The Federal Trade Commission (“FTC”) recently announced an updated rule to strengthen data security safeguards for financial institutions. 16 C.F.R. § 314. As a result of increasing cyberattacks and data breaches, the FTC augmented requirements to protect customer financial information. The updated rule includes limiting access, authentication protocols, and the use of encryption to secure information, and it lays out incident response plans and security programs based on risk assessments. Institutions will be required to explain their policies and practices, specifically administrative, physical, and technical safeguards. Financial institutions will also have to designate a single “qualified individual” to oversee the information security program. The individual must also report to the board of directors of the institution or to a senior information security officer there. The rule also requires non-banking institutions, such as mortgage brokers, vehicle dealers, and small loan lenders, to develop and implement comprehensive security systems to keep customer data safe.
These new safeguards reflect the FTC’s increased focus on preempting cyberattacks by requiring that businesses and institutions implement processes and procedures that safeguard user data.
The final rule can be found here.