Last Chance for Financial Companies to Weigh in On New FTC Data Security Standards

BCLP

For the first time in 17 years, the FTC is proposing significant increases to the information security standards which apply to those financial institutions that are regulated by the FTC and are not already subject to similar standards imposed by other federal regulators (such as the SEC or banking regulators). The proposal incorporates the expansive cybersecurity and data protection laws that apply to insurance companies and other financial institutions, adopted by the New York Department of Financial Services and the National Association of Insurance Commissioners.

This may be the last chance for financial institutions to weigh in on the FTC’s proposal before it is promulgated as final; the FTC is seeking comments on the proposal which will be due 60 days after the proposal is formally published in the Federal Register. 

Safeguards Rule

Financial institutions subject to the FTC’s jurisdiction are required to follow the FTC’s Standards for Safeguarding Customer Information (Safeguards Rule) unless, pursuant to Section 505 of the Gramm-Leach-Bliley Act, they are regulated by another U.S. federal or state regulatory body, such as the SEC, CFTC, FDIC, OCC, OTS, NCUA, Federal Reserve Board, or state insurance regulators. Financial institutions subject to the Safeguards Rule include non-bank financial institutions such as payday lenders, check cashers, debt collectors, consumer reporting agencies such as credit bureaus and background check companies, real estate settlement agents, electronic transactions companies, certain mortgage lenders and brokers, and vehicle finance and lease companies. The Safeguards Rule was adopted as a final rule by the FTC in May 2002.

Proposed Amendments to Safeguards Rule

On March 5, 2019, the FTC issued a Notice of Proposed Rulemaking, requesting comments on its proposed amendments to the Safeguards Rule. The proposed amendments will subject financial institutions to much greater obligations, such as encryption of all data, multi-factor authentication, routine risk assessments, and formal reports to their boards of directors.  A separate Incident Response Plan is mandatory, and must detail how cybersecurity events will be addressed.  

The proposed amendments also require financial institutions to designate one specific individual (an employee or a third-party provider) to oversee and enforce the institution’s information security program, such as a Chief Information Security Officer (CISO). It will no longer be permissible to assign this function to a group of employees, as the FTC believes that having more than one person in charge increases the risk of gaps in responsibilities and decreases accountability.

The proposed amendments would expand the scope of the Safeguards Rule to financial institutions engaged in activities that are “incidental to financial activities” (as determined by the Federal Reserve Board). Under this expansion, so-called “finders” (those who bring together buyers and sellers) would have to comply with the Safeguards Rule. Finders are being included because their practices involve the collection of financially sensitive personal information.

Small businesses would be exempt from some of the proposed amendments. This limited exemption would apply to businesses that traditionally have fewer customers (particularly tax preparers and mortgage brokers). To qualify for the exemption, a financial institution must maintain customer information concerning fewer than 5,000 consumers.

The FTC discusses several public comments submitted by interested parties in 2016, when the FTC considered potential changes to the Safeguards Rule. Most of the comments favored flexibility in maintaining information security programs, without additional and more detailed requirements. The FTC largely rejected these suggestions, although it is instructive that two of the five FTC Commissioners voted against the proposed amendments and issued a separate opinion criticizing the amendments as unnecessarily detailed and restrictive.

The proposed amendments have not yet been published in the Federal Register; once published, comments will need to be submitted within 60 days of publication.  The proposed amendments will be effective six months after they are finalized, although there are some staggered effective dates for some of the new requirements.  

In conjunction with the proposed amendments to the Safeguards Rule, the FTC published a proposal to amend its Privacy of Consumer Financial Information Rule.  Such amendments are mostly technical changes to ensure conformity to the most updated versions of federal laws (Dodd-Frank Act, GLBA and the CFPB’s Regulation P).  Post Dodd-Frank, the Privacy Rule generally applies only to certain motor vehicle dealers.  
