What is GLBA / the FTC Safeguards Rule?

GLBA was originally aimed at banks and traditional financial institutions. The FTC's updated Safeguards Rule (effective June 2023) dramatically expanded the definition of "financial institution" and the specific security controls required. If your Tennessee business handles any meaningful volume of consumer financial information, you're probably covered.

Who's covered under the updated Safeguards Rule

• Traditional banks, credit unions, brokerages, insurance companies
• Mortgage lenders and brokers
• Tax preparation services
• Auto dealers (financing arrangements)
• Real estate appraisers
• Career counselors providing services to financial institutions
• Companies that print and sell checks
• Many fintech and SaaS businesses serving financial customers

What the Safeguards Rule requires

• Designate a Qualified Individual to oversee the information security program (CISO equivalent)
• Written Information Security Program (WISP) with risk-based controls
• Risk assessment conducted and documented regularly
• Access controls — MFA, least-privilege, periodic access reviews
• Encryption — customer information encrypted at rest and in transit
• Multi-factor authentication required for any individual accessing customer information
• Disposal procedures — secure disposal of customer information
• Logging and monitoring of authorized user activity
• Change management for material system changes
• Penetration testing annually, vulnerability assessments every 6 months
• Security awareness training for all employees
• Vendor management — assess and contractually require security from service providers
• Incident response plan with documented procedures
• Annual report to the board on the security program

Enforcement

The FTC can impose civil penalties of up to $50,120 per violation (2024 amounts, adjusted annually). State attorneys general can also enforce. The 2023 Safeguards Rule update added specific breach reporting requirements: notify the FTC within 30 days of discovery of any incident involving unauthorized access to information of 500+ consumers.