The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:
- A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
- Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
- Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
- Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
- Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities
The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.
The prior rule: lack of concrete guidance to financial institutions subject to FTC authority
The prior Safeguards Rule sought to facilitate covered financial institutions’ protection of consumer data by requiring them to implement robust information security programs. The requirements, however, were more general than prescriptive. Covered institutions were required to:
- Disclose their program to consumers
- Ensure that information security programs appropriately met the size and complexity of an institution’s operations
- Design programs based on reasonably foreseeable internal and external risks
- Implement periodic testing and update programs in light of such tests
- Select appropriate service providers with the capacity to implement and maintain appropriate safeguards
Specific standards introduced under new Safeguards Rule
The new Safeguards Rule introduces specific standards for covered financial institutions’ information security programs, including:
- Specific risk assessment criteria
- Specific factors to be addressed in determining appropriate safeguards
- Designation of a qualified individual responsible for overseeing and reporting on the information security program
- Various service provider oversight obligations
The amended rule also addresses annual penetration tests and semiannual vulnerability assessments, multifactor authentication, encryption of consumer data, and the definitions of various key terms. Notably, the new Safeguards Rule expands the definition of “financial institutions” to bring entities engaged in “finding” – that is, bringing together buyers and sellers of a product or service – under the ambit of the rule.
With the amended Safeguards Rule, the Commission continues to sharpen its focus on financial institutions’ data protection and privacy practices. In an already highly regulated field, it is important for businesses to remain agile and responsive to the changing regulatory and enforcement landscape. Clearer expectations for how financial institutions should develop and establish their information security programs may prove to be a double-edged sword: on the one hand, the amended Safeguards Rule may ease uncertainty about what the FTC expects, but it also places greater pressure on regulated entities to keep abreast of the Commission’s evolving standards and to strive for compliance on an ongoing basis.
Although key requirements are not slated to take effect for another year, financial institutions should begin evaluating their internal security programs in order to assess how they stack up against the amended Safeguards Rule.