FTC Updates Safeguards Rule for Consumer Financial Information
The FTC recently amended the Gramm-Leach-Bliley Act's Safeguards Rule, imposing further data security obligations on covered financial institutions.
Unless you work for a financial services organization or you're used to being deep in the weeds on all things compliance, you may have missed that the Federal Trade Commission (FTC) recently made changes to the Standards for Safeguarding Customer Information, or Safeguards Rule.
The rule, issued under the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to take a closer look at how they manage and secure data. It requires covered entities to store and transmit customer data securely and to maintain a written information security program that describes how the company protects, and plans to keep protecting, customers' nonpublic personal information.
The changes will impose further security obligations and requirements on non-banking financial services companies under FTC jurisdiction, including mortgage brokers, motor vehicle dealers, collection agencies and payday lenders.
The amended rule has been a long time coming: the changes were first proposed back in April 2019 but weren't codified as what the FTC calls the Final Rule to amend the Standards for Safeguarding Customer Information until last month.
"Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it," Samuel Levine, Director of the FTC's Bureau of Consumer Protection, said in October. "The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats."
Some of the new changes add specificity around how an information security program must be developed and run, such as who may access customer data and the safeguards organizations must have in place around the access, collection, distribution, processing, storage, use and transmission of that data.
As far as safeguards go, the new rule stresses that organizations, if they haven't already, need to address the following:
- Access controls
- Data inventory and classification
- Encryption of customer information in transit and at rest
- Secure development practices
- Multi-factor authentication
- Information disposal procedures
- Change management
- Penetration testing and vulnerability assessments
- Incident response
The original rule asks organizations to roll out employee training and to oversee their service providers. The updated rule adds clarifications asking organizations to ensure that both are actually effective.
In many ways, the new rule doubles down on principles already present in the first iteration, but there are more requirements no matter how you slice it. While the current rule asks organizations to carry out a risk assessment, the new one sets criteria for what the assessment must include and requires that it be done in writing. The first rule asked financial institutions to designate one or more employees to oversee the information security program; the new rule requires a single "Qualified Individual," such as a CISO or a qualified employee of a service provider, to be in charge of it, and that individual must report to the board of directors (in writing, at least annually) on the program's status.
More broadly, organizations are asked to "develop or strengthen their information security programs in order to provide reasonable safeguards."
While some of these requirements may sound stringent, they're designed to leave some wiggle room.
It all depends on your risk profile: "A financial institution that shares customer information with numerous service providers would need to take steps to ensure that such information remains protected," the Final Rule reads, "while a financial institution with no service providers would not need to address this issue."
It's also worth noting that not every change applies to every company: financial institutions that maintain information on fewer than 5,000 consumers are exempt from some parts of the rule, including the written risk assessment and the annual written report to the board.
On top of that, much of the guidance (encryption, access controls and so on) is already industry best practice, so ideally this won't be too much heavy lifting for organizations. Many of the changes won't go into effect until a year after the Final Rule is published in the Federal Register, likely sometime next fall, but organizations will still want to make sure they're ready when the time comes to comply.