The FTC recently announced an update to the existing Safeguards Rule (16 CFR 314.1) that will strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. The Safeguards Rule was mandated under the 1999 Gramm-Leach-Bliley Act. The update to the regulation is the result of years of public input which began in 2016 and helps bring the regulation in line with other agencies safeguards rules. The update is effective on January 10, 2022 and contains five main modifications to the existing rule.
First, the update provides more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. While the current regulation requires institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the update sets forth specific criteria for what the risk assessment must include and requires the risk assessment be set forth in writing. As to particular safeguards, the update requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. Although the update retains the requirement from the current regulation that financial provide employee training and appropriate oversight of service providers, it adds mechanisms designed to ensure such training and oversight are effective. Though the update has more specific requirements than the current regulation, it still provides institutions the flexibility to design an information security program appropriate to the size and complexity of the individual institution.
Second, the update improves the accountability of institutions' information security programs, such as by requiring periodic reports to boards of directors or governing bodies. While the current regulation allows a financial institution to designate one or more employees to be responsible for the information security program, the update requires the designation of a single qualified individual. The update requires periodic reporting to boards of directors or governing bodies, which will provide senior management with better awareness of the institutions' information security programs, increasing the likelihood the programs will receive the resources required to run a successful program.
Third, the update exempts institutions that collect less customer information from certain requirements, recognizing the burden on smaller institutions. The update exempts institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors.
Fourth, the update expands the definition of “financial institution” to include entities engaged in activities incidental to financial activity. The update also adds companies that bring buyers and sellers of a product or service together, referred to as “finders,” within the scope of the regulation. Finders often have access to sensitive consumer information, and this change will require them to comply with the Safeguards Rule's requirements to protect that information.
Fifth, the update adds definitions and examples in the regulation itself rather than cross-referencing other FTC rules, which allows the regulation to be self-contained and more understandable by itself, rather than having to visit other regulations to understand this regulation.