On October 27, 2021, in an effort to address increasing data breach and cybersecurity concerns, the FTC announced that it updated its Safeguards Rule to require non-banking financial institutions, such as independent mortgage lenders and brokers, to develop, implement, and maintain a comprehensive security system to help protect their customers’ data from cyberattacks and other threats. The following provisions, discussed in more detail below, are effective one year after the Final Rule is published in the Federal Register: (i) the appointment of a qualified individual, who must prepare an annual report and conduct written risk assessments; (ii) the new elements that must be included in information security programs; (iii) continuous monitoring or periodic penetration testing and vulnerability assessments; (iv) requirements related to the training of personnel; (v) periodic assessments of service providers; and (vi) written incident response plan requirements. All other changes are effective 30 days after the publication of the Final Rule in the Federal Register.
The FTC adopted the Final Rule after reviewing the comments that were submitted for the proposed rules, which WBK previously covered here and here, and from the workshops that the FTC held in connection with the proposed changes. The update makes five primary modifications to the Safeguards Rule. For starters, the Final Rule adds detailed data security requirements, which are intended to provide more guidance to financial institutions regarding the development and implementation of specific aspects of information security programs (e.g., access control, authentication, encryption, and data disposal and retention). In addition, the Final Rule incorporates provisions that are intended to improve the accountability of financial institutions’ information security programs. For example, the Final Rule requires financial institutions to designate a qualified individual who, among other things, will be required to prepare written risk assessments, oversee service providers, and prepare annual reports for the financial institutions’ board of directors or equivalent governing body.
The Final Rule also adopts, as originally proposed, an exemption for financial institutions that collect information on fewer than 5,000 consumers from certain requirements, such as those regarding written risk assessments, continuous monitoring or periodic penetration testing and vulnerability assessments, incident response plans, and annual reporting. Moreover, the Final Rule expands the meaning of “financial institution,” which includes entities significantly engaged in activities that the Federal Reserve Board determines to be financial in nature or incidental to such financial activities, to include companies that bring together buyers and sellers of a product or service for transactions that the parties themselves negotiate and consummate (i.e., “finders”).
Finally, the update adds several definitions and examples to the Safeguards Rule, many of which were added in order to include them directly in the Safeguards Rule itself rather than via incorporation by reference to the FTC’s Privacy Rule (e.g., “consumers,” “customers,” and “personally identifiable financial information”). Although many terms were adopted as originally proposed (e.g., “financial institution”), the Final Rule modifies the meanings of several terms from the definitions originally included in the proposed rule (e.g., “authorized user,” “encryption,” and “information system”).
The FTC is also seeking comment on whether to make additional changes to the Safeguards Rule to require financial institutions to report to the FTC any security event where the institution has determined that customer information misuse has occurred or is reasonably likely to occur and that at least 1,000 consumers have been or reasonably may be affected. More specifically, among other things, the FTC is requesting comments on whether such a requirement should be added to the Safeguards Rule and, if so, on the deadline for reporting discovered security events to the FTC, which security events should require notification, whether such reports should be disclosed to the public, whether events involving encrypted information should be included in the requirement, and, for notifications affecting law enforcement investigations, whether law enforcement agencies should be allowed to delay or prevent notification. The public will have 60 days from the date the supplemental notice of proposed rulemaking is published in the Federal Register to submit comments.
Additionally, the FTC announced that it adopted technical changes to its Privacy Rule, which will become effective 30 days after publication in the Federal Register. These revisions align with the changes made under the Dodd-Frank Act that narrowed the FTC’s jurisdiction under the Privacy Rule to only apply to motor vehicle dealers.