InfoBytes Blog

Financial Services Law Insights and Observations

FTC updates Safeguards Rule for financial institutions

On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and makes the following modifications to the existing rule:

  • Adds specific criteria financial institutions must follow when conducting a risk assessment and implementing an information security program, including provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response, among others. The final rule also adds measures to ensure that employee training and service provider oversight are effective.
  • Requires financial institutions to designate a single qualified individual to oversee the information security program. Periodic reports must also be made to an institution’s board of directors or governing bodies.
  • Provides an exemption from requirements related to written risk assessments, incident response plans, and annual reporting to the board of directors, for financial institutions that collect information on fewer than 5,000 consumers.
  • Expands the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e., companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule).
  • Adds several definitions and related examples into the Safeguards Rule itself instead of incorporating them through a reference from a related FTC rule.

Provisions of the final rule under Section 314.5 are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.

Additionally, the FTC issued a supplemental notice of proposed rulemaking seeking comments on a proposal to further amend the Safeguards Rule to require financial institutions to report security events to the Commission where a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers. Comments are due 60 days after publication in the Federal Register.

The FTC also announced a final rule adopting largely technical changes to the Privacy of Consumer Financial Information Rule (Privacy Rule) under the Gramm-Leach-Bliley Act, which requires financial institutions to inform consumers about their information-sharing practices and to give consumers the ability to opt out of having their information shared with certain third parties. The Privacy Rule is amended to revise the rule’s scope, modify the definitions of “financial institution” and “federal functional regulator,” and update requirements pertaining to annual customer privacy notices. The FTC noted that these changes align the Privacy Rule with changes made under Dodd-Frank and the FAST Act.