The FTC recently issued final rules updating the Safeguard Rule and Privacy Rule in accordance with the agency’s announcement in October 2021 that it would do so. WBK previously covered that announcement and the amended Rules in greater detail here.
The final rule makes the following changes to the Safeguard Rule:
- It provides financial institutions with more guidance on how to develop and implement specific aspects of information security programs;
- It adds provisions to improve accountability of financial institutions’ information security programs;
- It exempts financial institutions that collect information on fewer than 5,000 consumers from certain requirements;
- It expands the scope and definition of financial institutions to include entities engaged in activities incidental to financial activities, namely, finders; and
- It defines several terms in the Rule itself rather than incorporating them from the Privacy Rule in order to make the Rule self-contained.
The final rules makes the following changes to the Privacy Rule:
- It removes references that do not apply to motor vehicle dealers in order to correspond to changes made to the Dodd-Frank Act;
- It modifies the annual privacy notice requirements to reflect changes made to the Gramm-Leach-Bliley Act by the FAST Act; and
- It modifies the scope and definition of financial institutions to include entities engaged in activities incidental to financial activities, namely, finders.
Both the amended Safeguard Rule and the amended Privacy Rule go into effect on January 10, 2022.