FTC Proposes Amendments to Safeguards Rule to Track NY DFS Cybersecurity Regulation (and amendments to its Privacy Rule)

Locke Lord LLP

As we’ve been predicting, the Cybersecurity Regulation adopted by the NY DFS for insurance, banking and other financial services continues to drive the conversation in the U.S.  The latest manifestation is the FTC proposal, announced March 5, 2019, to amend it Safeguards Rule adopted pursuant to the Gramm-Leach-Bliley Act of 1999 (GLBA) to require financial institutions to adopt certain safeguards to protect the nonpublic personal information of consumers.  In proposing its amendments, available here, the FTC stated they are “based primarily on” the NY DFS Cybersecurity Regulation and the NAIC data security model law, both of which have been reviewed in our prior articles, including the article linked above.

Key proposed changes to the Safeguards Rule include:

  • Defining “security event” to include events that could compromise important systems as well as customer information
  • Requiring an “information security program” addressing specified elements far beyond the current requirement for “safeguards,” and based on a prescribed “risk assessment”
  • Specific requirements for a Chief Information Security Officer, or CISO, including reporting to the Board
  • Multi-factor authentication or other, equivalent access controls
  • Specifically requiring encryption of data, in transit and at rest
  • Requiring certain written policies, including an incident response plan
  • Specific requirements for data retention and disposal
  • Monitoring of authorized users, and training and education requirements
  • Audit trail requirements for security events
  • Annual penetration tests and biannual vulnerability scans
  • Requirements for managing third party service provider cybersecurity risk
  • Reporting requirements

At the same time, the FTC issued proposed changes to its Privacy Rule under the GLBA to effect certain technical changes related to auto dealers, to modify the requirement for annual privacy notices in accordance with the FAST Act amendments, and to expand the definition of financial institution to include entities engaged in activities incidental to financial activities.  The proposed amendment to the Privacy Rule is available here.

The comment period for the proposed FTC amendments ends 60 days after publication (expected to be on or shortly after March 8, 2019) in the Federal Register.

Written by:

Locke Lord LLP

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.