The Federal Trade Commission (FTC) in the United States has amended its Safeguards Rule, which sets cybersecurity standards for non-banking financial institutions. Essentially, the amended Safeguards Rule adds specificity about what is required to comply with the administrative, physical and technical standards of a compliant information security program. The new Safeguards Rule will take effect a year after its publication in the Federal Register. Notably, the new Safeguards Rule also contains significant new definitions. The FTC press release states, in relevant part:
The FTC’s updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The changes adopted by the Commission to the Safeguards Rule include more specific criteria for what safeguards financial institutions must implement as part of their information security program, such as limiting who can access consumer data and using encryption to secure the data. Under the updated Safeguards Rule, institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.

The Safeguards Rule was mandated by Congress under the 1999 Gramm-Leach-Bliley Act. Today’s updates are the result of years of public input. In 2019, the FTC sought comment on proposed changes to the Safeguards Rule and, in 2020, held a public workshop on the Safeguards Rule.

In addition to the updates, the FTC is seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission. The FTC is issuing a supplemental notice of proposed rulemaking, which will be published in the Federal Register shortly. The public will have 60 days after the notice is published in the Federal Register to submit a comment.
The new Safeguards Rule is available here. Notably, there is legislation before the U.S. Congress that would substantially increase the budget of the FTC, in part to deal with privacy and cybersecurity issues.