In March, the Federal Trade Commission announced proposed updates to two key privacy and security regulations, the Safeguards Rule and the Privacy Rule. Both rules implement the federal Gramm-Leach-Bliley Act, and the FTC is seeking public comment on both proposals.
The FTC's proposed update to the Safeguards Rule would impose a number of information security requirements modeled in part on New York's Cybersecurity Regulations. These include requirements to:
- designate a Chief Information Security Officer, who must report annually, in writing, to the board of directors or an equivalent governing body on the status of the institution's information security program;
- develop an information security program based on a written risk assessment;
- oversee service providers, including periodic risk assessments of the continuing adequacy of service providers’ safeguards; and
- develop a written incident response program.
The new Safeguards Rule would require a financial institution’s information security program to include the following elements:
- access controls;
- data, personnel, device, systems and facilities management;
- encryption of all customer information both in transit and at rest;
- adoption of secure development practices;
- “multi-factor authentication for any individual accessing customer information”;
- audit trails to detect and respond to cybersecurity events;
- limited retention of customer information and secure disposal techniques; and
- “policies, procedures and controls” designed to monitor user activity and detect unauthorized access or use of customer information.
These and other detailed requirements could have significant impacts on companies engaged in financial activities over which the FTC claims authority. Such companies include mortgage brokers and lenders, finance companies, payday lenders, check cashers and wire transferors, collection agencies, tax preparers, non-federally insured credit unions, and certain investment and financial advisors. The updated Safeguards Rule provides limited exceptions to certain requirements for companies that maintain customer information on fewer than five thousand individuals.
Proposed updates to the Privacy Rule address the annual privacy notice requirements and clarify the limited scope of the FTC's rulemaking authority under Gramm-Leach-Bliley. These updates reflect amendments to Gramm-Leach-Bliley made by the 2010 Dodd-Frank Act and the 2015 FAST Act. In keeping with the narrowing of the FTC's rulemaking authority under Dodd-Frank, the updated Privacy Rule removes references to financial institutions that are not motor vehicle dealers. Based on the FAST Act, the FTC would additionally update the Privacy Rule to remove the requirement to provide annual privacy notices in certain circumstances. These updates to the annual privacy notice requirements substantially reflect the FTC's adoption of the (previously-blogged) CFPB approach to the FAST Act.