On October 27th, the Federal Trade Commission (the “FTC”) announced that it approved an amendment to the Safeguards Rule promulgated under the federal Gramm-Leach-Bliley Act (the “Safeguards Rule”) requiring non-bank financial institutions subject to the FTC’s jurisdiction to report to the FTC data breaches affecting 500 or more people (the “Amendment”). 

The Safeguards Rule requires non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep customer information safe. In the process of adopting certain amendments to the Safeguards Rule in October 2021, the FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The Amendment is the final version of the 2021 proposed supplemental amendment.

The Amendment requires financial institutions to notify the FTC as soon as possible and no later than 30 days after the discovery of a security breach involving the information of at least 500 people. A security breach will trigger the notification requirement if unencrypted “customer information” has been acquired without the authorization of the individual to whom the information pertains. The Safeguards Rule defines “customer information” as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution or its] affiliates.” Note that the terms “nonpublic personal information” and “customer” have nuanced definitions in the Safeguards Rule.

The Amendment provides that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless there is reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

The notice to the FTC required by the Amendment must be submitted electronically on a form found on the FTC’s website, and it must include certain information about the event, including: 

  • a description of the types of information involved;
  • the date or date range of the data breach (if known);
  • a general description of the data breach; and
  • the number of consumers affected or potentially affected.

The Amendment becomes effective 180 days after publication in the Federal Register.

Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information security programs. The FTC issued a Notice of Proposed Rulemaking proposing these changes in 2019.

The FTC has enforcement authority under the Safeguards Rule over financial institutions that are not banks, credit unions, insurance carriers, or SEC-registered investment advisers and investment companies.  Such financial institutions include non-bank lenders, check-cashing businesses, mortgage brokers, personal property or real estate appraisers, professional tax preparers and credit reporting agencies.

Under the current Safeguards Rule, these financial institutions are required to develop, implement, and maintain a reasonably designed, comprehensive, written information security program with appropriate administrative, technical, and physical safeguards relating to customer information. The final Safeguards Rule represents a significant shift towards more prescriptive requirements for information security, something towards which the FTC has been working for years.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The final Safeguards Rule amends the current rule in five primary ways:

  • By including more detailed requirements for the development and establishment of an information security program. The current rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address identified risks.  The final Safeguards Rule requires that such risk assessment be written and that such safeguards address:
    • access controls;
    • data inventory and classification;
    • encryption;
    • secure development practices;
    • authentication;
    • information disposal procedures;
    • change management;
    • testing; and
    • incident response.
  • Although financial institutions must comply with more specific requirements than under the current Safeguards Rule, they retain the flexibility to design an information security program that is appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any customer information they possess.
  • By requiring the designation of a single individual responsible for implementing and overseeing the financial institution’s information security program (referred to as a “Qualified Individual”) and requiring periodic reports to boards of directors or other governing bodies by such Qualified Individual that will provide senior management with awareness of their financial institutions’ information security programs.
  • By exempting financial institutions that maintain information on fewer than 5,000 consumers from the requirements to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and semiannual (at least every six months) vulnerability assessments, prepare a written incident response plan, and prepare annual written reports for boards of directors or other governing bodies.
  • By expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The final Safeguards Rule now applies to “finders,” i.e., companies that bring together buyers and sellers of a product or service. Because the Safeguards Rule applies only to relationships and transactions that are “for personal, family, or household purposes,” finding services involving consumer transactions for customers (i.e., consumers with whom a financial institution has an ongoing relationship) will now be covered by the Safeguards Rule. This change will also bring the Safeguards Rule into harmony with other federal agencies’ safeguards rules, which include activities incidental to financial activities in their definition of financial institution.
  • By including several definitions and related examples, including of “financial institution,” in the Safeguards Rule itself rather than incorporating them by reference from the Privacy of Consumer Financial Information Rule promulgated under the GLBA (commonly referred to as the “Privacy Rule”). This will make the Safeguards Rule more self-contained and will allow readers to understand its requirements without having to reference the Privacy Rule.

Certain provisions of the final Safeguards Rule, including those relating to implementing safeguards, undertaking a written risk assessment, appointing a Qualified Individual, and conducting continuous monitoring or annual penetration testing, are effective one year after the date of publication of the final rule in the Federal Register; the remainder of the provisions are effective 30 days following publication.

In addition to the amendments to the Safeguards Rule described above, the FTC is also seeking comment on whether to amend the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the FTC. The proposed amendment would require financial institutions to report a data breach affecting or reasonably likely to affect at least 1,000 consumers.  This notice must be provided via a webform on the FTC’s website within 30 days of discovery of the breach and must include certain specified disclosures. The FTC announced that it would soon publish a supplemental Notice of Proposed Rulemaking, after which the public will have 60 days to submit comments.

