On October 27, the Federal Trade Commission (FTC) announced a final rule (Final Rule) and supplemental notice of proposed rulemaking (NPRM) to amend the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA), which requires covered financial institutions to implement certain security safeguards to protect their customers’ financial information against data breaches and cyberattacks. The FTC also issued another rule adopting largely technical revisions to the scope of its Privacy Rule, a separate GLBA rule that requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.

Adopted Amendments to the Safeguards Rule

The culmination of a multi-year solicitation of public input, the FTC’s Final Rule revamps the Safeguards Rule to include more specific criteria for safeguards that covered financial institutions must implement as part of their comprehensive information security program. The Final Rule applies to non-banking financial institutions, such as mortgage lenders and brokers, motor vehicle dealers, payday lenders, collection agencies, finance companies, and entities acting as “finders” in bringing together buyers and sellers of products or services for transactions that the parties themselves negotiate and consummate.

The updated Safeguards Rule would still require such entities to develop, implement, and maintain a comprehensive information security plan containing administrative, technical, and physical safeguards that are appropriate to the entity’s size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. But where the Safeguards Rule previously required only certain high-level elements to be included in the information security plan, the amendments reflect the agency’s shift over the years towards more prescriptive security requirements.

Among other things, covered financial institutions must:

  • Designate a single qualified individual to oversee, implement, and enforce the information security program and report, at least annually, to the financial institution’s board of directors, or equivalent governing body, or to the senior officer responsible for the information security program. Currently, the Safeguards Rule allows entities to designate multiple employees to coordinate the information security program. In their joint statement, FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter identified Equifax’s division of authority over its information security program between two people as one of the major causes of the 2017 data breach, due to failures in communications, oversight, and enforcement.
  • Include specified criteria in the risk assessment and memorialize such risk assessment in writing.
  • Develop and implement particular safeguards that address access controls, data inventory and classification, encryption, secure development practices, multi-factor authentication, information disposal and retention procedures, change management, testing, and incident response.
  • Periodically assess their service providers based on the risk they present and the continued adequacy of their safeguards

The FTC’s two Republican commissioners, Noah Joshua Phillips and Christine S. Wilson, criticized in their dissenting statement the burden imposed by the new rules, especially on smaller firms that may be less able to absorb the financial costs of the added requirements. They asserted that a “hallmark” of the current Safeguards Rule is “its recognition that, in a world of continuously evolving threats and standards, a one-size-fits-all approach to data security may not work.”

 

In response, FTC Chair Khan and Commissioner Slaughter emphasized in their joint statement that financial institutions would still retain flexibility under the amended rule, which requires that the information security program address areas such as access control, change management, information disposal, and monitoring user activity, but does not require the institution to take any particular action in those areas. Should financial institutions with smaller and simpler systems determine that minimal procedures are required in those areas, they may follow that route. Additionally, in recognition of the impact of the additional requirements on small businesses, the Final Rule provides a partial exemption from various requirements for financial institutions that collect information on fewer than 5,000 consumers from the requirements.

Certain provisions of the Final Rule, including those relating to the appointment of a qualified individual, written assessment, continuous monitoring, penetration testing, and vulnerability assessments, among other safeguards, are effective one year after the date of publication of the Final Rule in the Federal Register. The remainder of the provisions are effective 30 days following publication.

Proposal to Require Reporting of Certain Cybersecurity Events

In addition to the updates above, the FTC issued an NPRM seeking public comment on amending the Safeguards Rule to also require financial institutions to notify the agency of a security event in which the misuse of customer information has occurred or is reasonably likely and affects, or reasonably may affect, at least 1,000 consumers. Such notice would be provided electronically via a form on the FTC’s website within 30 days of discovery of the breach. The information the FTC receives would then be entered into a publicly available database.

Once the NPRM is published in the Federal Register, the public will have 60 days to submit comments.

Updates to the Scope of the Privacy Rule

The FTC also issued a separate rule to align the Privacy Rule with changes made under the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which narrowed the FTC’s jurisdiction under the Privacy Rule to apply only to motor vehicle dealers. The changes would also reflect amendments made to the GLBA as part of the 2015 Fixing America’s Surface Transportation Act, which provided an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers. This rule is effective 30 days after the date it is published in the Federal Register.