The Federal Trade Commission recently finalized a long-discussed update to its cybersecurity Safeguards Rule that includes more specific criteria for what financial institutions must implement as part of their information security programs. Among other key changes, many companies are likely to be impacted by an expansion of the rule’s scope to include “finders,” which may allow such businesses (including fintech firms) to avoid the current regulatory burden and confusion of state law requirements.
As part of its implementation of the Gramm-Leach Bliley Act (GLBA), in 2002, the Federal Trade Commission (FTC) issued the Safeguards Rule (the Rule), which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. Until the recent update, the FTC had not amended the Rule since it was initially promulgated. The new Rule is the culmination of extensive work by the FTC that initially began in 2016.
Under the longstanding previous version of the Rule, companies are required to develop a written information security plan that implements administrative, technical, and physical safeguards appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the customer information they handle.
The prior iteration also requires companies to assess and address the risks to customer information in all areas of their operations. In addition, covered companies are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. Companies have enjoyed substantial flexibility in compliance under the prior version of the Rule, but sometimes found the lack of specifics frustrating. The FTC has now provided more specific instruction.
WHO IS COVERED UNDER THE NEW RULE?
Significantly, the definition of “financial institution” under the Rule includes many businesses that may not normally describe themselves that way. In fact, the Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.
KEY CHANGES IN THE NEW RULE
The update includes six main changes:
- Adds more specific criteria about the safeguards that financial institutions must implement as part of their information security program, including encryption, penetration testing, and multi-factor authentication
- Requires institutions to explain their information sharing practices and security safeguards in a written risk assessment
- Requires financial institutions to designate a single qualified individual to oversee their information security programs and report periodically to the organization’s management
- Expands the definition of “financial institution” to include “finders”—companies that bring together buyers and sellers of a product or service
- Defines several terms and provides related examples in the Rule itself rather than incorporate them by reference from the GLBA Privacy Rule
- Exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from certain requirements
The added requirements of the updated Rule (e.g., qualified individual appointments, written risk assessments, annual penetration testing and biannual vulnerability assessments, periodic assessment of service providers, and written incident response plans) will take effect one year after its publication in the Federal Register (which makes the ultimate compliance date likely to be sometime in Q4 2022).
Most of these additional items may not be novel to companies that already have developed a robust information security program. As stated by the FTC itself in the preamble to the updated Rule:
The Commission believes that many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.
Many commentators have already noted that the measures closely track recently enacted regulations by state financial regulators such as the New York Department of Financial Services Cybersecurity Regulations and the Massachusetts Cybersecurity Regulations.
At the same time, the FTC published a supplemental notice of proposed rulemaking seeking comments on whether to make an additional change to the Rule to require financial institutions to report certain data breaches and other security events to the FTC.
ANALYSIS OF THE RULE’S EXPANDED SCOPE
Given the onus of compliance with an ever-changing state privacy law landscape, many entities may actually find it beneficial to be considered a “financial institution” under the Rule in order to be exempt from state laws, which generally have an exemption for entities or information subject to a federal privacy/cybersecurity law.
The update makes this somewhat easier by expanding the definition of a financial entity to include entities that are “significantly engaged in activities that are incidental to financial activity” as defined by the Bank Holding Company Act. This change brings one activity into the definition that was not covered before—the act of “finding” defined as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” “Finders” can be read broadly to include a variety of commercial enterprises, including many fintech business models.
The preamble to the updated Rule notes that there are certain limitations to what businesses are considered “finders” under the Rule, namely that only finding services involving consumer transactions will be covered and that the Rule only applies to the information of customers (consumers with which a financial institution has a continuing relationship). However, the addition of “finders” still allows for various types of entities to make a compelling argument that they are subject to the Rule.
Even with the addition of more prescriptive security requirements, being subject to the Rule may still be a straightforward way for companies to avoid wading into the confusing landscape of the current state law privacy regime. Additionally, the trend in certain privacy-related state laws—such as the California Consumer Privacy Act (CCPA) and in Virginia—has been to give consumers various opt-out and request rights that have not yet been adopted under federal law.
As an additional example of the expansiveness of state law when compared to the Rule, the FTC refused to include data that is “reasonably linkable” to individuals as “personally identifiable financial information.” This excludes from the scope of the Rule aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses but could possibly be linked to an individual. Such information is included as personal information under the CCPA.
 12 CFR 225.86(d)(1).