In December 2021, the Federal Trade Commission (FTC) published amendments to the Standards for Safeguarding Customer Information (the Safeguards Rule), imposing new obligations on non-bank financial institutions’ information security programs. Most of the new provisions of the Safeguards Rule will not take effect until December 9, 2022, but some requirements went into effect on January 10, 2022. This article discusses the major changes in the new Safeguards Rule, as well as tips for complying with the new standards.
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, provides a framework for regulating the privacy and data security practices of financial institutions. “Financial institutions” include, but are not limited to, lenders, financial advisors, loan brokers and servicers, collection agencies, tax preparers and real estate settlement services. The insurance and securities industries are also subject to the GLBA, but are primarily regulated at the state level (insurance) and by other federal agencies (securities).
The GLBA generally requires financial institutions to provide customers with information about the institution’s privacy practices and to implement security safeguards for customer information. In 2002, the FTC and other federal agencies issued a final rule, the Safeguards Rule, setting forth standards for financial institutions to follow when implementing these safeguards.
The Safeguards Rule requires a financial institution to develop and implement a comprehensive “information security program”—a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The information security program must be in writing, and it must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities and the sensitivity of any customer information at issue. The Safeguards Rule initially required only that certain basic elements be included in the program. In general, the original Safeguards Rule required financial institutions to (1) designate an employee to coordinate the information security program; (2) identify reasonably foreseeable risks to customer information that could result in unauthorized use, disclosure or other compromise of such information; (3) design and implement safeguards to control these identified risks; (4) regularly test and monitor the effectiveness of the program’s safeguards; (5) take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information; and (6) evaluate and adjust the program in light of the results of that testing and monitoring, or in light of any other circumstances that may have a material impact on the program.
In 2019, the FTC sought comments on proposed changes to the Safeguards Rule, and in 2020, the FTC held a public workshop on the Safeguards Rule. On December 9, 2021, after reviewing comments and conducting the workshop, the FTC issued its final amendments to the Safeguards Rule.
Amendments to the Safeguards Rule
The new Safeguards Rule contains five main modifications:
1. New Definition of “Financial Institution”
“Financial institution” was previously defined only as any U.S. company “significantly engaged in financial activities.” Under the new Safeguards Rule, “financial institution” also covers companies significantly engaged in “activities incidental to such financial activities.” The FTC explains that this modification is intended to bring “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Safeguards Rule. According to the FTC, “finders,” such as companies that serve as lead generators for payday loan companies or mortgage companies, often collect and maintain very sensitive consumer financial information and should therefore have the same obligation as other financial institutions to protect it.
While the definition of “finders” is broad, the scope of the language is limited by the context of the Safeguards Rule. Only finding services involving consumer transactions (i.e., transactions for personal, family or household purposes) are covered. Also, the Safeguards Rule applies only to information about customers, i.e., consumers who have a continuing relationship with the financial institution. Therefore, the Safeguards Rule does not apply to finders whose interactions with consumers are only isolated.
2. Other New Definitions and Related Examples
The new Safeguards Rule introduces a number of defined terms, such as “authorized user,” “multifactor authentication,” “encryption,” “penetration testing” and “security event,” along with related examples for clarity and ease of use.
3. New Requirements for Information Security Programs
The new Safeguards Rule provides more detailed requirements for developing and establishing an information security program. For example, the old Safeguards Rule generally required financial institutions to conduct a risk assessment and then develop and implement safeguards addressing the identified risks. The new Safeguards Rule specifies that the risk assessment must include, among other things, (1) criteria for evaluating risks faced by the institution; (2) criteria for assessing the security of its information systems; and (3) how the identified risks will be addressed.
The new Safeguards Rule also sets forth particular safeguards the information security program must include. For example, a financial institution’s safeguards must now include access controls, data inventory and classification, encryption, secure development practices, authentication (including multifactor authentication for individuals accessing information systems), information disposal procedures, change management, monitoring and testing, and incident response.
The new Safeguards Rule also adds mechanisms designed to ensure that employee training and oversight of service providers are effective. Financial institutions must implement policies and procedures with four main components: (1) general employee training; (2) use of qualified information security personnel; (3) specific training for information security personnel; and (4) verification that security personnel are taking steps to maintain current knowledge of security issues.
Despite these more specific requirements, financial institutions remain free to perform their risk assessments in whatever way they choose and to use whatever method or approach works best for them, as long as the method identifies reasonably foreseeable risks. The new Safeguards Rule still gives financial institutions the flexibility to design an information security program appropriate to the size and complexity of the institution, the nature and scope of its activities and the sensitivity of any customer information at issue.
4. Improved Accountability
The new Safeguards Rule adds requirements designed to improve the accountability of financial institutions’ information security programs. For example, the new Safeguards Rule requires the designation of a single “Qualified Individual” responsible for overseeing the program and for periodic (at least annual) written reports to the board of directors or an equivalent governing body. The FTC explains that this requirement will give senior management better awareness of the institution’s information security program, making it more likely that the program will receive the resources it needs and be able to protect consumer information.
5. New Exemptions for Small Businesses
The new Safeguards Rule exempts financial institutions that maintain customer information on fewer than 5,000 consumers from the requirements for a written risk assessment, continuous monitoring or annual penetration testing, a written incident response plan, and annual reporting to the board of directors. All other requirements of the rule still apply to these institutions.
The FTC declined to incorporate or reference any particular security standard or framework, and it also declined to make compliance with an outside standard a safe harbor under the new Safeguards Rule. Adopting a framework such as NIST or ISO may help an institution build its program, but it does not substitute for compliance: financial institutions must satisfy the Safeguards Rule itself, in addition to any applicable state security standards.
It should be noted that the Safeguards Rule does not (yet) include a breach notification requirement. However, the FTC is issuing a supplemental notice of proposed rulemaking that would require financial institutions to notify the FTC of certain detected security events. Financial institutions should therefore expect a breach notification obligation to the FTC in the near future.
The addition of companies conducting activities merely incidental to financial activities means the scope of the new Safeguards Rule is broader than before. Some provisions of the new Safeguards Rule are currently in effect, but the more substantive provisions—such as the detailed risk assessment requirements, the specific safeguards requirements and the reporting to the board—are not effective until December 9, 2022. Companies involved in financial activities, even incidental ones, should thoroughly review their information security programs and make sure they comply with the new Safeguards Rule.
To learn more about how you can prepare for the new Safeguards Rule, please contact our Cybersecurity and Data Privacy Team.