US Federal Trade Commission Updates Safeguards Rule for Consumer Financial Information

The US Federal Trade Commission (the FTC) released the text of a Final Rule (the Final Rule) on October 27, 2021, amending the Standards for Safeguarding Consumer Information (the Safeguards Rule). Since 2003, the Safeguards Rule has set the data security standards applicable to certain non-banking financial institutions, as defined under the Gramm-Leach-Bliley Act of 1999 (GLBA). Non-banking financial institutions include, for example, creditors, debt collectors, mortgage companies, and mortgage brokers, but not banks, savings and loan institutions, or federal credit unions. The Safeguards Rule governs the protection of the security and confidentiality of the “nonpublic personal information” (NPI) of customers of covered entities. See 16 C.F.R. Part 314. The Final Rule represents the product of several years’ work, since the FTC first issued a Notice of Proposed Rulemaking and request for public comment in April 2019, followed by a public workshop on the proposed changes in July 2020.

Key takeaways from the Final Rule include the following:

• Institutions subject to the Safeguards Rule should be aware that the Final Rule, which was adopted in a divided, 3-2 vote by the FTC, appears to signal a broader shift by the FTC to imposing “more specific criteria” with respect to data security under the GLBA. See FTC, Press Release (October 27, 2021). The FTC notes that, in response to the 2019 Notice of Proposed Rulemaking, industry groups criticized the FTC’s proposed approach as “too prescriptive [and] lack[ing] flexibility.” See, g., Final Rule at 27-28. Moreover, the two dissenting Commissioners issued a joint statement suggesting that, as drafted, the Final Rule adopts a “check-the box” and more “intrusive” approach to data security. See, e.g., Joint Statement at 2, 9. The dissenting Commissioners state that the Final Rule departs from the FTC’s historically more “flexible,” “principle-based approach” to oversight in this area.
• Some of the areas where the Final Rule imposes “more specific criteria” include the mandate that covered entities appoint a single “Qualified Individual” to oversee the entity’s information security program, see 314.4(a); a range of additional testing and monitoring requirements, see §§ 314.4(b), (d), (g); a mandate that all covered entities implement certain specific safeguards, see §§ 314.4(c)(1)-(8); additional training and educational requirements for security staff, see § 314.4(e); periodic assessments of service providers for compliance with the security program, see § 314.4(f)(3); the requirement that covered entities implement a written incident response plan with seven mandatory components, see § 314.4(h); and the requirement that the Qualified Individual make regular reports on data security to the entity’s board or other governing body, see § 314.4(i).
• Some of the changes announced by the Final Rule are scheduled to take effect within 30 days of the formal publication of the Final Rule in the Federal Register, while others are scheduled to take effect within one year of publication (as indicated below). However, the Final Rule has not yet been published in the Federal Register, so the precise dates on which it will become binding on covered entities are not yet clear. Given the scope of the changes, companies would be well-served to review their compliance with the Final Rule as soon as possible.

We note that the FTC’s changes are broadly consistent with the more prescriptive approach to data security adopted in New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 N.Y.C.R.R. Part 500, as companies familiar with the Cybersecurity Regulation may be aware. Compare, for example, the NYSDFS requirement that covered entities appoint a “Chief Information Security Officer” with the requirement in the Final Rule that covered entities appoint a “Qualified Individual” to oversee the information security program. The NYDFS Cybersecurity Regulation came into force in 2017.

Summary of certain changes taking effect within 30 days of publication in the Federal Register

The following is a summary of certain of the changes that will take effect within 30 days of publication of the Final Rule.

• 314.1(b) – Expanded scope

Revised Section 314.1(b) specifically provides that “financial institutions” include institutions engaged in activities “incidental” to covered financial activities, as defined in Section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).

• 314.2 – Expanded definitions

The Final Rule generally harmonizes definitions under the Safeguards Rule with the Privacy Rule (see 16 C.F.R. Part 313) while adding a number of new definitions. For example, the Final Rule defines multi-factor authentication as including two of three enumerated types of authentication factors (knowledge factors, such as a password; possession factors, such as a token, and/or inherence factors, such as biometric characteristic). Similarly, the term “financial institution” is expanded to bring the activity of “finding” within the scope of the Safeguards Rule, as defined in 12 C.F.R. § 225.86(d)(1), i.e., an activity that is incidental to covered financial activities under the Bank Holding Company Act. Finally, we note that while the encryption requirements are new, the FTC has not mandated any specific standard of encryption in the Final Rule.

• 314.3 – Written information security program

Section 314.3 requires covered entities to “develop, implement, and maintain a comprehensive information security program that is written . . . and contains administrative, technical, and physical safeguards” that are appropriate to each individual company. Notably, this section provides that each company’s information security program “shall include the elements set forth in section 314.4 . . . .” While the mandate in Section 314.3 takes effect within 30 days, the elements of an information security program under Section 314.4 largely take effect within one year.

• 314.4(b)(2), (d)(1) – Additional testing requirements

While most required elements of the mandated information security program (see § 314.4) must be implemented within one year of the publication of the Final Rule, Sections 314.4(b)(2) and 314.4(d)(1) must be implemented within 30 days of publication. Paragraph (b)(2) generally requires covered entities to “perform additional risk assessments” to identify any “reasonably foreseeable” internal and external risks to customer information held by the covered entity that could lead to unauthorized disclosure, misuse, alteration, or destruction of such information, and to “reassess the sufficiency” of safeguards that have been implemented. Paragraph (d)(1) in turn requires covered entities to “[r]egularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures,” including procedures to detect actual and attempted attacks or intrusions.

