FTC’s updated Safeguards Rule includes short compliance deadlines and small business exemptions
The Federal Trade Commission (FTC) recently announced its long-awaited update to the Standards for Safeguarding Customer Information, the Safeguards Rule, to strengthen data security requirements for covered businesses. The Safeguards Rule implements the Gramm-Leach-Bliley Act (GLBA), a federal law that applies to non-banking financial institutions and requires safeguards to ensure the confidentiality and security of consumers’ nonpublic personal information.[1]
Much like the New York State Department of Financial Services Cybersecurity Regulation, the new Safeguards Rule contains both risk-based and prescriptive requirements. Most of the updated requirements call for compliance within 30 days of the rule’s publication in the Federal Register. Other requirements must be implemented within one year.[2]
The “Final Rule” includes five main modifications:
1. More detailed requirements for information security programs
The updated rule includes more detailed requirements for covered businesses’ information security programs, including specific criteria for risk assessments and the new requirement that the risk assessment be in writing.[3] After conducting a risk assessment, covered businesses must, within one year, design and implement the following safeguards:
- Implement access controls on customer information
- Conduct a data inventory and classification
- Encrypt all customer information, both in transit over external networks and at rest
- Adopt secure development practices
- Implement multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls
- Implement and maintain information disposal procedures
- Adopt change management procedures
- Test the effectiveness of the safeguards’ key controls, systems, and procedures
- Establish a written incident response plan
Additionally, covered businesses are required to provide effective employee training and oversight of third-party service providers. Covered businesses have one year to implement employee training, but only 30 days to oversee service providers, including requiring, by contract, that the service providers implement safeguards. The FTC acknowledged that covered businesses have flexibility to design an information security program that is appropriate to the business’s size and complexity, the nature and scope of its activities, and the sensitivity of its customer information.
2. New accountability requirements
Within one year of the effective date of the modified rule, covered businesses must appoint a single designated Qualified Individual, who may be employed by the covered business, an affiliate or a service provider, to coordinate the information security program.[4] Additionally, periodic (at least annual) written reporting by the Qualified Individual to the board of directors or governing body is required within one year.[5] The FTC noted that this periodic reporting will provide senior management with better awareness of the information security program and improve the allocation of resources to better protect customer information.[6]
3. New exemptions for small businesses
Recognizing the potential impact of the new requirements on small businesses, the rule exempts covered businesses that maintain customer information concerning fewer than 5,000 consumers from the following requirements:
- Written risk assessment[7]
- Continuous monitoring or periodic penetration testing and vulnerability assessments[8]
- A written incident response plan[9]
- Annual reporting to the board of directors or governing body[10]
4. Expanded definition of “financial institution”
Acknowledging that many businesses that collect and maintain sensitive consumer information may not be covered by the rule, the FTC has expanded the definition of “financial institution” to include entities engaged in activities deemed by the Federal Reserve Board to be “incidental” to financial activities.[11] Specifically, the updated rule now includes “finders”, companies that bring together buyers and sellers of a product or service. This brings the Safeguards Rule into line with other federal agencies’ safeguard rules.
5. Definition amendments
The FTC also amended certain definitions in the following key ways:
- “Authorized User” replaces “authorized individual” and is broadened to include anyone who the financial institution authorizes to access an information system or data, regardless of whether the user actually accesses or uses the data.[12]
- “Cybersecurity Event” is replaced with “security event” to include customer information held in physical form, acknowledging that an information security system may have data that is both digital and physical.[13]
- “Incidental Activity” is added to account for the inclusion of “finders”, defined as those who bring together one or more buyers and sellers of any product or service for a transaction that the parties themselves negotiate.
Notice of supplemental rulemaking
Apart from its update to the Safeguards Rule, the FTC issued a notice of supplemental rulemaking to announce that it is considering implementation of a reporting obligation for covered financial institutions.[14] This reporting obligation would be for cybersecurity events where customer information has been or is reasonably likely to be misused and one thousand or more consumers are affected or are reasonably likely to be affected by it.
Key takeaways
Covered businesses should carefully review the updated rule and move quickly to assess the adequacy of their information security programs. Critically, businesses should be particularly mindful of the 30-day compliance deadline for certain requirements, notably service provider oversight, and prioritize their compliance efforts accordingly.
[1] Examples of non-banking financial institutions subject to the FTC’s enforcement authority are mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and financial advisors, tax preparation firms, non-federally insured credit unions, and entities acting as finders. 16 C.F.R. § 314.1(b)
[2] Requirements for which covered businesses will have one year to comply are: designation of a Qualified Individual, a written risk assessment, the design and implementation of safeguards to control risks identified in the risk assessment, continuous monitoring or periodic penetration testing and vulnerability assessments, employee training, periodic assessments of service providers, and the identification of required remediation measures for known weaknesses.
[3] See generally 16 C.F.R. § 314.4 Elements
[4] 16 C.F.R. § 314.4(a)
[5] 16 C.F.R. § 314.4(i)
[6] 16 CFR Part 314: Standards for Safeguarding Customer Information (Final Rule), at 6, https://www.ftc.gov/system/files/documents/federal_register_notices/2021/10/safeguards_rule_final.pdf
[7] 16 C.F.R. § 314.4(b)(1)
[8] 16 C.F.R. § 314.4(d)(2)
[9] 16 C.F.R. § 314.4(h)
[10] 16 C.F.R. § 314.4(i)
[11] 16 C.F.R. § 314.2(h)(1)
[12] 16 C.F.R. § 314.2(a)
[13] 16 C.F.R. § 314.2(p)
[14] 16 CFR Part 314: Standards for Safeguarding Customer Information (Final Rule), at 100-101, https://www.ftc.gov/system/files/documents/federal_register_notices/2021/10/safeguards_rule_final.pdf