chevron-down Created with Sketch Beta.
December 16, 2021 Practice Points

FTC Amends Standards for Safeguarding Customer Information

The key changes will become effective one year after the Final Rule is published in the Federal Register.

By Alexander (Sandy) R. Bilus

On October 27, 2021, the Federal Trade Commission (FTC) issued a Final Rule amending the Standards for Safeguarding Customer Information (also known as the Safeguards Rule), 16 C.F.R. Part 314. The Safeguards Rule sets the standards for administrative, technical, and physical protections for customer information collected and used by all financial institutions that are subject to the FTC’s enforcement authority under the Gramm Leach Bliley Act (GLBA).

The FTC’s Final Rule modifies the Safeguards Rule in several key ways:

Expanded definition of “financial institution.”

Under the Final Rule, the definition of “financial institution” subject to the enforcement authority of the FTC  is expanded to include entities that are “finders”—i.e., companies that bring together buyers and sellers of a product or service.  Accordingly, the “financial institutions” that are subject to the FTC’s enforcement authority now include, but are not limited to, mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.

New requirements for information security programs.

Under the Final Rule, financial institutions must now consider specific criteria as part of their risk assessment process, including (1) criteria for the evaluation and categorization of identified security risks or threats, (2) criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls, and (3) requirements for describing how identified risks will be mitigated or accepted based on the assessment and how the information security program will address the risks.  Such risk assessments also must now be in writing.  The Final Rule also requires institutions to design and implement specific safeguards to control the identified risks, including: (1) access controls to permit access only to authorized users, (2) data inventory and classification according to importance to business objectives and risk strategy, (3) encryption of customer information both in transit and at rest, (4) secure development practices for in-house developed applications, (5) multi-factor authentication, (6) procedures for secure disposal of customer information, (7) change management procedures, (8) activity monitoring and logging, (9) regular testing of the safeguards’ effectiveness, and (10) a written incident response plan.  The Final Rule also includes new mechanisms meant to ensure that employee training and oversight of service providers are effective.

New accountability for information security programs.

The Final Rule will require financial institutions to designate a single “Qualified Individual” who is responsible for oversight and implementation of the information security program.  The Final Rule also requires that the Qualified Individual periodically report to the board of directors to help raise awareness and make it more likely that financial institutions will allocate appropriate resources for information security.

Exemptions for smaller institutions.

Financial institutions that collect information on fewer than 5,000 consumers are exempted from the Final Rule’s new requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors.

The key changes will become effective one year after the Final Rule is published in the Federal Register.  The FTC’s announcement of the Final Rule can be viewed here, and the Final Rule itself can be viewed here.

If you have questions about the Final Rule, please contact the author of this article.

Alexander "Sandy" Bilus is a partner with Saul Ewing in Philadelphia, Pennsylvania.

Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).