FTC Proposes Stricter Standards for Safeguards Rule
The FTC has extended until August 2, 2019 the notice-and-comment period, first announced in March, on proposed changes to the Safeguards Rule (16 CFR 314) issued under the Gramm-Leach-Bliley Act. The proposed changes would essentially require all financial institutions to adopt the NY Department of Financial Services’ strict information security program requirements and would impose, among other things, a requirement to encrypt all customer information both in transit and at rest.
If adopted, the revised Safeguards Rule would add new elements to the information security program that financial institutions are required to maintain under § 314.4, including:
- Designation of a single qualified individual responsible for overseeing and implementing the information security program (referred to as a Chief Information Security Officer or CISO)
- Basing the information security program on a risk assessment; such assessment must be written and must include the criteria for evaluation as well as a description of how identified risks will be mitigated or accepted. The assessment also must be repeated periodically.
- Implementation of safeguards, including:
  - Access controls
  - Restriction of physical access
  - Encryption of all customer information both in transit and at rest
  - Secure development practices for applications developed in-house
  - Multi-factor authentication for individuals accessing customer information
  - Audit trails to detect and respond to security events
  - Procedures for secure disposal of customer information
  - Procedures for change management
  - Policies and procedures to monitor activity of authorized users
- Regular monitoring and testing of the effectiveness of the safeguards
- Periodic assessment of service providers
- Establishment of a written incident response plan
The proposed changes would also supply definitions where required, and would import the existing Privacy Rule definition of “financial institution” into the Safeguards Rule.
If adopted, the changes may not be significant for large institutions, most of which already follow the Federal Financial Institutions Examination Council (“FFIEC”) security requirements, including with regard to encryption. But they could have a large impact on FinTech companies and entities that traffic in GLBA data but are not themselves traditional financial institutions.
The regulator is also accepting comments on proposed changes to the Privacy Rule (16 CFR 313) until June 3, 2019. With regard to protecting the privacy of financial institution customer information, the proposed changes to the Privacy Rule would clarify that the FTC Privacy Rule governs motor vehicle dealers, while the CFPB’s Regulation P applies to other financial institutions. This change would align the regulations with the Dodd-Frank Act, which reassigned rulemaking responsibility for these entities, although the FTC retains enforcement authority over all financial institutions. The changes would thus not result in significant substantive changes for financial institutions, which are already operating under Regulation P.