The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:

  • A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
  • Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
  • Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
  • Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
  • Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities

The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.

Last week, the Staff of the Commodity Futures Trading Commission (CFTC) issued Staff Advisory 14-21 on the subject of “Gramm-Leach-Bliley Act Security Safeguards.” The CFTC had issued guidance previously in Part 160 of the CFTC’s regulations on “Privacy of Consumer Financial Information” (April 27, 2001). Swap Dealers (SDs) and Major Swap Participants (MSPs)