Alston & Bird Privacy, Cyber & Data Strategy Blog

Update: FTC Amendments to the Safeguards Rule and Request for Comment on Proposed Reporting Requirement Published to the Federal Register

By , , and

As an update to prior coverage of the FTC’s final revisions to the Gramm-Leach-Bliley Safeguards Rule (Final Rule), following its publication in the Federal Register on December 9, 2021, the Final Rule now will take effect on January 8, 2022, 30 days after publication in the Federal Register.

Revisions to the Final Rule include an expansion of the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, harmonizing the rule with other federal agencies’ Safeguards Rules. This includes application of the Final Rule to “finders,” or companies that bring together buyers and sellers “of any product or service for the transactions that the parties themselves negotiate and consummate.” Additionally, financial institutions must comply with sections 4(d)(1) the updated testing and monitoring, 4(f)(1)-(2) service provider oversight, and 4(g) re-evaluation of Written Information Security Program (WISP) sections beginning 30 days after publication date. Financial institutions are given a year, however, to come into compliance with the following sections: 4(a) qualified individual, 4(b)(1) risk assessments, 4(c)(1)-(8) required safeguards, 4(d)(2) monitoring, 4(e) training, 4(f)(3) service provider, 4(h) incident response plan, and 4(i) qualified individual report. For a more detailed description of what each section effectively requires, please see our post from November.

The FTC’s request for comment on the proposed reporting requirement of certain cybersecurity events was also published on December 9, 2021, and commenters have 60 days to submit comments to the FTC. The proposed reporting obligation would require a covered financial institution to report a cybersecurity event in which it determines customer information has been misused or is reasonably likely to be misused and the information of 1,000 or more consumers has been affected or reasonably may be affected by the security incident. Financial institutions would be required to provide the Commission: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information of the reporting financial institution; (3) if the information is possible to determine, the date or date range of the security event; and (4) a general description of the security event. The FTC further proposes to make this information publicly available.

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.

[Read Bio]

About Kathleen Benway

Kathleen Benway is a partner with Alston & Bird’s Litigation & Trial Practice Group. She concentrates her practice on government investigations and corporate compliance related to consumer protection issues, including privacy, security, advertising, and marketing. She is a former chief of staff at the FTC’s Bureau of Consumer Protection.

[Read Bio]

About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. . She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.

[Read Bio]

About Kristen Bartolotta

Kristen Bartolotta is an associate in Alston & Bird’s Privacy, Cyber & Data Strategy Team. She advises clients on managing privacy and cyber risk, breach investigations and response, transactional diligence, and emerging technologies. Kristen also advises on privacy and security compliance at the state, federal, and international levels.

[Read Bio]