The Federal Trade Commission (FTC) recently finalized changes to the data security requirements for financial institutions by revising the Safeguards Rule (Rule) issued under the Gramm-Leach-Bliley Act (GLBA). The GLBA is designed to protect the privacy and security of consumer financial information held by financial institutions. The FTC's Rule applies to the non-bank financial institutions within its jurisdiction (banks and credit unions are supervised by the federal banking agencies), and that category is broad: it reaches mortgage lenders and brokers, payday lenders, auto dealers that extend credit, tax preparers, collection agencies, and many other companies that most people would not think of as financial institutions. In adopting the new security rules, the FTC recognized that “[i]n recent years, widespread data breaches and cyberattacks have resulted in significant harms to consumers, including monetary loss, identity theft, and other forms of financial distress.”
Previously, the Rule was light on details and contained only general language requiring companies to implement appropriate data security measures. This left the financial industry uncertain about what was actually required, with regulators filling the gap through ad hoc enforcement actions and guidance. The new Rule contains detailed requirements, including that covered financial institutions must:
The Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board has determined to be “incidental to” financial activities. A company falls under the definition if it is “significantly engaged in activities incidental to” financial activities. This change brings entities such as “finders” (companies that bring together buyers and sellers of a product or service) within the scope of the Rule. Finder activity has grown substantially with the expansion of the Internet and online marketing in the years since the Rule was first adopted. Finders often collect and maintain highly sensitive consumer financial information, and they will now have to comply with the Safeguards Rule's requirements to protect it.
A particular concern of the business community during the rulemaking was the extent to which companies would be required to report data security breaches. Both the industry and the FTC recognize the tension between the benefits of sharing information about security breaches and the confidentiality and security risks inherent in providing such information to the government or making it public. The FTC did not adopt a breach reporting requirement in the final Rule, but it is seeking comment on whether financial institutions should be required to report certain data breaches and other security events.
The Rule was overdue for an update: it had not been substantively modified since the FTC first issued it in 2002 under the GLBA, which Congress passed in 1999. The revisions bring the Rule more in line with other data security regulations, including the HIPAA Security Rule and New York's cybersecurity regulation for financial services companies (23 NYCRR Part 500), as well as prevailing industry standards such as the NIST Cybersecurity Framework and ISO/IEC 27001. While the new requirements apply only to companies governed by the GLBA, they also provide useful guidance on data security measures and safeguards that organizations in every industry should consider adopting.
Some provisions of the amended Rule, including those that require implementing specific safeguards, undertaking a written risk assessment, designating a Qualified Individual to oversee the information security program, and conducting either continuous monitoring or annual penetration testing together with vulnerability assessments at least every six months, take effect one year after the Rule's publication in the Federal Register. The FTC announced the final Rule on October 27, 2021, and it was published in the Federal Register on December 9, 2021, so those provisions take effect on December 9, 2022. The remaining provisions took effect 30 days after publication.