Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

Governance Controls at Center of FTC Financial Data Privacy Rule

Nov. 8, 2021, 10:31 AM

Financial institutions face heightened expectations for corporate accountability and oversight of data security measures under the Federal Trade Commission’s new rule for protecting their consumer information.

The FTC’s Safeguards Rule, updated Oct. 27, directs financial institutions to designate a person in charge of security controls, such as a chief information security officer, who will report regularly to the board of directors.

The directives represent a recognition that boards are increasingly concerned about cybersecurity, according to Brittany Bacon, a partner in Hunton Andrews Kurth LLP’s privacy and cybersecurity practice.

“It sends a clear message that cybersecurity continues to be a fundamental risk issue,” Bacon said, particularly for financial institutions that hold sensitive customer data such as bank account information and Social Security numbers.

Many financial firms already have a chief security officer or consultants to advise on their security programs, she said. Those practices may be less common in companies that fall on what Bacon called the “fringes” of the financial industry, meaning the FTC’s rule could have more of an impact there.

Covered Companies

The commission’s rule, issued under the 1999 Gramm-Leach-Bliley Act, serves as a catchall for financial institutions that aren’t covered by other federal regulators.

Banks and credit unions, for example, are subject to data privacy and security rules from the Federal Reserve and the National Credit Union Administration.

The FTC’s rule applies to institutions such as mortgage brokers, payday lenders, and consumer reporting agencies. That would include Equifax Inc., which agreed to pay $575 million as part of a settlement with the agency and other regulators over a 2017 data breach.

The updated FTC rule is broadened in scope to also cover intermediary firms that bring together a buyer and seller, such as for a merger or acquisition.

The commission’s focus on assigning an individual responsible for overseeing security could lessen legal pressure on boards of directors to face blame for breaches, according to Christopher Pippett, chair of the financial services industry practice at Fox Rothschild LLP.

“If you’ve got a qualified person managing security and reporting to the board, it’s less likely that directors will have liability,” Pippett said.

In the wake of its massive data breach, Equifax and its directors and executives agreed to pay $149 million to resolve claims that they misled investors about the company’s cyber defenses and vulnerabilities. Other companies have seen similar lawsuits from investors following data breaches.

Other Regulators

The commission’s update brings its rule in line with regulations from other government agencies that oversee the financial industry, including the New York Department of Financial Services.

New York’s cybersecurity rules, which were the first of their kind in the U.S., similarly require banks and other financial institutions to designate a chief information security officer who reports at least annually to the board of directors on the company’s cyber posture and risks.

The department’s rules also call for data access controls like encryption and multi-factor authentication, which are increasingly common practice in the security space. The FTC’s rule likewise tells financial institutions under its purview to limit who can access consumer data and use encryption to secure the data.

“The FTC has realized that it needs to bring its rule into alignment with peer regulators and with current thinking,” said Glenn Brown, data privacy and security counsel at Squire Patton Boggs.

Brown said the commission is also looking to synchronize cyber requirements when it comes to notifying regulators of a consumer data breach.

In New York, financial institutions must report a breach to their regulator within 72 hours of discovering the incident. The Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Federal Reserve Board have proposed their own 36-hour breach notification standard.

The FTC is seeking public feedback on whether to make an additional change to the rule to require financial institutions to report certain data breaches and other security events to the commission.

To contact the reporter on this story: Andrea Vittorio in Washington at

To contact the editors responsible for this story: Kibkabe Araya at; Keith Perine at