FTC Amends GLBA’s Safeguards Rule

 Privacy Plus+

Privacy, Technology and Perspective

FTC Amends GLBA’s Safeguards Rule The Federal Trade Commission has updated the data security requirements for financial institutions, amending the Standards for Safeguarding Customer Information (“Safeguards Rule” or “Rule”) under the Gramm-Leach-Bliley Act (GLBA).  A link to the amendment, which includes a summary of it, follows:

https://www.ftc.gov/system/files/documents/federal_register_notices/2021/10/safeguards_rule_final.pdf

The current Rule is modified in five primary ways:

  1. More Guidance. The Rule now includes more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.

  2. Single Qualified Individual. The Rule now requires the designation of a single “Qualified Individual” to be responsible for the information security program, and periodic reports to boards of directors or equivalent governing bodies about the overall status of the information security program and financial institution’s compliance with the Safeguards Rule, as well as material matters related to the information security program.

  3. Exemptions. The Rule now exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, written incident response plan, and annual reporting to the Board of Directors.

  4. Definitions. The Rule expands the definition of a “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities (e.g., “finders” whom borrowers engage to search out sources of money).

  5. Central Reference. The Rule adds definitions and examples and includes them in the Rule itself, rather by reference to a different document.

None of these amendments is very surprising, as they have been in the works for five (5) years or more. Nor are they likely to cause much consternation since they largely adopt what have come to be seen as best practices.

These amendments’ main effect is likely to be to extend across the federal level an existing trend toward more-detailed and specific requirements set by influential state regulators, such as the New York State Department of Financial Services (NY-DFS).  23 NYCRR 500 has long contained specific (though non-exhaustive) requirements for what financial institutions subject to NY-DFS jurisdiction must include in their overall information security policy. Some state insurance regulators have imposed similarly-specific requirements upon insurers operating in their states.

Of course, the tightened, more-specific requirements won’t find favor everywhere. “Finders” probably won’t like them, as the new requirements will impose strictures that finders haven’t confronted before. Pawnbrokers especially may not like them: they already have to report every “pawn transaction” to local law enforcement, and local law enforcement typically prefers to receive that information un­encrypted and “in the clear.” The FTC considered but dismissed this objection with the regulatory equivalent of a soft smile, explaining that if transmission of such information in the clear is only a local law enforcement “preference” and isn’t actually required by applicable (local) law, then the pawnbrokers won’t contravene any applicable (local) law by henceforth sending it encrypted, as the Safeguards Rule will now require.  And the wireless communications industry association objected to requiring multi-factor authentication (MFA), largely for concern that it would cost too much to configure existing systems to require it. The FTC was wholly unmoved and will require MFA anyway.

The Final Rule containing the amendments and supporting explanation is 145 pages long, so as always, practitioners who represent financial institutions should study it carefully.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

                                                   

Previous
Previous

Board Oversight of Cyber Risk – A Matter of Personal Liability for Directors

Next
Next

More Privacy and Cybersecurity Issues in M&A