FTC Publishes Guidance on New Safeguards Rules


On May 24, 2022, the Federal Trade Commission (FTC) released a new publication aimed at offering financial institutions and their service providers guidance on the FTC’s recently revised Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).  The new publication, “FTC Safeguards Rule: What Your Business Needs to Know,” signals the FTC’s continued interest in regulating the data security posture of financial institutions subject to the GLBA. Businesses subject to the FTC’s jurisdiction for the GLBA should pay particular attention to these standards, as the agency may be looking to flex its regulatory authority now that it is fully staffed.

The purpose of the Safeguards Rule is to ensure that financial institutions and their service providers maintain safeguards to protect the security of customer information.  The FTC’s Safeguards Rule broadly defines “financial institutions” and includes within its definition non-banking financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies.

The FTC amended the rule in December 2021 to provide more concrete guidance for financial services companies and their third-party service providers, as we wrote about previously here. Unlike previous rules and guidance promulgated by federal financial regulators, the FTC’s new Safeguards Rule includes specific criteria for what safeguards financial institutions must implement as part of their information security program. For example, the new Safeguards Rule requires financial institutions to implement multifactor authentication for individuals accessing networks that contain customer information.

The FTC’s FTC Safeguards Rule: What Your Business Needs to Know publication provides an overview of the new Safeguards Rule and is intended to apprise financial institutions regulated by the FTC of the core data security principles that must be followed.  For example, the publication notes that a reasonable information security program must include nine elements:  (1) a qualified individual responsible for the security program; (2) periodic risk assessments; (3) safeguards to control the risks identified through risk assessments; (4) monitoring and testing effectiveness of safeguards on a regular basis; (5) train staff regularly on cybersecurity awareness; (6) service provider oversight; (7) keeping information security program current to safeguard against emerging threats; (8) creating a written incident response plan; and (9) annual reports to boards of governors on security program.

Financial institutions and their service providers should review the FTC’s publication for more details.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising

Written by:


WilmerHale on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.