Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information security programs. The FTC issued a Notice of Proposed Rulemaking proposing these changes in 2019.

The FTC has enforcement authority under the Safeguards Rule over financial institutions that are not banks, credit unions, insurance carriers, or SEC-registered investment advisers and investment companies.  Such financial institutions include non-bank lenders, check-cashing businesses, mortgage brokers, personal property or real estate appraisers, professional tax preparers and credit reporting agencies.

Under the current Safeguards Rule, these financial institutions are required to develop, implement, and maintain a reasonably designed, comprehensive, written information security program with appropriate administrative, technical, and physical safeguards relating to customer information. The final Safeguards Rule represents a significant shift towards more prescriptive requirements for information security, something towards which the FTC has been working for years.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The final Safeguards Rule amends the current rule in five primary ways:

  • By including more detailed requirements for the development and establishment of an information security program. The current rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address identified risks.  The final Safeguards Rule requires that such risk assessment be written and that such safeguards address:
    • access controls;
    • data inventory and classification;
    • encryption;
    • secure development practices;
    • authentication;
    • information disposal procedures;
    • change management;
    • testing; and
    • incident response.
  • Although financial institutions must comply with more specific requirements than under the current Safeguards Rule, they retain the flexibility to design an information security program that is appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any customer information they possess.
  • By requiring the designation of a single individual responsible for implementing and overseeing the financial institution’s information security program (referred to as a “Qualified Individual”) and requiring periodic reports to boards of directors or other governing bodies by such Qualified Individual that will provide senior management with awareness of their financial institutions’ information security programs.
  • By exempting financial institutions that maintain information on fewer than 5,000 consumers from the requirements to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessments, prepare a written incident response plan, and prepare annual written reports for boards of directors or other governing bodies.
  • By expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The final Safeguards Rule now applies to “finders,” e., companies that bring together buyers and sellers of a product or service. Because the Safeguards Rule applies only to relationships and transactions that are “for personal, family, or household purposes,” finding services involving consumer transactions for customers (i.e., consumers with whom a financial institution has an ongoing relationship) will now be covered by the Safeguards Rule. This change will also bring the Safeguards Rule into harmony with other federal agencies’ safeguards rules, which include activities incidental to financial activities in their definition of financial institution.
  • By including several definitions and related examples, including of “financial institution,” in the Safeguards Rule itself rather than incorporate them by reference from the Privacy of Consumer Financial Information Rule promulgated under the GLBA (commonly referred to as the “Privacy Rule”). This will make the Safeguards Rule more self-contained and will allow readers to understand its requirements without having to reference the Privacy Rule.

Certain provisions of the final Safeguards Rule, including those relating to implementing safeguards, undertaking a written risk assessment, appointing a Qualified Individual, and conducting continuous monitoring or annual penetration testing, are effective one year after the date of publication of the final rule in the Federal Register; the remainder of the provisions are effective 30 days following publication.

In addition to the amendments to the Safeguards Rule described above, the FTC is also seeking comment on whether to amend the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the FTC. The proposed amendment would require financial institutions to report a data breach affecting or reasonably likely to affect at least 1,000 consumers.  This notice must be provided via a webform on the FTC’s website within 30 days of discovery of the breach and must include certain specified disclosures. The FTC announced that it would soon publish a supplemental Notice of Proposed Rulemaking, after which the public will have 60 days to submit comments.