Persistent cyberbreaches are compelling government responses to protect consumer data, particularly consumer financial information. Laws passed in California, Colorado, and Virginia are among the most influential at the state level, but federal regulators are also moving to implement additional privacy provisions.
The Federal Trade Commission in late October set out its expectations for how financial institutions should protect consumer data, which was published on Dec. 9, 2021. The FTC’s amended rule (Safeguards Rule) comes at the heels of the Consumer Financial Protection Bureau’s October 2020 advanced notice of proposed rulemaking under the Dodd-Frank Act that would give consumers more control over their financial data.
The commission’s amended Safeguards Rule substantially overhauls requirements initially promulgated in 2002 under the Gramm-Leach-Bliley Act, imposing new obligations for non-banks’ information security programs. Specifically, the Safeguards Rule was amended in the following notable ways, among others:
Definition of Financial Institution
The FTC expanded the scope of the Safeguards Rule by borrowing the definition of financial institution directly from the Bank Holding Company Act. Companies that are “significantly engaged in financial activities” or “activities incidental to such financial activities” are subject to the amended rule.
Notably, finders—companies that bring together buyers and sellers of a product or service that were previously outside the scope of the rule—are now subject to the amended version. Other entities specifically subject to the rule include mortgage lenders and brokers, payday lenders, collection agencies, and non-federally insured credit unions.
The amended rule also adds a number of definitions (e.g., “authorized user,” “security event,” “encryption,” “information systems,” “multi-factor authentication,” and “penetration testing”) for clarity and ease of use.
The requirements for a written risk assessment, incident response plan, and annual reporting to the board of directors will not apply to financial institutions that collect information on fewer than 5,000 consumers.
Information Security Program
The current Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of certain safeguards. The amended rule provides financial institutions with more details regarding how they should develop and maintain an information security program that addresses, among other things, “access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”
In addition to identifying one or more responsible employees, the amended Safeguards Rule requires the designation of a single qualified individual responsible for the information security program and periodic reports to the board of directors or other governing boards.
Financial institutions, particularly those that now fall within the expanded scope of the rule, should be aware of the specific requirements and plan to modify their information security programs accordingly.
What Financial Institutions Should Do
Companies involved in financial activities, even incidentally, should review their information security programs to identify and address gaps so that their programs meet the FTC’s new expectations. There is no one-size-fits-all approach, and regulators will expect companies to implement safeguards appropriate to their risks.
Those that meet the definition of “financial institution” should consider the following, among other things, in advance of the Jan. 10 effective date.
Information Security Programs and Systems
Financial institutions should review their information security programs, as defined by the amended rule, to ensure that they include the new elements required by the rule, including requirements related to, among other things:
- written risk assessment,
- change management,
- regular testing,
- employee and security personnel training and verification,
- a written incident response that addresses a number of areas, and
- reporting to the board of directors.
Financial institutions also should review whether its physical and electronic information systems are inventoried, monitored, and properly secure as required by the amended rule.
Financial institutions should think about who to designate as the qualified individual based on the complexity and size of the institutions’ information systems.
Encryption and Multi-Factor Authentication
Financial institutions should ensure that all customer information is encrypted, and it is able to implement multi-factor authentication for any individual accessing consumer information.
Financial institutions should determine whether they have policies in place to comply with the requirement for periodic review of data retention policies and procedures to securely dispose customer information that is no longer necessary for business purposes.
Financial institutions should ensure that they will be able to periodically assess service providers “based on the risk they present and the continued adequacy of their safeguards.”
While some elements of the amended rule are effective Jan. 10, 2022, the more substantive provisions are effective Dec. 9, 2022. The FTC is also requesting public comment on whether to further amend the Safeguards Rule to require reporting for security events.
If the FTC’s recent actions are any indication of the future of federal privacy regulation, a continued focus on cybersecurity and incident response can be expected.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Elizabeth E. McGinn, a partner at Buckley LLP, focuses her practice on assisting clients in identifying, evaluating, and managing the risks associated with cybersecurity, internal privacy, and information security practices, as well as those of third-party vendors.
Amanda R. Lawrence is a partner at Buckley LLP, where she assists clients in managing cybersecurity, privacy, information security, and vendor risks and compliance, as well as evaluating and addressing potential data security incidents, including drafting consumer and regulator notifications.
Sherry-Maria Safchuk is counsel in the Los Angeles office of Buckley LLP, and assists clients on privacy and data security issues, including matters related to federal and state privacy and data security laws such as the GLBA, FCRA, Safeguards Rule, RFPA, CFIPA, and CCPA.
Lauren Bomberger is an associate in the Washington, D.C., office of Buckley LLP where she assists financial services clients on a variety of regulatory, enforcement, and transactional matters.