Data protection

The Federal Trade Commission (‘the FTC’) has set a compliance date of June 09, 2023, for the amendments under § 314 to the Gramm-Leach-Bliley Act's Safeguards Rule. These amendments require organizations in the United States of America (‘the USA’) that gather, store, process, or share personal information (including names, addresses, social security numbers, bank account information and other personally identifiable information of residents and citizens) to institutionalize specific data security measures.

Accountants and accounting firms that handle sensitive client information (such as their income tax returns, financial statements and financial records) have been brought under the ambit of the safeguards rule.

Is this just another complex set of data protection regulations, or does it give organizations an opportunity to reassess and institutionalize a sound security framework that mitigates privacy risks for their clients?

This thought leadership explains…

Context

The safeguards rule from the FTC seeks to safeguard personal data from external threats. This rule, which came into effect in 2002, was amended in 2021 (‘the revised rule’) with specific data security guidelines and a deadline of June 9, 2023 for compliance.

The safeguards rule requires non-banking financial firms to create, implement and manage an extensive security program to protect financial data relating to their clients. Accordingly, the specified organizations need to assess and institutionalize a security framework that addresses the concerns arising from the nature, frequency and impact of data breaches, while safeguarding the privacy of personal information relating to their clients.

Applicability

The safeguards rule first applied to those organizations in the USA that were largely engaged in financial activities, such as banks. The revised rule has expanded the FTC's definition to encompass organizations that engage in activities incidental to such financial activities, including the following:

  • Accountants and tax preparation service providers.
  • Automobile dealerships.
  • Financial career counsellors.
  • Credit counsellors.
  • Personal property or real estate appraisers.
  • A business that wires money between consumers.
  • Cheque cashing businesses.
  • A business that prints and sells cheques for consumers.
  • Retailers providing store credit cards.
  • A business that operates a travel agency in connection with financial services.
  • Mortgage brokers.
  • Credit unions.
  • Any business that charges a fee to connect buyers with consumers or loans with lenders and is involved in any financial transactions between these parties (a new financial institution category defined as “finders” by the FTC).
  • The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.

Compliance requirements

The revised rule lists the following nine requirements for compliance.

  1. Appointing a capable person or team to direct and execute the information security program | This could be a trustworthy service provider or one or more members of the organization’s own staff.
  2. Undertaking a risk analysis, as the foundation of the information security program | The security, confidentiality and integrity of client information needs to be assessed for both internal and external risks. The assessment needs to be documented and the organization needs to undertake regular risk assessments.
  3. Creating and implementing effective measures to mitigate risks | Organizations need to (a) implement access restrictions and review them on a regular basis; (b) maintain a regular inventory of the locations where data is gathered, kept and transmitted; (c) have in place a system, device and platform asset profile; (d) encrypt client data, both when it is stored on the system and in transit; (e) assess the security of applications (owned by the organization as well as those of third parties) that access or transfer client data; and (f) set up access protocols for all users in the organization who access consumer data, by implementing multi-factor authentication.
  4. Regularly monitoring and testing the effectiveness of safeguards | Organizations need to establish a process for tracking and analyzing security events, such as attempted or successful unauthorized access to client information. This process should facilitate the identification of patterns and trends, in addition to providing valuable insights for the ongoing improvement of security measures.
  5. Conducting training programs | The training programs need to be comprehensive and delivered regularly.
  6. Monitoring service providers or vendors | This relates to outsourcing functions such as data storage, IT support, or payment processing, all of which require entrusting sensitive data to external parties. The outsourced service provider needs to adhere to stringent security standards, and that adherence should be monitored.
  7. Keeping the information security program current | Organizations need to update security applications (such as anti-virus and firewalls) regularly, and periodically review and update their security policies and procedures to ensure they remain relevant and effective in addressing the organization's unique risks.
  8. Creating an incident response plan | The plan should outline the necessary steps, roles and procedures to ensure a coordinated and timely response.
  9. Reporting to the board of directors | These reports should include an overall assessment of the organization’s risks and of its compliance with its information security program(s). The report should cover service provider arrangements, test results and security training conducted.

Penalties

Failure to comply with the revised rule could result in hefty fines, class action lawsuits, and even imprisonment in severe cases. The fines can be up to US$ 100,000 or imprisonment for each violation. In addition, officers and directors can be fined up to US$ 10,000 for each violation.

We expect that the FTC will continue to broaden its definition of a financial institution, as digital transformation narrows the divide between third-party service providers and financial operations and increases their influence on those operations. This means that even if your organization does not currently fall within the definition of a financial institution in the revised rule, it could well be covered in the future.

The revised rule sets out fundamental measures to develop, implement and maintain an information security program, with administrative, technical and physical safeguards designed to protect personal financial information. While compliance may seem onerous, it presents a relatively unique opportunity to reassess and institutionalize a sound data security framework.

Should you require any assistance, please do not hesitate to write to us at contactus@mgcglobal.co.in. Our IT risk advisory experts will be pleased to support you.

Have a great Memorial Day.

Best wishes

Markets Team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For’ in 2020, amongst the ‘Top 25 Customer Centric Companies’ in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the US$ 4.98 billion, Atlanta-headquartered Allinial Global.

MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, ICFR and SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our firm has the capabilities to serve its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.98 billion) dedicated to the success of independent accounting and consulting firms since its founding in 1969. It currently has 261 member firms across the globe, with a presence in 105 countries.

Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.