Unlike Europe, the United States does not have a uniform national privacy law. Instead we have a patchwork of state laws and federal regulations that apply to one industry or another.
One of those regulations is Gramm-Leach-Bliley or GLBA. GLBA was signed into law in 1999 and written over the years prior to that. It is probably a bit long in the tooth, so to speak.
The Federal Trade Commission (FTC) is responsible for creating the rules that implement GLBA. One of those rules is called the Safeguards Rule, written in 2003. Last month the FTC held a workshop to discuss proposed changes to the Safeguards Rule.
The Safeguards Rule only applies to companies regulated by GLBA. That includes banks, insurance companies, lenders and investment advisors, among others. These companies AND THEIR VENDORS AND BUSINESS PARTNERS will make an important contribution to the security and privacy of all Americans.
So what is the FTC proposing? Are they radical? No. Are they a silver bullet? No. But what they do is elevate the security and privacy conversation in businesses. Here are some of the proposed changes:
- Designate ONE QUALIFIED person to be responsible for overseeing the company’s information security program. They use the term Chief Information Security Officer or CISO, but the person does not have to have that title. They do, however, have to be qualified.
- Base the information security program on a written risk assessment that must include certain criteria for determining risk and address how the information security program will address these risks. These risk assessments must be done on a routine basis according to FTC staff.
- Provide security awareness training to to all personnel with extra training for people in more sensitive positions like information security. While this doesn’t sound profound, many companies still do once a year boring after lunch Powerpoints that staff quickly forgets, assuming they didn’t sleep through them.
- Implement encryption and multi-factor authentication. If you can’t do MFA then you must implement alternative security controls.
- They want the controls not to be based on how many employees you have or how many dollars you make but rather how much data you have access to.
- There was a comment period which ended earlier this month, but it will still take a while before anything becomes mandatory.
If you are part of the regulated industries, these are the things that you should be doing already, but if you are not, now is a good time to start doing these things.