar to the requirements of the EU General Data Protection Regulation (GDPR). Data security legislation from individual states seems to be leading the way in the US, with the New York regulation, the Ohio Data Protection Act, and now the California Consumer Privacy Act. How you meet these different legal requirements is most often determined by your institution, but following a comprehensive information security framework is recommended. One of the more recent amendments to the California Consumer Privacy Act links reasonable security procedures and practices to the NIST standards, either the Framework for Improving Critical Infrastructure Cybersecurity or NIST SP 800-171. Ohio’s Safe Harbor Law also recently referenced the NIST standards, as well as the CIS Controls and the ISO 27000 series. You may remember that the OCR ‘Dear Colleague’ guidance regarding FY Audits for Higher Education also specifically referenced NIST SP 800-171.
Is your information security program clearly defined? How are you ensuring appropriate controls have been implemented and are being monitored across campus? Are you performing an annual risk assessment or gap analysis to determine if required controls are in place?
As the new GLBA Safeguards Rule is published, we will keep you updated on final rules and requirements to be aware of. Please don’t hesitate to reach out to us for assistance.
Some additional guidance from the CampusGuard Security Advisor team:
[Hopkins]: While it appears that the GLBA Safeguards Rule provides some national guidance on data protection, no such standard exists for the emergence of rules for data privacy such as GDPR and CCPA. The landscape for new privacy regulations is far-ranging. In addition to the state regulations previously listed, eleven states are also implementing data privacy legislation. For organizations doing commerce and education in multiple states, new and different regulations can be problematic.
At the Federal level, there are several initiatives to provide data privacy protections. Congress, both the House and the Senate, have submitted several bills relating to privacy. Additionally, several Federal agencies have weighed in on the need for privacy legislation. The promise of Federal privacy regulations may provide welcome standardization.
Educational institutions should become familiar with emerging regulations in their home state and consider privacy regulations when evaluating their enterprise risk assessments. It is incumbent, when engaging service providers that have access to individuals’ data, that clear restrictions for the compliant use and management of the data are included in the master service agreement.