FTC’s Update to Safeguards Rule Has New Implications for Directors

Fox Rothschild LLP

The Federal Trade Commission has issued an update to the Safeguards Rule that imposes a duty on financial institutions to protect consumer information they collect in the process of providing financial services.

In an October 27, 2021 release, the FTC noted that the Safeguards Rule was mandated by Congress under the 1999 Gramm-Leach-Bliley Act. The amendments were in part the result of public input sought by the FTC since 2019.

The amended Safeguards Rule contains five modifications that are designed to:

  • provide guidance to financial institutions on implementing various aspects of the Safeguards Rule and related security programs
  • improve the accountability of financial institutions by requiring the designation of a single qualified individual to oversee an institution’s data security program and provide periodic reports to boards of directors or governing bodies
  • exempt financial institutions that collect less consumer information from certain requirements
  • expand the definition of financial institutions
  • define several terms and provide examples within the Safeguards Rule itself

Of particular note is the second modification, which is designed to improve the accountability of financial institutions. It requires the appointment of a single qualified individual to oversee the institution’s data security program, and it requires that individual to report periodically to the board of directors or governing body. While periodic reporting to the board was not previously required under the Safeguards Rule, it has become a best practice not only for financial institutions but for businesses in general.

Data Security and Good Governance

This approach is not only good governance; it could also help avoid the kind of claims that have been brought in recent years against directors of several publicly held corporations over losses sustained as a result of data security breaches at the corporations those directors were charged with overseeing. In each of these cases, the plaintiff shareholders claimed that the corporation’s losses from the breach resulted from the directors’ failure to manage and/or implement appropriate data security measures and to disclose the breaches in a timely manner.

Each of these cases was ultimately dismissed on procedural grounds, and a couple were subsequently settled. Of note is that, in dismissing the claims in one case, the court stated that “director’s decisions need to be reasonable, not perfect.” This statement is consistent with the Business Judgment Rule, which protects directors from second-guessing by the courts provided their actions were reasonable.

The filing of these cases and the grounds on which liability was sought, together with the adoption of the second amendment to the Safeguards Rule, indicate that directors need to be even more diligent when it comes to data security. Going forward, understanding and managing the organization’s data security efforts will not only be best practice but, for many organizations, will be legally required.

More Than Passive Acceptance

This is not to say that directors need to be involved in the fine details of an organization’s data security efforts. They shouldn’t. However, it will be important for directors of financial institutions to act in a deliberate and knowledgeable way in identifying and exploring data security issues and the organization’s efforts to address them. This will require more than passive acceptance of the information presented by executive management and/or staff.

It will be important for directors to understand, and to insist on, the development, implementation and promotion of a security culture within the organization. That culture should be supported with appropriate resources, integrated with all business lines and functions, and accountable within the organization, to the board, and to the organization’s ultimate beneficiaries. The board or a committee of the board should oversee the process, ensuring that management effectively carries out these objectives and holding senior management accountable both for implementing the programs and for any failure to do so.

Management should report to the board at least annually, and preferably quarterly, on its risk assessment process, including:

  • threat identification and assessment
  • risk management and control decisions, including risk acceptance and avoidance
  • third-party service provider arrangements that are integrated into the data security program
  • the results of any testing
  • any security breaches or violations of law or regulation, and management’s response to them

These amendments to the Safeguards Rule make it imperative that all financial institutions not only ensure an effective data security program is in place, but also make data security and the protection of consumer information an organization-wide effort and culture in which the board is actively involved.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
