Did the Safeguards Rule Just Get Safer? FTC Publishes Update to Strengthen Protections for Customer Financial Information

After more than five years of internal review and seeking public input, the Federal Trade Commission (“FTC”) announced its approval of long-awaited amendments to the Gramm-Leach-Bliley Act (the “GLBA”) Safeguards Rule (the “Safeguards Rule”). Congress enacted the GLBA in 1999 with a directive for the FTC to promulgate standards for certain financial institutions relating to administrative, technical, and physical safeguards for certain information. As a result of this directive, in May 2002, the Safeguards Rule originally became effective. Now, almost 20 years later, the FTC has updated the Safeguards Rule as an effort to modernize and enhance the safeguards in light of widespread data breaches and cyberattacks from recent years and the advancement of industry practices for protecting customer information. The key updates to the Safeguards Rule are summarized below.

Information Security Program Requirements

In general, the Safeguards Rule applies to non-banking financial institutions subject to the FTC’s enforcement authority pursuant to the GLBA. More specifically, these institutions may include, without limitation, mortgage lenders, “pay day” lenders, check cashers, wire transferors, certain travel agencies, car dealerships, certain retailers issuing credit, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, non-registered investment advisors, and entities acting as finders.

Under the Safeguards Rule, such non-banking financial institutions must develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of customer information. The updated Safeguards Rule, which was approved by the FTC Commissioners along party lines, requires non-banking financial institutions to make significant changes in their information security programs.

The updated Safeguards Rule mandates that non-banking financial institutions implement the below elements as part of their information security program. Many of these are already considered industry best practices. Although non-banking financial institutions must comply with these specific elements, the updated Safeguards Rule will allow them to retain the flexibility to tailor their information security programs to be appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any customer information they possess.

  • Access Controls. Implementing and periodically reviewing access controls, including technical and physical controls to authenticate user access, permit access only to authorized users, and limit user access on a need-to-know basis for customer information.
  • Resource Inventory. Managing an inventory of the data, personnel, devices, systems, facilities, and other resources used to achieve business purposes in accordance with their relative importance.
  • Encryption. Encrypting all customer information both in transit over external networks and at rest, or, if encryption is not feasible, securing such information using comparably effective controls with the approval of the non-banking financial institution’s “qualified individual” (described more below).
  • Multi-Factor Authentication. Implementing multi-factor authentication (or equivalent or more secure controls) for anyone accessing any information system.
  • Secure Disposal. Developing, maintaining, and periodically reviewing procedures for secure disposal of customer information no later than two years after the last date the information is used in connection with providing a product or service to the customer, unless retention is necessary for legitimate business purposes or required by law.
  • Change Management Procedures. Adopting procedures for management of changes to a non-banking financial institution’s safeguards.
  • Activity Monitoring. Implementing procedures and controls to monitor and log activity of authorized users and detect unauthorized access to, use of, or tampering with, customer information by such users.
  • Intrusion Detection. Regularly testing or monitoring the effectiveness of key controls, systems, and procedures, including conducting continuous monitoring or periodic penetration testing and vulnerability assessments.
  • Employee Training. Ensuring personnel have the tools to enact the information security program by providing security awareness training, security updates, and training to address relevant risks.
  • Incident Response. Establishing a written incident response plan designed to promptly respond to, and recover from, any security incident or data breach relating to customer information.

Oversight from a “Qualified Individual”

The updated Safeguards Rule requires non-banking financial institutions to designate a single “qualified individual” to oversee and enforce their information security program, as well as report, in writing, regularly and at least annually, to the institution’s board of directors, other governing body, or a senior officer in charge of information security.

The qualified individual may be an employee of the non-banking financial institution, an affiliate, or a service provider. If a non-banking institution utilizes a service provider or an affiliate, the institution must designate one of its senior employees to be responsible for directing and overseeing the qualified individual and require the service provider or affiliate to maintain an information security program in accordance with the Safeguards Rule.

Supplemental Terminology and Examples

The updated Safeguards Rule expands the rule’s definitional section and add examples to illustrate particular definitions, rather than incorporating such definitions and examples by reference through the GLBA’s Privacy Rule, presumably in an effort to make the Safeguards Rule more self-contained and user-friendly.

Exemptions for Certain Entities

The updated Safeguards Rule exempts non-banking financial institutions that maintain customer information about less than 5,000 consumers from the rule’s requirements relating to a written risk assessment, penetration testing and vulnerability assessments, establishing an incident response plan, and the qualified individual’s reporting requirements.

Most of the provisions of the updated Safeguards Rule, including those relating to implementing safeguards, appointing a qualified individual, and conducting continuous monitoring or periodic penetration testing, are effective one year after the date of publication of the final rule in the Federal Register, while the remainder of the provisions are effective 30 days following publication.

In addition to the updates describe above, the FTC issued a Supplemental Notice of Proposed Rulemaking to seek comment an additional proposed change to the Safeguards Rule that would require non-banking financial institutions to report certain data breaches and other security incidents to the FTC within 30 days of discovery.  This proposed notification obligation would only apply when a non-banking financial institution has determined that misuse of customer information has occurred or is reasonably likely to occur, and at least 1,000 consumers have been, or may reasonably be, affected. Of note, unlike many state data breach notification statutes, as-proposed, the notification requirement does not permit any delay in the notice obligation when non-banking financial institutions cooperate with law enforcement.

A detailed discussion of the FTC’s rulemaking process and a copy of the updated Safeguards Rule is available here. If you have any questions about the Safeguards Rule or how to protect customer financial information, please contact one of the authors.