FTC Updates Security Requirements for Financial Institutions

Oct. 27, 2021, 7:49 PM

The Federal Trade Commission on Wednesday announced updates to the Safeguards Rule that strengthen security requirements for consumer financial information, following an uptick in data breaches.

The updates outline specific criteria financial institutions must meet, including limiting access to consumer data and using encryption to secure that data.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

Under the updated rule, financial institutions must explain their information-sharing practices and designate an individual to oversee their information security program; that individual must report periodically to the board of directors or, where there is no board, to a senior officer responsible for the information security program.

Congress mandated the Safeguards Rule under the 1999 Gramm-Leach-Bliley Act, and in 2020 the FTC held a public workshop on the rule.

The Safeguards Rule updates were passed 3-2 by the FTC, with Commissioners Noah Joshua Phillips and Christine S. Wilson dissenting.

The “new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions,” they wrote.

The revisions impose “intrusive corporate governance obligations” that are unsupported by evidence of prevalent failures at the senior management level, they added.

Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter, in a joint statement, pushed back on those assertions, writing that the revised rule is an update “sorely needed” to protect consumer data and stem the rising tide of damaging data breaches.

“There is also no support for the dissent’s notion that the amendments eliminate financial institutions’ flexibility in a way that will hurt smaller businesses,” they wrote. “The amendments require that information security programs address certain aspects of security, but do not prescribe any particular method for doing so.”

Requiring encryption of customer information and the use of multi-factor authentication will reduce the chances of a breach occurring, Khan and Slaughter wrote.

To contact the reporter on this story: Jake Holland in Washington at jholland@bloombergindustry.com

To contact the editor responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com
