The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (“Safeguards Rule”), which applies to financial institutions as defined in the Rule, designed to strengthen security for consumer financial information following a recent uptick in data breaches.
The amendments contain four main modifications to the existing Rule that outline additional protections financial institutions must implement when handling sensitive consumer data.
- First, the amendments provide financial institutions with additional guidance on developing and implementing an information security program, including access controls, authentication, and encryption.
- Second, the amendments increase accountability by requiring periodic reports by financial institutions to boards of directors or governing bodies regarding information security programs.
- Third, the amendments expand the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, including “finders”—i.e. brokers or other companies that bring together buyers and sellers of a product or service.
- Fourth, the amendments reduce the burdens on financial institutions that collect small amounts of customer information by exempting them from certain requirements.
According to Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, the amendments “detail common-sense steps” that financial institutions and other entities that collect sensitive consumer data “must implement to protect consumer data from cyberattacks and other threats.”
The amendments were passed 3-2 by the FTC, even though Rohit Chopra departed to head up the Consumer Financial Protection Bureau and the agency temporarily has only four commissioners. Pursuant to the FTC’s arcane rules, if Chopra weighed in on pending proceedings before he exited, his votes continue to count and the Democrats continue to have a “majority” even though he has left. The agency’s rules do not impose a time limit on the release of votes cast by a commissioner before they left the commission. Chopra’s replacement, privacy expert Alvaro Bedoya, has been nominated but his confirmation hearing has not yet been scheduled.
Both Republican Commissioners, Noah Joshua Phillips and Christine S. Wilson, dissented from the amendments. In a joint statement, they expressed concerns that the “new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”
The amendments continue the trend of expanded use of the FTC’s rulemaking authority under FTC Chair Khan. They follow the recent issuance of the FTC’s policy statement clarifying the FTC’s position that health apps and related connected devices are subject to the Health Breach Notification Rule, which requires vendors of personal health records (“PHR”) and PHR-related entities to notify U.S. consumers, the FTC, and, in cases of certain breaches involving over 500 consumers, the media, if there has been a breach of unsecured identifiable health information. These actions, combined with the increased focus on privacy concerns, have spurred discussions about the potential need to create a bureau of privacy within the FTC, an idea wholeheartedly supported by David Vladeck, a former Director of the Bureau of Consumer Protection, during a Senate Commerce Subcommittee hearing in September titled Protecting Consumer Privacy.
Regardless of whether the FTC creates a new bureau dedicated to privacy concerns, companies that collect or store consumer data should expect significantly increased scrutiny if they are not safeguarding that data.