• 314.4(g) – Adjustments to information security program

Paragraph (g) requires covered entities to “[e]valuate and adjust” their information security program based upon the testing and monitoring required under paragraph (d) and the risk assessments performed under paragraph (b)(2), in addition to any other “material changes” to the company’s operations or business arrangements or circumstances that a covered entity knows or has reason to know “may have a material impact” on the information security program.

Summary of certain changes taking effect within one year of publication in the Federal Register

The following is a summary of certain of the changes that will take effect within one year of publication of the Final Rule.

• 314.4(a) – Appointment of a “Qualified Individual”

In order to promote “improve[d] accountability,” the Final Rule requires that a covered entity appoint a single “Qualified Individual” to oversee the entity’s information security program. The Qualified Individual may be employed by the covered entity, an affiliate, or a service provider. If employed by an affiliate or service provider, the covered entity must retain responsibility for compliance and perform oversight. Previously the Safeguards Rule required covered entities to appoint one or more employees to be responsible for the company’s information security program.

• 314.4(c)(1)-(8) – Eight specific safeguards that must be implemented

Previous versions of the Safeguards Rule generally required covered entities to undertake a risk assessment and develop and implement safeguards to address identified risks. The Final Rule imposes more detailed, prescriptive requirements regarding what specific safeguards must be implemented, and how. See Final Rule at § 314.4(c)(1)-(8). These include (1) implementing and periodically reviewing access controls, (2) data inventory and classification requirements, (3) implementing encryption protocols, (4) adopting “secure development practices” for certain in-house developed applications, (5) generally implementing multi-factor authentication “for any individual accessing any information system,” (6) developing, implementing and maintaining procedures for secure information disposal no later than two years after the information is last used in connection with a product or service to the customer, with certain narrow exceptions, (7) adopting procedures for change management, and (8) implementing policies and procedures to monitor and log the activity of authorized users and detect unauthorized access.

• 314.4(d)(2) – Annual penetration testing and vulnerability assessments

While requirement regarding regular testing in paragraph (d)(1) must be implemented within 30 days of publication, the requirement in paragraph (d)(2) that covered entities perform “continuous monitoring or periodic penetration testing and vulnerability assessment” must be implemented within one year. If companies cannot implement “effective continuous monitoring,” they “shall conduct” both “[a]nnual penetration testing” and “[v]ulnerability assessments . . . at least every six months,” or whenever there are “material changes” to the company’s “operations or business arrangements” or when there are “circumstances that you know or have reason to know may have a material impact on your information security program.”

• 314.4(e) – Training of information security personnel

The existing version of the Safeguards Rule requires that covered entities ensure employee training. However, as revised in the Final Rule, Section 314.4(e) now provides more detailed requirements on the subject of employee training. It requires covered entities to “ensure that personnel are able to enact [the] information security program” by reference to four covered actions, namely (1) providing “security awareness training,” (2) “[u]tilizing qualified information security personnel,” (3) ensuring that information security personnel have “security updates and training sufficient to address relevant security risks,” and (4) “[v]ertifying” that the company’s key information security personnel “take steps” to remain aware of “changing information security threats and countermeasures.”

• 314.4(f)(3) – Oversight of service providers

Paragraph (f) relates to a covered entity’s oversight over its service providers. Paragraphs (f)(1) and (f)(2) are effectively covered under the existing Safeguards Rule. However, paragraph (f)(3), which must be implemented within one year of the publication of the Final Rule, is new. It requires covered entities to “[p]eriodically assess[] your service providers based on the risk they present and the continued adequacy of their safeguards.”

• 314.4(h) – Written incident response plan

Paragraph (h) introduces a requirement that covered entities must have a “written incident response plan” that “shall address” the seven elements enumerated in paragraph (h), including, but not limited to, “[t]he internal processes for responding to a security event.” However, the precise actions that are mandated by paragraph (h) are not entirely clear in every instance, e.g., the requirements for “[e]xternal and internal communications and information sharing,” and “[d]ocumentation and reporting regarding security events and related incident response activities” are not described with any further detail.

• 314.4(i) – Regular reports by Qualified Individual

Paragraph (i) requires the Qualified Individual selected pursuant to § 314.4(a) to “report in writing, regularly and at least annually,” to the board or equivalent governing body of the covered entity. If no such body exists, the report must be made to the “senior officer responsible” for the covered entity’s information security program. Paragraph (i) specifies two items that “shall” be covered in the report, including (1) the “overall status” of the company’s information security program and compliance and (2) any “[m]aterial matters” that are related to the information security program, including “recommendations for changes” to the program.

In addition to the above changes, the Final Rule creates an exemption for financial institutions that collect NPI regarding fewer than 5,000 consumers (see § 314.6). Such institutions need not comply with the written risk assessment, penetration testing and vulnerability assessments, incident response plan, and annual reporting requirements (sections 314.4(b)(1), 314.4(d)(2), 314.4(h), and 314.4(i)).

* * *

We will continue to monitor developments in this area. Please reach out to your usual Herbert Smith Freehills contacts with any questions.