The recent, largely unnoticed amendment by the Federal Trade Commission to the long-running Gramm-Leach-Bliley Act could lead to more business for small and medium-sized businesses and more oversight of certain institutions.
One of the challenging aspects of being an MSP is navigating the ever-changing legal landscape. Between HIPAA, GDPR, CCPA, and more, there are always new laws and regulations to be aware of, most of which govern data collection, protection, and dissemination.
And usually, once you learn the laws and are comfortable with them, they either change or new laws are enacted. There are 18 different pieces of legislation currently under consideration in the US Congress that relate solely to cybersecurity.
“Sometimes it seems like an MSP needs an attorney on the quick to keep up with everything,” admits Colin Banks, a cybersecurity and law specialist in Seattle. “The Gramm-Leach mod is a great example of how to get around the new regulations and new requirements.”
Congress passed the Gramm-Leach-Bliley Act in 1999, in the early days of the internet, to protect financial data. As the internet has grown into something that permeates every aspect of life, the law has been amended several times.
Recent changes to Gramm-Leach broaden the definition of what a “financial institution” is. In addition to banks, the rules now cover entities such as payday lenders, pawnshops, brokerages, mortgage clearinghouses, and auto dealers.
The expanded umbrella of companies covered by Gramm-Leach is important because it requires these newly covered companies to develop, implement and maintain a comprehensive security program to keep their customers’ information secure. From an FTC press release summarizing the changes:
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, director of the Federal Trade Commission’s Office of Consumer Protection. “The updates approved by the commission outline the common sense steps these organizations should take to protect consumer data from cyberattacks and other threats.”
Notable Gramm-Leach Updates for MSPs
The new rules also require that financial institutions appoint a “qualified individual” to oversee their cybersecurity compliance. The new law does not expressly state what qualifications that individual must have. However, it may not be enough for a company to have an in-house IT person handling cybersecurity. In many cases, an MSP may make the most sense.
- Companies covered by Gramm-Leach must now create, implement and maintain a comprehensive information security program.
“It will no longer be enough to put cybersecurity in the background at companies covered by Gramm-Leach, and the companies that are now covered are a much larger group. An MSP client may have an insurance office. They are now likely to be included in the new directives and should plan to implement Gramm-Leach compliance,” Banks said.
The new Gramm-Leach also requires a Qualified Individual to regularly report to the Board of Directors or equivalent on any security events during the previous calendar year.
“This is a good requirement because by force of law it pushes talk of cybersecurity to the highest levels,” Banks says.
Companies must also perform a risk assessment that identifies internal and external risks that could reasonably be expected to affect the security, confidentiality, and integrity of customer information.
“Again, this is something that forces companies to do things that should have been done all along. However, some companies don’t have the in-house expertise to do a risk assessment, and it’s likely that it will reach medium and small businesses,” Banks expects.
If you are not sure whether one of your clients is now subject to the new Gramm-Leach rules, you should contact the FTC for guidance. For businesses that are now covered, other steps to take now include:
- Implement access controls and review them periodically
- Create and maintain an inventory of the data, employees, and devices that affect data privacy and security
- Encrypt all customer information the company holds or transmits, both in transit over external networks and at rest
- Adopt secure development practices for in-house software development
- Require multi-factor authentication for any individual accessing the company’s information systems
- Adopt a written incident response plan
- Dispose of customer information securely by following written policies and procedures
- Implement a data retention policy to reduce unnecessary data retention
- Adopt procedures to manage and monitor changes to the company’s data security protection procedures
- Monitor and log the activity of authorized users to detect unauthorized use of or tampering with customer information
- Test and monitor the effectiveness of the organization’s data security program
- Conduct training and awareness exercises for all relevant staff
- Oversee vendors and service providers with respect to their data security safeguards and controls
- Evaluate and adjust the information security program as needed in response to changes in the organization and in security threats
“All of these steps should be done by most companies that store data anyway. The only difference is that Gramm-Leach has now changed to require it,” Banks said. Companies that do not comply could face heavy fines from the Federal Trade Commission.