Data Protection Safeguards Enhancements for Financial Institutions

The Federal Trade Commission (FTC) recently announced an updated rule addressing the data security safeguards that financial institutions must implement to protect their customers’ financial information. Data breaches and cyberattacks have become a growing concern and have caused significant harm to consumers. The FTC is therefore strengthening its Safeguards Rule so that financial institutions and other entities that collect sensitive consumer data protect it better and reduce the risk of such breaches and attacks. This is a further update to the Safeguards Rule originally mandated by Congress under the Gramm-Leach-Bliley Act in 1999, a much needed revision given how much the internet has grown over the past two decades.

This new Final Rule adds detailed requirements for risk assessments to the existing Safeguards Rule. It requires that financial institutions address “access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.” Training is still required, but the Rule continues to allow financial institutions the flexibility to design an information security program appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of the customer information at issue.

Second, the Rule now requires the designation of a single “Qualified Individual” who is responsible for the information security program. It also requires periodic reports to boards of directors or other governing bodies, giving senior management better visibility into the information security program.

The Rule also exempts financial institutions that collect information on fewer than 5,000 consumers from the updates described above, relieving small businesses of the additional burden. However, the definition of “financial institution” has been expanded to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This expansion brings in finders/brokers, since they often collect and maintain very sensitive consumer financial information. Finally, these definition changes apply only to this Rule, so other rules are not affected by the broader definition of “financial institution.”

Many technical changes were made in this updated Safeguards Rule, but one of the most important to keep track of concerns the reporting of security events to the Commission. Such a requirement was not included in this Final Rule: the initial proposed rule did not contain a notification requirement, and the FTC did not find that reporting incidents to the FTC would be helpful. Instead, the FTC has issued a Notice of Supplemental Rulemaking proposing that financial institutions that have determined that misuse of customer information has occurred or is reasonably likely, and that at least 1,000 consumers have been or reasonably may be affected, would have to report the event to the FTC. The proposed time frame is no later than 30 days after discovery of the event.

This update to the Safeguards Rule is one of the first steps toward bringing these regulations in line with the changing digital world we live in today. Many other regulations will likely follow in adjusting to the rapidly changing times.