On October 27, 2021, the Federal Trade Commission (FTC) released a final rule that updates the Safeguards Rule of the Gramm-Leach-Bliley Act (Final Rule). This Final Rule comes after the FTC sought comment on proposed changes to the Safeguards Rule in 2019 and held a public workshop in 2020.
The Safeguards Rule applies to non-banking financial institutions, including certain financial technology companies, that are engaged in financial activities. The Final Rule makes significant updates to the original Safeguards Rule promulgated in 2003, most notably by 1) requiring financial institutions to follow more specific criteria for implementing safeguards to help protect their customers' information; and 2) adding provisions that are intended to increase the accountability of information security programs.
Key provisions in the Final Rule include:
- Guidance on how to implement specific aspects of an information security program: Among other things, the Final Rule requires that financial institutions implement safeguards that address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. Companies must also implement policies and procedures to enact those safeguards, hold trainings for employees on information security, and oversee any third-party service providers. Although the Final Rule has more specific requirements than the current Rule, it still provides financial institutions the flexibility to design an information security program that is appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.
- Additional provisions that are intended to increase the accountability of information security programs: While the current rule allows for multiple individuals to have responsibility over a covered financial institution's information security program, the Final Rule narrows that responsibility to a single "Qualified Individual," who must periodically report to a board of directors or equivalent governing body, or to a senior officer responsible for the information security program.
- Partial exemption of financial institutions that collect less customer information: Financial institutions that collect information on fewer than 5,000 customers are exempt from certain requirements, including documenting the required risk assessment in writing, performing vulnerability and penetration testing, establishing a written incident response plan, and annual reporting to the board.
- Expansion of the definition of covered "financial institutions": Covered financial institutions now include entities that engage in activities that the Federal Reserve Board considers incidental to financial activities. This change brings only one activity into the definition that was not covered before: the act of "finding," which is defined as bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.
The final updated Safeguards Rule was passed 3-2, with Commissioners Noah Joshua Phillips and Christine S. Wilson dissenting. In their dissent, Phillips and Wilson criticized the updated rule for being too inflexible and prescriptive, and claimed that the record failed to show a need for updates to the Rule at all. The dissent argued that both competition and security itself would suffer, as smaller companies are less able to absorb the financial costs of new regulatory mandates, and covered companies may be incentivized to engage in a check-the-box exercise rather than a thoughtful risk assessment. Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter wrote separately to push back on the dissenting commissioners' criticisms and to assert that these updates were necessary to protect consumer information and address an increasing number of data breaches.
Separately, the FTC is also inviting comments on a proposed rulemaking to add a reporting requirement to the Safeguards Rule, which would require covered financial institutions to report data breaches and other security events to the commission.
Financial institutions—including financial technology companies—that are covered by the GLBA are encouraged to reexamine their information security programs under the new Safeguards Rule to ensure compliance.