News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
January 23, 2024 compliancestrategy

GLBA Compliance in 2024 - Reporting directly to the FTC

By Roman Krasnov

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved. The FTC has also indicated that it will make incident reports publicly available and non-banking financial institutions are expected to be prepared for increased media exposure and litigation risk.

The final amendment was published on November 13, 2023, and will take effect on May 13, 2024, according to the Federal Register. Let’s see how an effective log collection solution can contribute to your Gramm-Leach-Bliley Act (GLBA) compliance strategy in 2024.

What is the Safeguards Rule?

“Standards for Safeguarding Customer Information Rule” is a part of the Financial Modernization Act of 1999, known as The Gramm-Leach-Bliley Act (GLBA) - a US federal law that requires financial institutions “to explain their information-sharing practices to their customers and to safeguard sensitive data“. It’s an example of early legislation enacted to ensure transparent and secure handling of customer’s private information.

The Safeguards Rule took effect in 2003 and was first amended in 2021 to match the level of modern technologies. The rule is general in scope and reflects common data security principles that companies need to implement to protect the Nonpublic Personal Information (NPI) of their customers (name, address, income, Social Security number, payment history, loan or deposit balances, and credit or debit card purchases).

Nonpublic Personal Information means:

(i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information about them) that is derived using any personally identifiable financial information that is not publicly available.

The FTC provides details and examples of NPI with additional articles available as business guidance.

Coverage and Penalties

The Safeguarding Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities”:

Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

While the term is quite broad, the rule provides some direct guidance on what companies are covered by the regulation. According to 16 CFR 314.2(h), the following entities are obligated to comply with the GLBA Safeguards Rule:

  • Automobile dealerships

  • Real estate settlement services

  • Mortgage brokers

  • Travel agencies in financial services

  • Retailers issuing credit cards

  • Property appraisers

  • Career counselors

  • Check printing businesses

  • Money transfer services

  • Check cashing businesses

  • Tax preparation services

  • Investment and credit counseling services

  • Higher education institutions

It’s worth noting that a financial institution company may be exempt from certain requirements if it maintains fewer than 5,000 consumer records.

GLBA imposes penalties for non-compliance on organizations that fail to adhere to the law’s requirements. In addition to reputation damage, the penalties for non-compliance include:

  • Civil Penalties: The GLBA authorizes the FTC to impose civil penalties on financial institutions that violate the law’s privacy and security requirements. The maximum penalty for each violation is $100,000.

  • Criminal Penalties: The GLBA includes criminal penalties for financial institutions that knowingly and willfully violate the requirements. These penalties can include fines of up to $10,000 for each violation and imprisonment for up to 5 years.

There are a set of cases where the FTC fined financial institutions for GLBA non-compliance. The most notable notices were against PayPal in 2018 and crypto services provider Celsius Networks in 2023 reaching a total of $4.7B in fines.

Requirements

According to 16 CFR 314.4, in order to develop, implement, and maintain an information security program, an institution shall perform several steps, including:

  • (a) Designate a Qualified Individual responsible for overseeing, implementing, and enforcing your information security program.

  • (c) Design and implement safeguards to control the risks identified, including:

    • (1) Implement and periodically review access controls

    • (3) Protect by encryption all customer information held or transmitted

    • (8) Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

  • (d)

    • (1) Regularly test or otherwise monitor the effectiveness of the safeguards

    • (2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.

  • (h) Establish a written incident response plan designed to promptly respond to, and recover from, any security event.

  • (i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. The report shall include the following information:

    • (1) The overall status of the information security program and your compliance with this part; and

    • (2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.

How can NXLog help?

Log collection is a key part of any modern cybersecurity program. Proper log collection enables core security processes like monitoring, incident response, and reporting. NXLog helps organizations stay compliant by providing a centralized security observability solution. With NXLog, you can build a robust log collection architecture and analyze logs across disparate systems to boost threat detection, minimize response time, and ensure you always stay compliant with regulations.

  • Enable audit log centralization with nothing missed

NXLog supports all popular and advanced log data collection methods. It seamlessly integrates with various data sources, including databases, network appliances, SIEM, and APM systems to ensure a compliant log management process.

  • Simplify processes with unified log collection infrastructure

NXLog allows an organization to define a unified log collection mechanism across an entire infrastructure, including system and operational components. Unified log collection helps design comprehensive technical solutions and simplify routines and policies that must be documented and communicated to staff.

  • Keep data safe while in transfer

Log data may include sensitive information, like NPI. To make transfers secure, NXLog provides TLS/SSL encryption support to prevent data in transit from being viewed or modified by a malicious actor.

  • Enforce audit log & system file monitoring against unauthorized changes

NXLog provides a File Integrity Monitoring (FIM) module that detects when files are changed and promptly triggers a security event. This helps to protect both critical system files and retained logs from unauthorized tampering.

  • Enable cost-efficient audit log retention

Nowadays, IT systems generate tons of logs and audit trails. All that data has to be available for real-time analysis and also capable of being quickly re-hydrated from long-term storage for faster response in the case of a security event. NXLog provides log filtration, flexible retention, and routing mechanisms, creating a robust and cost-efficient retention process.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • compliance
  • legislation
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

The story of the $1,900,000 penalty for insufficient log management
4 minutes | January 11, 2024
Meeting HIPAA Compliance with NXLog
10 minutes | August 30, 2023
How can I monitor file access on Windows?
6 minutes | May 26, 2023

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us