In a much-anticipated announcement last week, the FTC amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and proposed a further amendment that would require certain financial institutions to notify the FTC of certain security events. Although these changes were announced after FTC Commissioner Chopra left the agency to lead the CFPB, he apparently voted before leaving to ensure 3-2 approval of the amendments in a Commission that remains divided.
What is GLBA Safeguards?
For nearly 20 years the Safeguards Rule has required financial institutions to develop, implement, and maintain comprehensive information security programs to protect their customers’ personal information. Such programs must be appropriate to each entity’s “size and complexity, the nature and scope of [its] activities, and the sensitivity of the customer information at issue.” For a generation, the Rule’s requirements have influenced data security standards in other sectors, emphasizing a flexible, process-based approach. The amended Rule replaces some of that flexibility with more specificity.
Violations of the Safeguards Rule are enforced through the FTC Act. Unlike other FTC rule violations, Safeguards violations are not subject to civil penalties.
The definition of “financial institutions” is broad. It includes businesses that are “significantly engaged” in financial activities or significantly engaged in activities incidental to financial activities, which include businesses as diverse as real estate settlement services, credit counseling services, and professional tax preparers. The amendments expand the definition of financial institutions to expressly include “finders,” which are companies that bring together buyers and sellers of a product or service for personal, family, or household purposes, in a manner that is incidental to financial activities, such as a lead generator that helps consumers find a financial institution for a home mortgage or car insurance.
FTC’s Changes to the Rule’s Requirements
The FTC’s amended Rule, which takes effect one year after its publication in the Federal Register, makes significant substantive changes in four general areas. The changes largely follow the agency’s 2019 Notice of Proposed Rulemaking, which we summarized here in 2019:
- First, it adds more specific requirements related to the design and implementation of a safeguards program, including:
  - Access Controls. Periodic review of access controls, including “technical and physical controls” to limit access only to authorized users and only to necessary customer information.
  - Data and Systems Inventory. Inventory of the data in the financial institution’s possession, the systems on which (and facilities where) that data is collected, stored, or transmitted, and an understanding of the relevant portions of applicable systems and their importance.
  - Encryption. Encryption of all customer information in transit and at rest. If encryption is not feasible, implementation of comparable controls with the approval of the “Qualified Individual” (see the description of this role below).
  - Multi-Factor Authentication. Implementation of MFA to access any information system, or equivalent or stronger controls.
  - Secure Applications. Adoption of secure development practices for applications developed in-house and assessment of externally developed applications.
  - Change Management. Adoption of procedures governing changes to a company’s safeguards.
  - Intrusion Detection. If a company is unable to implement “effective continuous monitoring . . . to detect . . . changes in information systems that may create vulnerabilities,” it must perform annual penetration testing and twice-yearly vulnerability assessments.
  - Incident Response. Development of a written incident response plan that meets specific criteria.
- Second, it adds provisions requiring appointment of a single “Qualified Individual” to oversee the program and report to the board of directors or equivalent governing body.
- Third, it exempts from some of the Rule’s requirements entities that collect information from fewer than 5000 customers.
- Finally, the Rule sets forth many terms and related examples in the Rule itself rather than incorporating them by reference.
Commissioners Phillips and Wilson dissented from approval of the final rule, expressing concern that the new requirements could weaken data security by “diverting finite resources towards a check-the-box compliance exercise and away from” tailored risk management. They explained that the record did not support the Rule revisions.
FTC Proposes New Notification Requirement
Simultaneously with its release of the above amendments, the FTC proposed a further amendment to require financial institutions to report certain security events to the FTC within 30 days of discovery. In its Supplemental Notice of Proposed Rulemaking, the FTC recommended that when a financial institution determines that misuse of customer information has occurred or is reasonably likely, and at least 1,000 consumers have been or may reasonably be affected, the financial institution must notify the agency. The FTC reasoned that this proposed requirement would impose “little additional burden” while facilitating the agency’s enforcement of the underlying Rule. The FTC anticipates making the reported information public through a database it would “update periodically.” The proposed notification requirement would not allow any delay of the 30-day reporting obligation for financial institutions cooperating with law enforcement.
The FTC seeks comments on its proposed notification requirement, including on the following:
- Whether the information proposed to be submitted to the Commission is over- or under-inclusive.
- Whether the FTC calibrated the notice trigger correctly: should it account for events in which misuse is not likely (e.g., encrypted data), and should it require notice only when a company must also notify a governmental entity under another state or federal requirement?
- The timing of the notice period, i.e., whether a shorter period is practicable.
- Whether the requirement should allow law enforcement agencies to prevent or delay notification, and, relatedly, whether information reported to the Commission should be kept confidential in some circumstances.
- The extent to which the Commission should require notification to consumers.
The deadline to submit written comments is 60 days after the notice is published in the Federal Register.
Why Do the Changes and the FTC’s Proposal Matter?
Although the Safeguards Rule is limited to financial institutions, the granularity of the controls announced is likely to influence financial institutions’ contract terms. On a practical level, the new Safeguards Rule may serve as a model for data security standards in other sectors; the proposed notification requirement may set the stage for additional burdens on financial institutions and other firms; and the Rule changes could affect the scope of state privacy laws, some of which exempt data covered by the Gramm-Leach-Bliley Act from their requirements. Further, while the Safeguards Rule does not include civil penalties, businesses should take note of the various efforts underway at the agency to create a basis for asserting civil penalties under a variety of scenarios, as we’ve discussed, for example, here (notice to companies about earnings and endorsement claims), here (what notice about penalty offenses means), and here (GLBA pretexting).