A recent and little-noticed tweak by the FTC to the long-standing Gramm-Leach law could result in more business for MSPs and more oversight for specific enterprises.
One of the tricky aspects of being an MSP is navigating the constantly shifting legal landscape. Between HIPAA, GDPR, CCPA, and more, there are always new laws, regulations, and mandates to be aware of, most of which govern data harvesting, protection, and dissemination.
And usually, once you learn the laws and are comfortable with them, they either change, or new ones are enacted. There are 18 different pieces of legislation in the U.S. Congress alone being considered that have to do with cybersecurity.
“Sometimes it seems that an MSP needs to have a lawyer on speed dial to keep up with everything,” admits Colin Banks, a cybersecurity and law specialist in Seattle. “The tweak to Gramm-Leach is a perfect example of how new regulations and requirements can sort of sneak in there.”
Congress passed the Gramm-Leach-Bliley Act in 1999 in the early days of the internet, and it was meant to protect financial data. But as the internet has grown into something that pulses through every aspect of life, the law has been modified a couple of times.
The recent changes to Gramm-Leach expand the definition of what a “financial institution” is. In addition to banks, the rules now cover payday lenders, pawnshops, brokerages, mortgage clearinghouses, and motor vehicle dealers.
The expanded umbrella of businesses covered under the Gramm-Leach bill is significant because it requires these newly covered businesses to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. A press release from the FTC sums up the changes:
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
Notable updates to Gramm-Leach for MSPs
The new rules also require that financial institutions designate a “qualified individual” to oversee their cybersecurity compliance. The new law doesn’t state expressly what qualifications an individual must have. Still, it may not be enough for a company to have an in-house IT person handling cybersecurity. In many cases, an MSP may make the most sense.
- Companies covered under Gramm-Leach now must create, carry out, and maintain a comprehensive information security program.
“It won’t be enough anymore to place cybersecurity on the back-burner in businesses covered under Gramm-Leach, and the businesses now covered are a much larger group. An MSP may have an insurance office client. They are now likely included in the new guidance and should be planning to implement Gramm-Leach compliance,” said Banks.
The new Gramm-Leach also requires the “qualified individual” to regularly report to the board of directors or equivalent on any security events within the previous calendar year.
“This is a good requirement because, by force of law, it pushes the conversation of cybersecurity to the highest levels,” states Banks.
Companies must also execute a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
“Again, this is something that forces companies to do things that should have been done all along. Some companies, however, don’t have the internal expertise to conduct a risk assessment and will likely be reaching out to MSPs,” predicts Banks.
If you are not sure whether one of your clients now falls under the new Gramm-Leach rules, you should contact the FTC for guidance. For companies now covered, other steps that now must be taken include:
- Implement and periodically review access controls
- Create an inventory of and manage data, personnel, and devices that impact data privacy and security
- Encrypt all customer information held or transmitted by the company both in transit over external networks and at rest (in storage)
- Adopt secure development practices for in-house software development applications
- Implement multifactor authentication for individuals accessing the company’s information system
- Adopt a written incident response plan
- Securely dispose of customer information following written policies and procedures
- Implement a data retention policy to minimize unnecessary retention of data
- Adopt procedures for managing and controlling changes to the company’s data security safeguards
- Monitor and log activity of authorized users to detect unauthorized use of, or tampering with, customer information
- Test and monitor effectiveness of the organization’s data security program
- Conduct training and awareness exercises for all relevant personnel
- Oversee vendors and service providers with respect to data security safeguards and controls
- Evaluate and adjust the information security program as needed due to changes in the organization and security threats
“All of these steps are ones that most businesses that store data should be doing anyway. The only difference is that Gramm-Leach has now been changed to require it,” Banks said. Businesses that don’t comply could face hefty fines by the FTC.