Fact or Fiction: When Does Your Qualified Individual Actually Need to Report?

By Mark Sanborn
Senior Product and Regulatory Counsel

Fact: Under the revised Safeguards Rule, the board of directors report must be presented “regularly and at least annually,” but the Rule does not set June 9, 2024 as a specific deadline. In other words, there is no universal deadline each year; the Rule only requires the reporting to occur at least once per year.

Fiction: The board of directors report under the revised Safeguards Rule is due specifically on June 9, 2024.

The Details

Hello there, business leaders, compliance aficionados, and everyone who loves to stay on top of obscure regulatory requirements! Today, we’re diving into a topic that has been causing more head-scratching than a lice outbreak at a kindergarten: the requirement under the Gramm-Leach-Bliley Act Safeguards Rule (“Rule”) for your Qualified Individual to report to your board of directors or equivalent governing body. (16 C.F.R. § 314.4.)

This requirement initially became effective on June 9, 2023, and the date “June 9th” has become a source of confusion. Many have thought that a report is due June 9, 2024, but that’s not quite the case.

The Rule Decoded

The Rule states: “Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing authority.” Sounds straightforward, right? Well, not so much, based on the chatter surrounding this issue.

Here’s the scoop: If your Qualified Individual already reported before June 9, 2024, you’re in the clear! Your company just needs to ensure that it continues this reporting on at least an annual basis going forward. The rule does not mean everyone has to rush to prepare a report specifically by June 9, 2024. Arguably, the first report might have been due at the end of the first calendar year following the rule’s effective date in 2023 (i.e., December 31, 2023). However, the FTC has not clarified this requirement, leaving uncertainty about the exact reporting timeline.

What You Really Need to Do

Let’s break it down with an example. Imagine your company’s last report was submitted on August 1, 2023. The conservative interpretation would say your next due date is simply August 1, 2024, while another reasonable interpretation would say that your next report is due anytime by the end of the 2024 calendar year. In either case, keep calm and carry on with your annual schedule. What the rule emphasizes is the regularity and the minimum frequency (at least once a year) of these reports.

So, why all the confusion? It appears that the date when the rule took effect (June 9, 2023) has been mistakenly interpreted as a universal reporting deadline. Remember, the key here is consistency and ensuring that there is a yearly check-in from your Qualified Individual with the “powers-that-be” (i.e., the board of directors, or equivalent).

Why This Matters

Compliance isn’t just about avoiding fines or getting slapped on the wrist by some stern-faced auditor. It’s about transparency, good governance, and making sure your organization is on track with its obligations and goals to protect and secure both organization and customer information. These reports are a vital tool for your board to get a pulse on how well the company is managing its regulatory environment and risks.

ComplyAuto Makes it Easy

ComplyAuto Privacy customers can have their Qualified Individual generate the annual report within their ComplyAuto account simply by following the instructions and the steps within the annual report wizard under the “Policies & Reports” tab. That’s it. How easy was that?

Wrap-Up Advice

To sum up, don’t let the date of June 9th become a boogeyman. Focus on what the Rule intends: regular, annual communication from your Qualified Individual. If you’ve been aligning with this rhythm already, great! Just continue as you were. If you need to set this up, consider your last report as the starting gun, and establish a cadence from there.

Remember, while compliance might not be the most thrilling part of running a business, it is absolutely crucial. It’s like dental hygiene for your company—nobody really enjoys flossing, but we all know what happens if you don’t!

Stay compliant, and keep those reports coming—not because you fear the calendar, but because it’s good for your business. 
