
If you operate in the financial services industry, your data security practices are governed by the Gramm-Leach-Bliley Act’s Safeguards Rule, as enforced by the Federal Trade Commission. This rule is far-reaching and detailed, so we have prepared the following compliance guide for you.
What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act (GLBA) is a United States regulation that governs business practices within the financial services industry. When it comes to secure file transfer, the GLBA’s Safeguards Rule requires financial services institutions to take certain steps to protect their customer information. These steps are detailed and enforced by the US Federal Trade Commission (FTC).
What is the Safeguards Rule?
The Safeguards Rule requires financial institutions to detail and implement plans to protect their clients’ information. These plans must include risk assessments, as well as information security plans that must be adapted and upgraded as security conditions change.
The Safeguards Rule also requires financial institutions to take steps to mitigate data theft through social engineering (also known as pretexting or phishing) that attempts to trick employees into divulging customer information.
What types of data does the Safeguards Rule cover?
The Safeguards Rule applies to any “nonpublic personal information,” which includes:
- Personally identifiable financial information
- Any consumer list that is built using the above personally identifiable financial information (for example, a marketing list or customer segment)
This includes information such as:
- Account numbers and balances
- Products purchased and the prices paid
- Interest indicated in any products
- Household income levels
- Social Security numbers
- Asset valuations
Who must comply with the Safeguards Rule?
The Safeguards Rule applies to any organization engaged in an activity that is primarily financial in nature, or that conducts business incidental to such financial activities. As such, its definition of which companies must comply is quite broad and includes:
- Mortgage lenders, brokers and servicers
- Any company that offers consumer credit (such as retailers, auto dealerships, etc.)
- Appraisal companies
- Travel agencies
- Payment companies (such as check cashing or wire transfer companies)
- Collection agencies
- Tax preparers
- Financial and investment advisors (including credit counselors)
- Credit unions
- Brokers
Of note, organizations with data on fewer than 5,000 consumers are not required to comply with the Safeguards Rule.
How must financial institutions comply with the Safeguards Rule?
At a high level, organizations must create a written information security program that details how they will ensure the security of their customer information while protecting against threats and unauthorized access to that information.
The specific compliance elements appear in Section 314.4 of the U.S. Code. Broadly, these requirements are:
- Assign a “Qualified Individual” to implement and supervise your information security program and report on its status to your Board of Directors
- Perform a risk assessment inventory of your data and security threats
- Implement safeguards to mitigate those threats
- Monitor and test your safeguards on a regular basis
- Train your staff on your information security program
- Detail security expectations for your service providers
- Create a written incident response plan
- Regularly update your information security plan as environment changes warrant
What best practices exist for Safeguards Rule-compliant file transfer?
Financial institutions transferring electronic files such as statements, receipts, and other information must comply with several information security program safeguards:
- Encrypt data at rest and in transit
  - Best practice: use FIPS 140-2 encryption for data in transit during file transfer, which complies with all current federal guidelines.
  - Best practice: use PGP encryption to protect your data at rest.
- Require multi-factor authentication for anyone within your organization who must access customer information
  - Best practice: set up two-factor authentication for your file transfer users.
  - Best practice: enable SSO for environments that require more stringent controls, such as biometric access.
- Securely dispose of customer information within two years
  - Best practice: create an automated file retention policy that enforces the two-year rule while allowing event-driven exceptions for data that remains in active use.
- Maintain a log of all authorized user data access to detect unauthorized access
  - Best practice: enable audit trails on your file server and review them regularly for irregularities. Configure email alerts that are triggered by any potentially suspicious activity.
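The last best practice above, reviewing the file server's audit trail for irregularities and turning them into alerts, is illustrated by the following added example. It is not code from Cerberus FTP Server or from this guide: the one-line-per-event log format, the customer entitlement map, the business-hours window and the failed-login threshold are all assumptions chosen for the example, and the log lines are constructed. It flags three kinds of irregularity a reviewer would want to see: a burst of failed logins from one address, file access outside business hours, and a user downloading a statement that belongs to a customer they are not entitled to view.

```python
"""Review a file transfer audit trail and raise alerts on irregularities.

Assumed (hypothetical) log format, one event per line:
  <ISO timestamp> <user> <event> <path-or-reason> <client IP>
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta
import posixpath

# Hypothetical entitlement map: which customers' statements each user may fetch.
# '*' marks an authorised reviewer who may fetch any customer's statement.
ENTITLEMENTS = {
    "alice": {"alice"},
    "bob": {"bob"},
    "carol": {"carol"},
    "ops_auditor": {"*"},
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumed local working window
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)
FILE_EVENTS = {"DOWNLOAD", "UPLOAD", "DELETE"}

# Constructed sample audit lines (not real server output).
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice LOGIN_OK - 10.0.0.5
2024-03-04T09:12:30 alice DOWNLOAD /statements/2024-02/alice.pdf 10.0.0.5
2024-03-04T23:40:11 bob LOGIN_OK - 10.0.0.9
2024-03-04T23:41:02 bob DOWNLOAD /statements/2024-02/carol.pdf 10.0.0.9
2024-03-05T02:00:00 mallory LOGIN_FAIL bad_password 203.0.113.7
2024-03-05T02:00:20 mallory LOGIN_FAIL bad_password 203.0.113.7
2024-03-05T02:00:40 mallory LOGIN_FAIL bad_password 203.0.113.7
2024-03-05T02:01:00 mallory LOGIN_FAIL bad_password 203.0.113.7
2024-03-05T02:01:20 mallory LOGIN_FAIL bad_password 203.0.113.7
2024-03-05T02:01:40 mallory LOGIN_FAIL bad_password 203.0.113.7
2024-03-05T08:30:00 carol DOWNLOAD /statements/2024-02/carol.pdf 10.0.0.12
2024-03-05T10:15:00 ops_auditor DOWNLOAD /statements/2024-02/bob.pdf 10.0.0.20
"""


def parse_line(line):
    """Split one audit line into its five fields."""
    ts, user, event, target, ip = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, event, target, ip


def statement_owner(path):
    """Return the customer a statement file belongs to, or None for other paths.
    Assumed layout: /statements/<period>/<customer>.pdf"""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "statements":
        return posixpath.splitext(parts[2])[0]
    return None


def review_audit_log(text):
    """Walk the log once and return a list of alert records (dicts)."""
    alerts = []
    fails = defaultdict(deque)          # client IP -> timestamps of recent failures
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ts, user, event, target, ip = parse_line(raw)
        base = {"ts": ts.isoformat(), "user": user, "ip": ip, "target": target}

        if event == "LOGIN_FAIL":
            window = fails[ip]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) == FAIL_THRESHOLD:                 # fire once per burst
                alerts.append({"rule": "login_fail_burst", **base})
            continue

        if event in FILE_EVENTS:
            if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
                alerts.append({"rule": "off_hours_access", **base})
            owner = statement_owner(target)
            allowed = ENTITLEMENTS.get(user, set())
            if owner is not None and owner not in allowed and "*" not in allowed:
                alerts.append({"rule": "unentitled_statement_access", **base})
    return alerts


def format_alert_email(alerts):
    """Render the alerts as the body of a notification email."""
    lines = [f"{len(alerts)} audit irregularities found:"]
    for a in alerts:
        lines.append(f"- [{a['rule']}] {a['ts']} user={a['user']} ip={a['ip']} target={a['target']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert_email(review_audit_log(SAMPLE_LOG)))
```

Against the constructed log this produces three alerts: bob's download at 23:41 is both off-hours and for a statement he is not entitled to, and the sixth failed login from 203.0.113.7 trips the burst threshold once (the fifth failure fires it; later failures in the same window are not re-alerted). In a real deployment the thresholds and entitlement map would come from the server's configuration, and the rendered body would be handed to whatever mail or ticketing hook the server provides.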
For more information
We hope that this guide has helped you understand how to configure your secure file transfer environment to comply with the Safeguards Rule. For more information, you can review Cerberus FTP Server by Redwood’s information on file transfer for financial services, or contact our support team to inquire about specific use cases.