Back to Basics, Continued—Keep Your Customers’ Information Safe – The New FTC Safeguards Rule



Are you doing everything you can to keep your customers’ information safe? These days, it seems like a new, massive data breach makes the front page almost daily. As a consumer, it is never a good feeling to receive a letter saying that your personal information may have been stolen. And, as a business, it is definitely never a good feeling to have to send those letters to your customers.

Believe it or not, there have been laws on the books for almost 20 years that require financial institutions to take steps to safeguard customer information. The original “Safeguards Rule”, implemented under the Gramm-Leach-Bliley Act (GLBA), went into effect in 2003 and required financial institutions to adopt policies and procedures to protect, or safeguard, customer information. The definition of financial institution in GLBA is extremely broad and covers almost all companies in the consumer finance industry.

But, like most 20-year-old technology, the original Safeguards Rule is showing its age and has become obsolete.

For that reason, last year the Federal Trade Commission amended, expanded and modernized the Safeguards Rule. The updated Safeguards Rule is similar to the 2003 version in that it requires financial institutions to implement a written policy (called an information security program) designed to safeguard customer information. However, the new rule is much more specific and detailed about what companies need to include in their policies. Most of the new provisions become mandatory in December 2022.

Just by sheer word-count, the rule has gone from less than 1,000 words to close to 5,000 words. All those new words mean you probably have some work to do.

Most significantly, the rule now identifies nine elements that must be in a company’s information security program: (i) designating a “qualified individual” to supervise and implement the program, (ii) conducting a thorough risk assessment, (iii) designing and implementing safeguards based on the risk assessment, (iv) monitoring and testing the effectiveness of the program, (v) training staff, (vi) monitoring service providers, (vii) keeping the program up-to-date, (viii) implementing an incident response plan, and (ix) reporting to the board of directors. The rule goes into detail on each of these elements and sets specific requirements for each. The safeguards element, for example, is no longer left to the company’s judgment: the rule spells out access controls, an inventory of the data and systems that handle customer information, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing an information system, secure disposal of customer information no later than two years after it was last used, change management procedures, and logging and monitoring of user activity. The monitoring and testing element likewise requires either continuous monitoring or, failing that, annual penetration testing and vulnerability assessments at least every six months.

While a few of the more demanding provisions (such as the written risk assessment, the written incident response plan and the annual report to the board) apply only to companies that maintain customer information on at least 5,000 consumers, even small companies will still need to adopt the majority of the new provisions.

In the consumer finance regulatory world, every so often, we have a new rule that requires companies to do some heavy-lifting and adopt new policies and procedures. This is one of those rules, so pay attention. Every financial institution under GLBA (which, again, is very broad and includes almost every company in the consumer finance industry) needs to review and update its safeguards policy based on the new rule before December 2022.

Practice Pointer: If you are in the financial services industry, you need to take this seriously for two reasons. First and foremost, you owe it to your customers to keep their information safe. Adopting and implementing a safeguards policy, and of course actually following it, is a great start. Second, it is the law. If a company suffers a data breach and had neglected to adopt a safeguards policy that might have prevented it, the legal, administrative and reputational consequences will be serious and expensive.

Written by: Dentons
