So this morning, a mortgage broker sent me a stranger’s trust document. This afternoon, a real estate title agency asked for my social security number, address, and full name by email. By 2 pm I had lost my cool. These companies are responsible for guarding their client data and doing their jobs without risking your identity with a careless click. My identity isn’t worth it. Unfortunately, Molly didn’t seem bothered that she had sent me the info of a lady in Ohio and that I could see her details, full name, address, and more. Thanks, Molly.
I asked both companies if they had secure portals, and both replied that they did in fact have these tools. Neither had sent me the link or invite to use them. They just weren’t using them! WTF?
You wouldn’t leave your storefront unlocked overnight, would you? The same care should go into protecting your customers’ sensitive data.
How is a portal different from an email? If Molly had used her portal, she could have deleted or recalled the document and cut off my access. But now that it’s in my email, she can’t get it back. She has to rely on me deleting it. I think we all know a creep who wouldn’t delete it. Someone who would be on Facebook looking you up in a second.
That’s where the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule comes in. It’s not just for banks or big corporations—it applies to a wide range of entities, including some you wouldn’t expect. And on June 9 of 2024, further rules went into effect; clearly neither of these companies is following them.
Here’s the good news: compliance isn’t as overwhelming as it sounds. By the end of this post, you’ll know what the Safeguards Rule is, why it matters, and the simple steps to safeguard your business and customers. Your small business will be in better shape than these 2 so-called professional companies.
What Is the Gramm-Leach-Bliley Act Safeguards Rule?
The GLBA Safeguards Rule is part of a U.S. law designed to ensure businesses handle sensitive customer information responsibly. It applies to a broad array of entities engaged in financial activities, including:
1. Traditional Financial Institutions:
Banks
Credit unions
Insurance companies
Investment advisors
2. Non-Traditional Entities Engaged in Financial Activities:
Mortgage lenders and closing agents
Financial advisors, lawyers, tax pros
ATM operators, payment processors
Debt collectors
Car rental companies
Courier services
Credit reporting companies
3. Educational Institutions:
Universities and colleges that handle financial activities such as student loans.
4. Other Businesses:
Companies that receive personal information from financial institutions.
Organizations outside the U.S. offering financial services to individuals within the country.
In short, the GLBA applies to any institution "significantly engaged" in providing financial products or services, such as lending, brokering, financial advising, or insurance.
💡 Pro Tip: If your business collects or processes customer financial data in any way, it’s worth double-checking whether the GLBA applies to you. Even if you are just a small business, if you have a big client list or you keep client payment methods on file, you need to check.
Why the GLBA Safeguards Rule Matters for Small Businesses
Imagine this: A small tax preparer skipped encryption to save costs. A data breach exposed hundreds of customers’ personal details, resulting in lawsuits, lost trust, and financial ruin. Or perhaps a mortgage broker sent a trust document to the wrong person, exposing someone’s details to a stranger. Unfortunately, scenarios like these are more common than you’d think:
60% of small businesses close within six months of a major data breach.
Data breaches cost businesses an average of $4.35 million globally in 2022.
Beyond the risks, protecting customer data builds trust, which can set your business apart. When customers know their information is safe, they’re more likely to stick with you.
What’s New in the Updated Safeguards Rule?
Here’s what changed with the most recent updates to the Safeguards Rule:
Encryption Requirements: Businesses must encrypt all sensitive customer information, both in transit and at rest.
Multi-Factor Authentication (MFA): Passwords alone are no longer enough. MFA adds an extra layer of security.
Breach Notifications: If a data breach affects 500+ customers, you must notify the FTC within 30 days.
💡 Keep in mind: These changes are already enforceable, so don’t wait to act. The penalties are also huge and can include loss of licenses, a $100,000 fine, and/or 5 years in jail.
How to Make Compliance Simple and Stress-Free
You don’t need a massive IT budget to comply. Follow these three steps to keep things manageable:
1. Develop a Written Security Plan
Think of this as your business’s playbook for protecting customer data. Here’s how:
Identify what types of data you collect.
Determine how and where you store it.
Create a plan to respond to breaches, including FTC notification requirements.
2. Use Affordable Tools
Compliance tools don’t have to break the bank. Here are some recommendations:
Encryption: Tools like BitLocker (Windows) or FileVault (Mac).
MFA: Duo Security offers user-friendly, low-cost solutions.
The Google Authenticator app is free. Use the security settings in your email service: you can encrypt emails on Google, and other email services offer custom security settings.
Secure Portals: SmartVault and Encyro are easy ways to offer client file sharing.
💡 Helpful tip: Many cloud services include built-in encryption—check your current software for this feature.
3. Train Your Team & Yourself
Make training engaging. Compare phishing emails to “too-good-to-be-true” spam offers or use role-playing scenarios to teach employees how to spot risks. It’s a bit more complicated than “don’t click any links”, but that’s a good start. Take care to choose software vendors who know what they are doing to host your CRM and payment details. Ask your insurance agent what your responsibilities are.
Actionable Checklist to Stay Compliant
Here’s a quick compliance checklist:
✅ Encrypt all sensitive customer data.
✅ Implement multi-factor authentication for logins.
✅ Draft a written information security plan.
✅ Train your employees and yourself on data security best practices.
✅ Set up a breach notification protocol.
✅ Hire an IT consultant if you need more support.
Conclusion: It’s not that hard to get this right.
Protecting customer data isn’t just about avoiding fines—it’s about building trust that keeps your customers coming back.
Start small. A written plan and a few affordable tools can go a long way. And if you need guidance, we’re here to help you secure your business for the future.
💡 Contact us for a consultation on GLBA compliance and data security solutions.