On October 27, 2021 the Federal Trade Commission (FTC) issued a final rule (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule or Rule). The amended Rule makes five modifications to the existing Rule. Below is a short overview of the Rule and its revisions, along with a short set of recommendations for businesses affected by the updated Safeguards Rule.
Congress enacted the Gramm-Leach-Bliley Act (GLB or GLBA) in 1999. The GLBA provides a framework for regulating the privacy and data security of a broad range of financial institutions. The GLBA requires financial institutions to provide customers with information about the institutions’ privacy practices and about their opt-out rights, as well as to implement security safeguards for customer information. Under the GLBA, Congress required the FTC and other federal agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for certain information. Accordingly, the FTC established the Safeguards Rule in 2002, and the Rule became effective in May 2003.
Q. What is the scope of the Safeguards Rule? To whom does the Safeguards Rule apply?
A. First, the Safeguards Rule applies only to transactions that are “for personal, family or household purposes.” Second, it applies only to the information of customers, that is, consumers with whom a financial institution has a continuing relationship. The Rule applies to financial institutions over which the FTC has jurisdiction. The FTC has rulemaking authority over financial institutions under the GLBA.
The financial institutions in scope for the Final Rule include but are not limited to mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission and entities acting as finders.
The Rule and the recent revisions under the Final Rule apply only to financial institutions that are not subject to another federal regulator’s authority; that is, those financial institutions that are subject to the Federal Trade Commission Act and are not subject to the jurisdiction or authority of the regulators listed in Section 505(1) through (6). This excludes national banks, member banks of the Federal Reserve System other than national banks, banks insured by the FDIC, and federally insured credit unions. It also excludes broker-dealers registered under the Securities Exchange Act of 1934, investment companies registered under the Investment Company Act of 1940, and investment advisers registered with the Securities and Exchange Commission under the Investment Advisers Act of 1940. To be clear, the “financial institutions” subject to the FTC’s enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under Section 505 of Gramm-Leach-Bliley, 15 U.S.C. 6805.
Q. When am I required to comply with the new provisions of the Final Rule?
A. The deadline for compliance under the Final Rule is October 27, 2022, one year after the date of publication on October 27, 2021.
Q. What does the current version of the Safeguards Rule require of financial institutions?
A. The current version of the Rule requires:
1. Financial institutions must develop, implement and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle customer information.
2. The information security program must be written in one or more readily accessible parts.
3. The safeguards must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities and the sensitivity of any customer information at issue.
4. The safeguards must be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
5. In order to develop, implement, and maintain its information security program, a financial institution must identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in an unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
6. The financial institution must design and implement safeguards to control the risks identified through the risk assessment and must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems and procedures.
7. The Rule requires the financial institution to evaluate and adjust its information security program in light of the results of this testing and monitoring, any material changes in its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.
8. The financial institution must also designate an employee or employees to coordinate the information security program.
9. The Rule also requires a financial institution to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.
Q. How does the Final Rule modify the current Rule?
A. The Final Rule modifies the current Rule in five different ways.
1. The Final Rule amends the current Rule to include more detailed requirements for the development and establishment of the information security program required under the rule.
- While the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards, the Final Rule sets forth detailed and specific criteria for the risk assessment and requires the assessment to be in writing.
- The Final Rule is also more specific about the particular safeguards required, and requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, incident response and testing.
- The Final Rule also adds personnel training requirements designed to ensure that staff are able to carry out the information security program. These include security awareness training, using qualified individuals to manage the program, and verifying that key security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
2. The Final Rule adds a requirement designed to improve the accountability of financial institutions’ information security programs by requiring the appointment of a Qualified Individual. The Qualified Individual may be employed by the financial institution, an affiliate or a service provider.
- Fulfilling this requirement through an affiliate or service provider requires the financial institution to (1) retain responsibility for compliance under the Final Rule, meaning no delegation of responsibility to a third party; (2) designate a senior member of the financial institution’s personnel to be responsible for direction and oversight of the Qualified Individual; and (3) require the service provider to maintain a program that protects the financial institution consistent with the Final Rule.
- The Qualified Individual is also required to report in writing, at least annually, to the financial institution’s board of directors or equivalent on the overall status of the information security program, compliance under the Final Rule, and material matters affecting the information security program.
3. The Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirement of a written risk assessment, incident response plan and annual reporting to the board of directors.
4. The Final Rule expands the definition of financial institution to include entities that engage in activities the Federal Reserve Board determines to be “incidental” to financial activities. This change extends the Safeguards Rule’s application to “finder” companies that bring together buyers and sellers of products or services and collect very sensitive financial information. It also brings the Rule into harmony with other federal agencies’ Safeguards Rules, whose definitions of financial institution include activities incidental to financial activities.
5. The Final Rule includes several definitions and related examples, including that of “financial institution,” in the Rule itself rather than incorporating them from another related FTC rule, the Privacy of Consumer Financial Information Rule.
Q. What are some recommendations for businesses in light of the Final Rule?
A. 1. Determine if an exemption applies under the Final Rule and document facts in support of this conclusion.
2. Ensure the board of directors, officers and others responsible for management of operations are aware of and familiar with the Final Rule’s requirements. Assemble leadership teams for education, assessment of existing compliance processes and a full discussion of how best to implement the Final Rule’s requirements within the time frame required for compliance.
3. Evaluate existing third-party contractual relationships and determine what actions or steps may be required to support compliance with the Final Rule. Ensure all service providers are required by contract to implement and maintain the safeguards mandated by the Final Rule.
4. Identify suitable internal or external candidates to serve as the Qualified Individual. Evaluate whether current information security teams require updated training or additional certifications in order to manage information security risks.
5. Engage qualified counsel to evaluate current compliance under the Rule and, under the attorney-client privilege, to engage outside third parties to conduct a risk assessment.