U.S. Federal Trade Commission Releases New Safeguards Rule for Non-Banking Financial Institutions

The Federal Trade Commission (FTC) in the United States has changed the regulations concerning the Safeguards Rule relating to cybersecurity standards for non-banking financial institutions.  Essentially, the new Safeguards Rule contains additional specificity regarding what is required to comply with the contextual administrative, physical and technical standards for a compliant information security program.  The new Safeguards Rule will be effective a year from publication in the Federal Register. Notably, the new Safeguards Rule contains significant new definitions. The FTC press release states, in relevant part:  

The FTC’s updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The changes adopted by the Commission to the Safeguards Rule include more specific criteria for what safeguards financial institutions must implement as part of their information security program such as limiting who can access consumer data and using encryption to secure the data. Under the updated Safeguards Rule, institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.

The Safeguards Rule was mandated by Congress under the 1999 Gramm-Leach-Bliley Act. Today’s updates are the result of years of public input. In 2019, the FTC sought comment on proposed changes to the Safeguards Rule and, in 2020 held a public workshop on the Safeguards Rule.

In addition to the updates, the FTC is seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission. The FTC is issuing a supplemental notice of proposed rulemaking, which will be published in the Federal Register shortly. The public will have 60 days after the notice is published in the Federal Register to submit a comment.

The new Safeguards Rule is available, here. Notably, there is legislation before the U.S. Congress to massively increase the budget of the FTC to deal, in part, with privacy and cybersecurity issues.