On October 27, 2021, the FTC released its much-anticipated final revisions to the Gramm-Leach-Bliley Safeguards Rule (Safeguards Rule or Final Rule), following a 3-2 vote along party lines, and also released a notice of proposed rulemaking that would require reporting of certain cybersecurity events to the FTC.
Revisions to the Safeguards Rule
Effective since 2003, the Safeguards Rule (16 CFR Part 314) requires covered financial institutions to develop, implement, and maintain a reasonably designed, comprehensive, written information security program (WISP) with appropriate administrative, technical, and physical safeguards relating to customer information. Financial institutions subject to FTC enforcement of the Safeguards Rule are entities that are not otherwise subject to enforcement of another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. These include mortgage lenders, “pay day” lenders, finance companies, account servicers, wire transferors, collection agencies, and investment advisors exempt from SEC registration, for example. The Final Rule represents a significant shift to more prescriptive requirements for information security and is the culmination of a multi-year effort by the FTC to amend the rule. These changes to the Safeguards Rule were first proposed in a notice of proposed rulemaking and request for comment in March 2019.
Notably, the Final Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, which harmonizes the FTC rule with other federal agencies’ Safeguards Rules, which already include such activities in their definition of financial institution. Going forward, the Final Rule applies to “finders,” i.e., companies that bring together buyers and sellers “of any product or service for the transactions that the parties themselves negotiate and consummate” (paragraph (f), modeled on 12 CFR 225.86(d)(1)). Because the Safeguards Rule applies only to customer relationships and to transactions that are “for personal, family, or household purposes,” finding services involving consumer transactions for customers (i.e., consumers with whom a financial institution has an ongoing relationship) will now be covered by the Safeguards Rule.
The overall effect of the Final Rule is to generally align the Safeguards Rule with the New York State Division of Financial Services Cybersecurity Requirements (23 NYCRR 500, the “NYDFS Cybersecurity Regulations”), which set prescriptive information security requirements, including the requirement to implement multifactor authentication (MFA) for access to a financial institution’s information system and to encrypt customer information in transit and at rest. In both instances, the FTC modeled its revised rule on the NYDFS Cybersecurity Regulations and adopted language that closely tracks them regarding these controls, including the limited carve-outs for reasonably equivalent controls instead of MFA and for alternative compensating controls where encryption may be infeasible.
However, the FTC’s Safeguards Rule is more prescriptive than the NYDFS Cybersecurity Regulations in its requirement for annual reporting to a company’s Board by the designated “Qualified Individual,” who is responsible for the implementation, management, and enforcement of the information security program. In contrast to the NYDFS regulations, which provide five topics to consider including in the annual Board report, the Final Rule specifies that the required report to the Board shall include discussion of the overall status of the information security program, compliance with the Safeguards Rule, and material matters related to the information security program. Then, in furtherance of the discussion of material issues, it provides seven areas as examples for inclusion in the report, including management’s responses to these issues and any recommendations for changes to the information security program. The Final Rule release indicates that the FTC recognizes the need for senior management to be well-informed regarding the information security program, and that with that awareness, it is more likely that the information security program will receive the necessary resources.
Although as of this writing the Final Rule has not yet been published in the Federal Register, certain sections of the Final Rule will take effect 30 days from its publication in the Federal Register. These include:
Financial institutions will have one year to come into compliance with the following sections, as they will not take effect until one year from publication of the Final Rule in the Federal Register:
Note that the written risk assessment, continuous monitoring and penetration testing, and annual certification requirements do not apply to financial institutions that maintain customer information for fewer than 5,000 consumers.
Republican Commissioners’ Dissents
The objections of the two dissenting Commissioners, Christine Wilson and Noah Phillips, focused on the prescriptive requirements, raising concerns that introducing prescriptive requirements into the rule could have the unintended consequences of weakening risk management functions and undermining a financial institution’s ability to tailor its information security program based on its risk assessment. The Commissioners also argued that it was premature to adopt NYDFS-like requirements, as there was insufficient data to assess the impact and efficacy of the NYDFS rules. Finally, the dissenting Commissioners expressed the view that, given increased legislative interest and Congressional activity in data security, “intrusive mandates are best left to the people’s representatives rather than to the vagaries of the administrative rulemaking process.”
Proposed Cybersecurity Event Reporting Requirement
In conjunction with the issuance of the Final Rule, the FTC has also issued a notice of supplemental rulemaking to consider instituting an obligation to report to the FTC any cybersecurity event in which the covered financial institution determines that customer information has been misused or is reasonably likely to be misused and 1,000 or more consumers have been affected or reasonably may be affected by the security incident. This reporting standard, based on a determination of misuse or reasonable likelihood of misuse of customer information, is identical to the current standard for customer notices under the Interagency Guidelines Establishing Information Security Standards; accordingly, the proposed rule is limited to establishing FTC reporting requirements and does not separately define “customer information” or revise the criteria for customer notifications. However, by aligning the criteria for notification to the FTC with the customer notification criteria, the proposed rule would differ from the regulator notification criteria to which other, non-FTC-regulated financial institutions are subject, including in the banking and insurance sectors.
The FTC previously sought comment, in connection with its amendments to the Safeguards Rule, on the timing, criteria, and nature of reporting cybersecurity events to the FTC. The FTC is now proposing to require financial institutions to report certain cybersecurity events to the FTC “as soon as possible and no later than 30 days” following discovery of the event. The FTC’s rationale for reporting is to ensure that the FTC becomes aware of cybersecurity events that “could suggest a financial institution’s security program does not comply with the Rule’s requirements,” which in turn would facilitate FTC enforcement of the Rule. As a further justification for this rule, the FTC noted the patchwork of state data breach reporting statutes, under which regulatory reporting to state Attorneys General may vary, but it proposes to require the same type of information to be reported to the FTC as is generally required under state regulatory notice requirements. The FTC further proposes to make this information publicly available. Once the notice is published in the Federal Register, commenters have 60 days to submit comments to the FTC.