Alston & Bird Privacy, Cyber & Data Strategy Blog

Update: FTC Amendments to the Safeguards Rule and Request for Comment on Proposed Reporting Requirement Published to the Federal Register

December 15, 2021 By Kim Peretti, Kathleen Benway, Kate Hanniford and Kristen Bartolotta

As an update to our prior coverage of the FTC’s final revisions to the Gramm-Leach-Bliley Safeguards Rule (Final Rule): the Final Rule was published in the Federal Register on December 9, 2021, and will therefore take effect on January 8, 2022, 30 days after publication.

Revisions in the Final Rule include an expansion of the definition of “financial institution” to cover entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, harmonizing the rule with other federal agencies’ Safeguards Rules. This brings “finders” within the Final Rule, i.e., companies that bring together buyers and sellers “of any product or service for the transactions that the parties themselves negotiate and consummate.” Compliance obligations are phased in. Financial institutions must comply with sections 4(d)(1) (updated testing and monitoring), 4(f)(1)-(2) (service provider oversight), and 4(g) (re-evaluation of the Written Information Security Program (WISP)) beginning 30 days after the publication date. Financial institutions have one year, however, to come into compliance with the following sections: 4(a) (qualified individual), 4(b)(1) (risk assessments), 4(c)(1)-(8) (required safeguards), 4(d)(2) (monitoring), 4(e) (training), 4(f)(3) (service provider oversight), 4(h) (incident response plan), and 4(i) (qualified individual report). For a more detailed description of what each section effectively requires, please see our post from November.

The FTC’s request for comment on the proposed requirement to report certain cybersecurity events was also published on December 9, 2021, and commenters have 60 days from publication to submit comments to the FTC. The proposed reporting obligation would require a covered financial institution to report a cybersecurity event in which it determines that customer information has been misused or is reasonably likely to be misused and that the information of 1,000 or more consumers has been affected or reasonably may be affected by the security event. Financial institutions would be required to provide the Commission with: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information involved in the security event; (3) the date or date range of the security event, if it is possible to determine; and (4) a general description of the security event. The FTC further proposes to make this reported information publicly available.

Filed Under: Cyber Risk, Cybersecurity, Data Security, Enforcement

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.


About Kathleen Benway

Kathleen Benway is a partner with Alston & Bird’s Litigation & Trial Practice Group. She concentrates her practice on government investigations and corporate compliance related to consumer protection issues, including privacy, security, advertising, and marketing. She is a former chief of staff at the FTC’s Bureau of Consumer Protection.


About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.


About Kristen Bartolotta

Kristen Bartolotta is an associate in Alston & Bird’s Privacy, Cyber & Data Strategy Team. She advises clients on managing privacy and cyber risk, breach investigations and response, transactional diligence, and emerging technologies. Kristen also advises on privacy and security compliance at the state, federal, and international levels.

Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.