If you are a financial institution, you likely won’t want to miss this FTC All Day Workshop today (Monday, July 13, 2020), because it will be a day full of panelists discussing all things information security and what proposed changes are being discussed. Namely, “the workshop will continue to focus on some of the issues raised in response to the FTC’s proposed amendment to the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.” The FTC will be streaming it live from its website.

In 2019, the FTC published its request for public comment on its proposal to amend the Standards for Safeguarding Customer Information (“Safeguards Rule”). In the Notice, the FTC outlined five “main modifications” to the current rule: (1) “add provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program”; (2) “add[] provisions designed to improve the accountability of financial institutions’ information security programs”; (3) “exempt[] small businesses from certain requirements”; (4) “expand[] the definition of ‘financial institution’”; and (5) “include the definition of ‘financial institution’ and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule.” And, here in July 2020, these changes are still being discussed.

Indeed, the FTC extended the comment deadline until August 12, 2020 to allow for more input. So, there is still time to get engaged if you want to have a voice in the proposed changes. That starts with watching today to learn where things stand, and then being on the lookout for Consumer Privacy World’s detailed follow-up on this important FTC update.


On November 13, 2025, the Government of India formally brought into effect the much-awaited Digital Personal Data Protection Rules, 2025 (Rules). The Rules enforce the Digital Personal Data Protection Act, 2023 (DPDP Act) and provide practical guidance on how to comply with certain provisions of the DPDP Act. Together, they implement binding legislation that regulates the management of digital personal data[1] in and from India.

Continue Reading India Passes the Digital Personal Data Protection Rules, Ushering in a New Digital Age in India 

The Ministry of Electronics and Information Technology (MeitY) has recently released the much-awaited draft of the Digital Personal Data Protection Rules, 2025 (Rules) for public consultation. These proposed Rules provide important insights into the upcoming implementation of India’s new data protection law, which has been under development for some time.

The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant shift in India’s data privacy landscape, laying the foundation for a comprehensive framework governing the collection, use and management of personal data.

Continue Reading The Impact of India’s New Digital Personal Data Protection Rules

After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025. (Read Privacy World coverage here and here.) 

Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CPPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.

Continue Reading Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.

Continue Reading HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

Originally posted on Squire Patton Boggs’ The Trade Practitioner blog 


On October 15, 2024, the U.S. Department of Defense (DoD) released its final rule to establish the Cybersecurity Maturity Model Certification (CMMC) Program (Final CMMC Program Rule). The CMMC Program allows the DoD to verify that defense prime contractors and subcontractors (defense contractors) have implemented security safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are maintaining required safeguards during the contract period of performance. The CMMC requirements apply to defense contractors that process, store or transmit FCI or CUI in the performance of a DoD contract or subcontract.

In a parallel effort, the DoD also has proposed an acquisition rule (48 C.F.R. Part 204, the CMMC Acquisition Rule or DFARS rule) that will amend the Defense Federal Acquisition Regulation Supplement (DFARS) and contractually implement the CMMC Program (32 C.F.R. Part 170) through DoD solicitations and contracts. In September we described the proposed DFARS rule, for which the comment period closed on October 15, 2024. The DoD estimates it will publish the final DFARS rule by mid-2025. The effective date of the final DFARS rule (which is 60 days after it is published in the Federal Register) is a key date, since that effective date will initiate the CMMC Program’s phased rollout discussed below.

Continue Reading Navigating DoD’s CMMC Program Final Rule

The Consumer Financial Protection Bureau (the “CFPB”) recently issued a Notice of Proposed Rulemaking to implement Section 1033 of the Dodd-Frank Act (“Section 1033”). Section 1033 generally requires covered persons to make information concerning a financial product or service that a consumer has obtained from such person available to the consumer, subject to CFPB rulemaking.

The rule recently proposed by the CFPB to implement Section 1033 (the “Proposed Rule”) would require that certain entities make transaction and other account data more readily available to consumers and authorized third parties. It also would impose privacy and information security obligations and limitations on these entities, as well as on third parties authorized to collect and use that data. These requirements and limitations are discussed in more detail below.

Continue Reading CFPB Issues Notice of Proposed Rulemaking on Open Banking

The Federal Communications Commission (“FCC”) has adopted rules to address two fraudulent practices that “bad actors use to take control of consumers’ cell phone accounts and wreak havoc on people’s financial and digital lives without ever gaining physical control of the consumer’s phone.”

In its recent Report and Order and Further Notice of Proposed Rulemaking released November 16, 2023, the Commission first addressed the practice where bad actors convince a wireless provider to transfer a consumer’s service from the consumer’s subscriber identity module (“SIM”) card to a different SIM in a device the bad actor controls (i.e., SIM swap fraud). The agency also acted on wireless number porting fraud, where bad actors impersonate a customer and convince the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls (i.e., port-out fraud). 

Continue Reading FCC Acts to Protect Consumer Data by Strengthening Customer Proprietary Network Information and Number Porting Rules