Yesterday, the FTC announced an update to its Safeguards Rule (“Rule”).  The update includes significant changes regarding the safeguards financial institutions may need to adopt as a part of an information security program, and adds board oversight and accountability requirements as well. The FTC also announced that it will seek public comments on whether there should be additional changes to the Rule.

The Safeguards Rule was originally promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act (“GLBA”), one of the U.S.’s sectoral privacy laws governing the privacy and data security of financial institutions.  The GLBA requires financial institutions -- including mortgage brokers, motor vehicle dealers, and payday lenders -- to provide customers with information about the institutions’ privacy practices, consumers’ opt-out rights, and to implement security safeguards for consumer information.  

This update comes in the wake of “widespread data breaches and cyberattacks” that, according to the FTC, have resulted in “monetary loss, identity theft, and other forms of financial distress.”  The updated Rule expands many of the requirements relating to an organization’s information security policy, including by:

  • Specifying the criteria financial institutions must consider when conducting a written risk assessment identifying “reasonably foreseeable internal and external risks.”
  • Designating additional safeguards that companies may implement in addressing those risks as a part of an information security program, such as:
    • access controls limiting who may access consumer data,
    • conducting a data inventory and classification,  
    • encrypting data in transit and at rest,
    • strengthening authentication methods, and
    • implementing information disposal, change management, and incident response procedures.
  • Requiring that financial institutions explain their information sharing practices, specifically the administrative, technical, and physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ information.
  • Requiring that financial institutions designate a qualified individual to oversee their information security program. The person in that role will also be required to report periodically to an organization’s board of directors, or a senior officer in charge of information security.

The updated Rule will exempt institutions that collect information from fewer than 5,000 consumers from the written risk assessment, incident response plan, and annual board of directors reporting requirements.  Companies that do not meet this exemption should carefully review the updated Rule and the obligations therein.

The FTC also announced that it will open a new round of public comment on the Safeguards Rule in order to determine whether financial institutions should be required to report data security incidents to the FTC.  The comment period will run for 60 days starting the day after notice is published in the Federal Register.