Chapter 9: Financial Privacy
The GLBA Safeguards Rule
The Safeguards Rule (effective 2003, updated by the FTC in 2021) requires a written information security program with administrative, technical and physical safeguards, scaled to the institution's size and complexity. It mandates a designated coordinator, risk assessment, monitoring, vendor oversight and ongoing adjustment.
| Level | Covers |
|---|---|
| Administrative | Program definition, workforce risk management, employee training, vendor oversight |
| Technical | Computer systems, networks, applications, access controls, encryption |
| Physical | Facilities, environmental safeguards, business continuity, disaster recovery |
- Designate an employee to coordinate the safeguards.
- Make a written risk assessment and evaluate current safeguards.
- Design, implement, monitor and test the program.
- Select service providers and contract for safeguards.
- Evaluate and adjust the program as circumstances change.
Scaled and flexible
The program must be appropriate to the institution's size, complexity, and the nature and scope of its activities, and to the sensitivity of the customer information it handles. It must be reasonably designed to ensure the security and confidentiality of that information, protect against anticipated threats to it, and protect against unauthorized access that could cause substantial harm.
Key terms - quick answers
What is “Safeguards Rule”?
GLBA rule requiring financial institutions to develop and implement a comprehensive written information security program with administrative, technical and physical safeguards.
What is “Information security program”?
A program containing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.