On November 15, the Federal Trade Commission (FTC) announced a six-month delay of the deadline by which companies must comply with recent amendments to its Standards for Safeguarding Customer Information (“the Safeguards Rule,” located at 16 C.F.R. § 314).
Financial institutions affected by the updates to the Safeguards Rule will now have additional time to review and revise their security programs as needed to comply with the modified requirements. While this provides some relief for the industry, financial institutions also need to be aware of other privacy and cybersecurity requirements, including the New York Department of Financial Services’ update to its cybersecurity regulations and the new comprehensive privacy laws in California and Virginia that take effect on January 1.
We will continue to keep you posted on relevant updates to the Safeguards Rule and how they may impact your business.
Background
The Safeguards Rule was originally issued in 2002 pursuant to the FTC’s authority under the Gramm-Leach-Bliley Act. Specifically, the Rule requires that non-banking financial institutions (including, among other entities, mortgage brokers, payday lenders, check cashers, collection agencies, and tax preparation firms) develop, implement, and maintain information security programs to protect their customers’ information. The FTC amended the Safeguards Rule in December 2021, hoping to refresh the Rule in light of modern technological challenges and a wave of recent data breaches and cyberattacks. As we observed at the time, these amendments were perhaps most notable for defining specific criteria regarding what safeguards financial institutions must include in their information security programs, rather than merely offering general guidance.
While some of the amended provisions became effective in January 2022, the bulk of the substantive amendments were not slated to go into effect until December 9, 2022. The FTC’s six-month compliance deadline delay applies to the latter group of amendments, changing their effective date to June 9, 2023. In announcing the extension, the Commission cited a “shortage of qualified personnel to implement information security programs,” supply chain issues, and disruptions imposed by the COVID-19 pandemic.
Key provisions affected by the FTC’s six-month delay include those requiring a financial institution to:
- Designate a “Qualified Individual” to oversee and implement the financial institution’s information security program and require that individual to regularly report in writing to company leadership. See 16 C.F.R. § 314.4(a), (i).
- Conduct a written risk assessment and use that assessment’s findings to inform development of its information security program. See 16 C.F.R. § 314.4(b)(1).
- Design and implement safeguards to control the risks identified through the risk assessment, including protections related to access control, encryption, application security, multi-factor authentication, data retention, change management, and activity monitoring. See 16 C.F.R. § 314.4(c).
- Execute continuous monitoring or periodic penetration testing and vulnerability assessments. See 16 C.F.R. § 314.4(d)(2).
- Provide personnel with appropriate security training. See 16 C.F.R. § 314.4(e).
- Conduct periodic assessments of service provider risks. See 16 C.F.R. § 314.4(f)(3).
- Establish a written incident response plan. See 16 C.F.R. § 314.4(h).