On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.

The FTC approved changes to the longstanding Safeguards Rule in October 2021.  The updated rule includes several components that could require significant operational modifications, such as encryption at rest and multifactor authentication whenever nonpublic personal information is accessed.  While some components went into effect 30 days after publication, the most substantive changes were set to go into effect on December 9, 2022. 

The FTC voted unanimously to extend that December 9 date to June 9, 2023.  Accordingly, subject companies will have an additional six months to:

  • Designate a qualified individual to oversee their information security program;
  • Develop a written risk assessment;
  • Limit and monitor who can access customer information;
  • Encrypt information in transit and at rest;
  • Train security personnel;
  • Develop a written incident response plan; and
  • Implement multifactor authentication whenever anyone accesses customer information.

While the new deadline certainly provides breathing room, companies should not take it as an opportunity to delay.  Indeed, between the holidays and state law compliance initiatives, the new deadline will also soon be rapidly approaching.