A Closer Look at the Gramm-Leach-Bliley Act (GLBA): Updates to the Safeguards Rule

By on June 6th, 2023 in Compliance, Industry Insights

Protecting personal and financial information is critical in today’s digital age. Where data has its own intrinsic value and where data breaches and cyberattacks are a risk for every business, the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) provides financial institutions, including those in the accounts receivable management industry, with guidance on how to safeguard customer information.

The existing Safeguards Rule gave financial institutions considerable flexibility and discretion in deciding which safeguards best fit their organizations and their risks. With the amendments that go into effect on June 9, 2023, financial institutions now have a more prescriptive recipe for what those safeguards need to be.

What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act, or GLBA, is a federal regulation to control how financial institutions collect, store, and transmit consumer information. Although GLBA was enacted by the Federal Trade Commission (FTC) in 1999, changes have been anticipated for the last few years.

In October 2021, the FTC announced new amendments coming to the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” and an issuance of a final rule, referred to simply as the “Final Rule.” Originally set to go into effect in 2022, financial institutions—a designation that has also been updated—now need to prepare for the changes or risk non-compliance and its consequences before they go into effect on June 9, 2023.

What is the Safeguards Rule?

The Safeguards Rule took effect January 10, 2021, and its requirements were first set to go into effect beginning December 9, 2022, but the FTC announced it would extend the deadline for financial institutions to develop, implement, and maintain a comprehensive information security program to June 9, 2023.

There are five overarching modifications to the existing Safeguards Rule:

  • Provides covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program
  • Improves the accountability of these security programs, such as requiring financial institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the program
  • Exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors
  • Expands the definition of “financial institution” within the scope of the Safeguards Rule – see the expanded definition in the next section below
  • Includes several other definitions and related examples in the amended Safeguards Rule itself in an effort to make it more self-contained and to enable readers to understand its requirements without referencing the FTC’s Privacy of Consumer Financial Information Rule

Along with these updates to the Safeguards Rule, let’s examine a few other specifications of the updates.

What are other updates to the Safeguards Rule?

The expanded scope of financial institutions that are subject to the Safeguards Rule is significant. Under the new Final Rule, “financial institutions” now include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, such as:

It is important to note that the Final Rule does not apply to national banks, savings and loan institutions, and federal credit unions, as these institutions are not subject to the FTC’s jurisdiction.

The Final Rule requires these covered financial institutions to comply with specific new requirements, such as:

  • Encrypt all customer information, both in transit over external networks and at rest
  • Require multi-factor authentication for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution
  • Conduct periodic written risk assessments, and let the results of those risk assessments drive the information security program
  • Create procedures for evaluating, assessing, or testing the security of externally developed applications used to transmit, access, or store customer information
  • Set procedures for secure disposal of customer information no later than two years after the last date the information is used
  • Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users
  • Provide personnel with security awareness training, provide information security personnel with training to address relevant security risks, and ensure that key information security personnel take steps to maintain knowledge of changing information security threats and countermeasures
  • Maintain a written incident response plan designed to promptly respond to and recover from any security event affecting the confidentiality, integrity, or availability of customer information
  • Have the qualified individual regularly, and at least annually, report in writing to the organization’s governing body (e.g., board of directors) on the status and material matters of the information security program
  • Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, conduct the required penetration testing annually, and perform vulnerability assessments at least every six months and whenever there are material operational or business changes

Given the expanded definition of “financial institutions,” some of these organizations may be unfamiliar with the extent of these requirements, and even those familiar with GLBA previously must be ready to comply or face the consequences.

What are the penalties for non-compliance with GLBA?

Whether it’s GLBA, Regulation F, or any of the numerous state laws, companies can face serious penalties for compliance failures—monetary, reputational, and even criminal. When it comes to GLBA, non-compliance penalties include:

Section 5 of GLBA grants the FTC the authority to audit policies to ensure they are developed and applied fairly—all the more reason to follow the Safeguards Rule’s provisions of self-audits and testing. 

Learn More About Compliance and Collections

Now that you have the breakdown of the Gramm-Leach-Bliley Act updates to the Safeguards Rule, are you familiar with the other laws and regulations governing debt collection? Check out our Collections & Compliance resources to see what other regulatory guidelines may impact your business, or schedule a consultation to get started.

Coast to Coast: the State of Privacy and Compliance in 2023

By on April 20th, 2023 in Compliance, Industry Insights, Webinars

Disclaimer: The information provided in this blog post does not, and is not intended to, constitute legal advice. 

Protecting consumer privacy is not an unfamiliar concept in our industry and it’s something that should already be woven into our policies, procedures, and practices. With the rapid increase of state privacy laws across the United States, any company that collects, uses, transmits, or receives consumer data has to stay up-to-date on all related compliance issues.

In a previous webinar, Coast to Coast—the State of Privacy and Compliance in 2023, TrueAccord’s legal experts discussed the newest federal privacy laws and all the related compliance issues. Watch the full webinar on-demand now!

The passage of the FTC’s Safeguards Rule, amending the Gramm Leach Bliley Act (GLBA), has been a big topic in data security conversations across the financial services industry as businesses prepare to be in compliance on or before the extended effective date of June 9, 2023. Meanwhile, several states have actively been considering and passing new legislation requiring additional policies, controls, and practices not only in the data security space but also for data privacy and data breaches. It is important for Chief Information Security Officers, Privacy Officers, and Chief Compliance Officers to stay on top of this legislation, as well as Chief Executive Officers since we have seen many federal and state actions naming the CEO in their individual capacity for failing to properly secure and protect data or to properly delegate these responsibilities to the appropriate persons within their organizations. 

**Please note this article is not legal advice. This is not an exhaustive list of all laws. You should consult a lawyer if you have questions about federal and state data security, privacy or breach laws.

Data Breach Laws

All 50 states have data breach notification laws on the books. In 2022, 19 states considered enhancing their data breach laws.

Those states that passed revised data breach laws tightened up notification timelines, added definitions of what constitutes personal information, and expanded the notification requirements to include additional state agencies. For example, Arizona’s law HB 2146, amending Arizona Revised Statutes section 18-552, not only requires that notification be made to consumers but also to the Director of Arizona’s Department of Homeland Security. If the breach impacts more than one thousand people, then the law requires that notification also be given to the three largest nationwide credit reporting agencies, the attorney general, and now the Director of Arizona’s Department of Homeland Security.

While most states are shortening the time frame in which a consumer must be notified of a data breach to 45 days or less, some of these laws include exceptions or a short list of situations in which a delay in notification is permissible. For example, Indiana’s revised law, H.B. 1351, amending Indiana Code 24-4.9-3-3, limits a permissible delay in notification to three circumstances: (1) when the integrity of the computer system must be restored, (2) when the scope of the breach must be discovered, or (3) when the attorney general or a law enforcement agency asks to delay disclosure because disclosure will impede a criminal or civil investigation, or jeopardize national security.

Both Maryland (H.B. 962, amending the Maryland Personal Information Protection Act and section 14-3501 of the Annotated Code of Maryland) and Pennsylvania (S.B. 696, amending the Pennsylvania Breach of Personal Information Notification Act) expanded the definition of “personal information” to include medical and health information, with Maryland’s law also adding a definition of “genetic information.”

Since the webinar, Utah Governor Spencer Cox signed into law Senate Bill 127 on March 23, 2023, which amends the state’s data breach notification statutes. The amendments go into effect May 2, 2023.*

Along with updates to states’ laws, federal regulators are also providing additional guidance. For example, the Office of the Comptroller of the Currency (OCC) recently released more information regarding when banks need to hear from their vendors about a data breach, including ransomware notifications.

Data Privacy Laws

In addition to creating and updating laws to help consumers in the event of a data breach, states have also been enacting laws dedicated to protecting consumer privacy. There are six states with comprehensive data privacy laws: California, Connecticut, Colorado, Iowa*, Virginia, and Utah. These laws give consumers various rights over their personal information, such as the right to know what information companies collect and use, a right to correct their information, a right to opt-out of the sale of such information, and a right to request deletion. 

In 2022, Congress introduced a federal privacy law, HR 8152, the American Data Privacy and Protection Act; however, it did not make it to the finish line despite having bipartisan support. It contained some preemption of state privacy and data protection laws, which would have been a relief to many companies navigating the existing patchwork of state laws.  As of January 2023, many states have introduced privacy-related bills and this is likely to continue throughout the years to come. 

California took the privacy law lead by passing the California Consumer Privacy Act of 2018 (CCPA), which went into effect in January of 2020 to protect the use and sharing of personal data. California recently expanded the CCPA with the California Privacy Rights Enforcement Act (CPRA), which took effect on January 1, 2023. The law created the new California Privacy Protection Agency and gave it the power, authority, and jurisdiction to implement and enforce the CPRA. Additionally, businesses must regularly submit their risk assessment on the processing of personal information to this new agency.

The four other states that followed suit have substantially similar laws with broad definitions of personal information. These laws typically apply to persons that conduct business in the state and process a set minimum of consumer data records (typically 25,000 or more), or to businesses that earn at least 50% of their revenue from the sale of consumer data.

These laws give consumers various rights, such as the right to access their personal data; correct inaccurate personal data; delete personal data; in certain circumstances, obtain a copy of the personal data they previously provided to a controller; opt out of the processing of their personal data for targeted advertising, the sale of personal data, or certain profiling activities; appeal a controller’s refusal to take action on a request; and submit a complaint to the attorney general if an appeal is denied. Interestingly, Colorado’s law makes clear that a consumer’s consent is not valid if obtained through the use of a “dark pattern.”

These laws do not give consumers a private right of action but are enforced by the state’s attorney general with civil monetary fines calculated per violation. These laws also contain exemptions for data already protected by other laws, such as HIPAA, FCRA, and GLBA.

Virginia’s law took effect January 1, 2023. Both the Connecticut and Colorado Data Privacy Acts will go into effect July 1, 2023. The Utah Consumer Privacy Act takes effect December 31, 2023. The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on Tuesday, March 28, 2023. The legislation is set to take effect Jan. 1, 2025.*

Best Practices for the Future of Data Security & Privacy 

Having good security practices in place is not only beneficial for both consumers and businesses, but is absolutely critical to stay compliant with all the new laws and amendments being introduced. 

So what are some of the best privacy and security practices to implement to protect customers, companies, and stay compliant? 

  • Practice data minimization.
  • Know where personal information lives at all times by creating a data map of where the data goes and is stored throughout your systems, which includes knowing your vendor’s data security and privacy practices and controls. 
  • Know who has access to personal information and routinely examine if that access is necessary to complete that job function.
  • Be intentional with how data is organized and stored so it can be easily segmented and treated differently if need be (think network segmentation). 
  • Have a public-facing Privacy Notice, and make sure it accurately reflects your practices for use, collection, deletion, and correction.
  • Conduct an annual data security and privacy risk assessment to continually reassess areas for improvement and where you may need additional controls.
  • Ensure contracts with parties from whom you receive and/or to whom you give personal information specifically address each party’s obligations and restrictions for how personal information is used, shared, disclosed, stored, and sold (if permitted).

Compliance with data privacy and data security requirements will continue to progress as new laws and regulations are passed. Best practices will continue to evolve as well, as we continue to learn more about the expectations of federal and state legislators and regulators, and as companies navigate evolving threats and vulnerabilities. Watch the full webinar: Coast to Coast—the State of Privacy and Compliance in 2023.

Learn more in our Compliance & Collections Resource Center or schedule a consultation today

Footnotes: 

*The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on March 28, 2023 after TrueAccord’s Coast to Coast webinar. 

*The data breach law for Utah was passed on March 23, 2023 after TrueAccord’s Coast to Coast webinar

Patchwork of Compliance Regulations

By on September 29th, 2022 in Compliance, Industry Insights, Product and Technology

Anyone working in the collections space should be familiar with the federal Fair Debt Collection Practices Act (“FDCPA”) and its regulation, Regulation F; but did you know that there are multiple debt collection laws and regulations at the state and local level too?

State and local laws and regulations often mirror aspects of the FDCPA, however, there are a handful which are remarkably different from the FDCPA. In fact, the FDCPA makes clear that it is not designed to “annul, alter, or affect, or exempt any person” from “complying with the laws of any State with respect to debt collection practices, except to the extent that those laws are inconsistent with any provision of [the FDCPA], and then only to the extent of the inconsistency” (refer to 15 USC § 1692n). The FDCPA goes on to clarify that “a State law is not inconsistent with [the FDCPA] if the protection such law affords any consumer is greater than the protection provided by [the FDCPA].” Therefore, debt collectors collecting nationally have to grapple with and reconcile a patchwork of federal, state, and municipal debt collection laws and regulations when collecting in multiple states.

It is no simple feat to build and maintain a compliance program which keeps a debt collector in compliance with this patchwork of differing and competing debt collection laws and regulations. Debt collectors take different approaches to stay in compliance—from training their collectors on each and every state law and regulation, to deciding not to collect altogether in a particular state/locality. Ten years ago when I first started in the industry, I remember compiling a job aid of all the state and local laws debt collectors had to remember and abide by—it was long and nuanced.

For example, the FDCPA explicitly permits debt collectors to speak to a consumer’s spouse without such communication resulting in a third party disclosure (see 15 USC § 1692c(d)), whereas some states such as Arizona and Connecticut are silent on this issue and other states, such as Iowa, consider spouses to be third parties. In those states, a consumer must provide their consent in order for a debt collector to speak with their spouse. Another example is communication frequency limitations. While Regulation F provides parameters for call frequency (i.e., calls made in excess of 7 times in a 7 day consecutive period, and calls within 7 days of having had a phone conversation, are presumed harassing), Massachusetts has an entirely different call frequency regime. Massachusetts outright prohibits debt collectors from engaging any consumer in a communication by phone (i.e., calls and texts) more than twice in a 7 day period. While these phone restrictions are similar, they are nuanced nonetheless (e.g., one applies only to calls while the other applies to calls and texts; one is a presumption of harassment and the other is an outright prohibition, etc.). These are just a few examples to illustrate the small distinctions and differences between the FDCPA/Regulation F and state/local laws.

In an effort to simplify how many rules debt collectors have to learn and abide by, some debt collectors design and adopt policies which reconcile as many of the laws and regulations as they can for a particular topic. For example, adopting the strictest law/regulation as a company policy so that it applies across the board is one strategy some companies may adopt. While this approach will help a debt collector meet or exceed a state law requirement, it can unnecessarily limit a debt collector’s ability to communicate and/or collect in more places than necessary, thereby undermining those state economies that have no such restrictions.

While the patchwork may seem daunting, this is an area ripe for compliance innovation—where technology can be leveraged to automate controls and guardrails. For example, instead of requiring debt collectors to memorize multiple state laws/regulations, controls can be designed to automate guardrails for state laws in a collection system. Here at TrueAccord, compliance has a close partnership with its product and engineering teams, to help leverage technology when laws and regulations are introduced or changed. While technology will not replace a compliance monitoring team, it has the potential to increase the efficiency and efficacy of any human monitoring by helping front line agents understand their state by state requirements and compliance teams focus their auditing and monitoring efforts.
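As an added illustration of the kind of automated guardrail described above (this is example code written for this page, not TrueAccord’s collection system), the following Python sketch encodes the two contact-frequency regimes from the earlier paragraph as data and evaluates a proposed call or text against a consumer’s contact history. The rule parameters are taken from the paragraph as written and simplified for illustration: Regulation F counts calls only, treats more than 7 calls in a 7-day period or a call within 7 days of a phone conversation as presumed harassing; Massachusetts counts calls and texts and prohibits more than two in a 7-day period. The rolling 7-day window ending at the proposed contact, the `STATE_RULES` lookup, and the `Contact`/`FrequencyRule` names are assumptions of this example, not anything the article specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Contact:
    """One prior outbound contact with a consumer (constructed for this example)."""
    when: datetime
    channel: str                # "call" or "text"
    conversation: bool = False  # True when the call ended in a live phone conversation


@dataclass(frozen=True)
class FrequencyRule:
    """A contact-frequency regime expressed as data rather than agent memory."""
    name: str
    channels: frozenset                         # channels that count toward the limit
    max_contacts: int                           # contacts permitted within the window
    window: timedelta                           # length of the rolling period
    conversation_cooldown: Optional[timedelta]  # no-contact period after a conversation, if any
    outcome: str                                # how the rule characterises a breach


# Parameters as described in the article, simplified for illustration (assumption: rolling window).
REGULATION_F = FrequencyRule(
    name="Regulation F",
    channels=frozenset({"call"}),
    max_contacts=7,
    window=timedelta(days=7),
    conversation_cooldown=timedelta(days=7),
    outcome="presumed harassing",
)
MASSACHUSETTS = FrequencyRule(
    name="Massachusetts",
    channels=frozenset({"call", "text"}),
    max_contacts=2,
    window=timedelta(days=7),
    conversation_cooldown=None,
    outcome="prohibited",
)
# Hypothetical per-state lookup; a real system would populate this from policy review.
STATE_RULES = {"MA": MASSACHUSETTS}


def applicable_rules(state: str) -> List[FrequencyRule]:
    """The federal rule always applies; a state rule is layered on top when one exists."""
    rules = [REGULATION_F]
    state_rule = STATE_RULES.get(state.upper())
    if state_rule is not None:
        rules.append(state_rule)
    return rules


def evaluate_contact(history: List[Contact], proposed: datetime,
                     channel: str, state: str) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every rule the proposed contact would breach.

    An empty list means the guardrail lets the contact through. Each rule only
    counts contacts on the channels it governs, so a text never counts toward
    the Regulation F call limit but does count toward the Massachusetts limit.
    """
    findings: List[Tuple[str, str]] = []
    for rule in applicable_rules(state):
        if channel not in rule.channels:
            continue
        window_start = proposed - rule.window
        recent = [c for c in history
                  if c.channel in rule.channels and window_start < c.when <= proposed]
        if len(recent) + 1 > rule.max_contacts:
            findings.append((rule.name,
                             f"{len(recent) + 1} contacts in {rule.window.days} days "
                             f"exceeds {rule.max_contacts}: {rule.outcome}"))
        if rule.conversation_cooldown is not None:
            cooldown_start = proposed - rule.conversation_cooldown
            if any(c.conversation and cooldown_start < c.when <= proposed for c in history):
                findings.append((rule.name,
                                 f"contact within {rule.conversation_cooldown.days} days "
                                 f"of a phone conversation: {rule.outcome}"))
    return findings


def is_permitted(history: List[Contact], proposed: datetime, channel: str, state: str) -> bool:
    """Convenience wrapper for a dialer or messaging pipeline: True when no rule is breached."""
    return not evaluate_contact(history, proposed, channel, state)


if __name__ == "__main__":
    # Constructed sample history: two calls earlier in the week, no live conversation.
    base = datetime(2022, 9, 1, 10, 0)
    history = [Contact(base, "call"), Contact(base + timedelta(days=2), "call")]
    proposed = base + timedelta(days=4)
    print("AZ call:", evaluate_contact(history, proposed, "call", "AZ"))
    print("MA text:", evaluate_contact(history, proposed, "text", "MA"))
```

Because the rules are data, adding a new state regime means adding a `FrequencyRule` entry rather than retraining every agent, and the audit trail of which rule blocked a contact comes from the returned findings rather than from a person’s recollection.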

*Lauren serves as TrueAccord’s Associate General Counsel. This blog is not legal advice. Legal advice must be tailored to the particular facts and circumstances of each unique matter.

What do the CFPB’s Updates to the Regulation F Electronic Communications FAQs Mean for Your Debt Collection Strategy?

By on August 16th, 2022 in Compliance, Industry Insights, User Experience

The Consumer Financial Protection Bureau (CFPB) quietly published on its website additional frequently asked questions (FAQs) on the Debt Collection Rule (i.e. Regulation F) relating to electronic communications and communicating during unusual or inconvenient times or places.

The FAQ answers multiple questions, ranging from “is a debt collector required to honor a consumer’s request to opt out of electronic communications if the request does not conform to the debt collector’s opt-out instructions?” to “does an automatically generated electronic communication (such as a payment confirmation) sent at a time the debt collector knows or should know is inconvenient to the consumer, which is sent in response to a consumer action (such as a payment), meet the limited exception for responding to consumer-initiated contact?”

While many of the responses to the FAQs can be found in the Official Interpretation section of Regulation F, there are some points worth highlighting:

  • A consumer is not required to use the debt collector’s preferred or stated opt-out method. This means, for example, an email opt-out can come from a non-email channel, an SMS opt-out can come from a non-SMS channel, etc.
  • A consumer does not need to use specific terms contained in a debt collector’s opt-out instructions in order for their opt out to be effective. For example, if the instructions tell a consumer to reply with “stop” to opt-out, and the consumer replies with “quit” instead of “stop,” the debt collector must still honor that opt-out.
  • Email addresses and mobile telephone numbers are not necessarily associated with a “place.” This means that the prohibition on communicating or attempting to communicate at unusual or inconvenient places does not prohibit a debt collector from communicating or attempting to communicate with a consumer through email or mobile phone. However, if the debt collector knows, or should know, that the consumer is at an unusual or inconvenient place, then the prohibition still kicks in.

What should creditors look for in their debt collection partners?

Creditors should check to see if their debt collection agencies train their staff and design their processes so that they promptly and effectively identify and process opt-out requests. Since opt-out requests can come in various forms and fashions, debt collectors need dynamic procedures to capture any and all opt-outs. Debt collection agencies also need processes and technologies to help them implement controls for inconvenient time and place restrictions – which may be a little tricky when applied to email and mobile phone numbers.

What is TrueAccord’s take?

At TrueAccord, our goal is to make the debt collection experience friendly and easy for consumers. That is why we engage consumers on their preferred communication channels and make it easy to opt-out of electronic communications. We take a broad approach to honoring a consumer’s opt-out request no matter how we get it or what specific words they use.

While the new FAQs clarified that the Debt Collection Rule does not require debt collectors to communicate electronically with consumers, we pose this question back:

If a consumer reaches out to you electronically, why wouldn’t you want to communicate with them on the channel they prefer?

Start evolving your consumer engagement and communication strategy to meet your customers where they will be most receptive. Schedule a consultation to learn how TrueAccord can help you get started.