U.S. Federal Trade Commission adopts prescriptive data security requirements and other updates to its Gramm-Leach-Bliley safeguard rule
On October 27, 2021, the Federal Trade Commission (“FTC” or “Commission”) issued a “Final Rule” implementing most of the revisions it proposed in 2019, with some significant changes, to his Gramm-Leach- Bliley Law1(“GLBA”) backup rule (“backup rule”).
Financial institutions covered by the final rule include researchers (as noted below), finance companies, mortgage companies, motor vehicle dealers, payday lenders, and other non-banks involved in the consumer financial services sector. The final rule:
- Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of a comprehensive information security program, such as access controls, multi-factor authentication and encryption;
- Adds provisions designed to improve the accountability of financial institutions’ information security programs, for example by requiring periodic reports to boards of directors or governing bodies;
- Exempts financial institutions that maintain customer information for less than 5,000 consumers from certain requirements;
- Expands the definition of “financial institution” to include entities engaged in activities that the Board of Governors of the Federal Reserve System (“Federal Reserve Board” or “Board”) determines to be incidental to financial activities (for example , the “finders” which bring together buyers and sellers of a product or service); and
- Defines several terms and provides related examples in the safeguard rule itself rather than incorporating them by reference to the rule implementing the confidentiality provisions of the GLBA (“Privacy Rule”).2
The final rule will take effect one year after its publication in Federal Register. 3
On April 4, 2019, the FTC proposed a number of revisions (“Proposed Rule”) to the Safeguards Rule. In particular, the Commission has proposed revisions to oblige financial institutions to implement specific information security controls, including those relating to data encryption, multi-factor authentication, planning of intervention in the event of a breach. incident, board reports and program accountability. The proposal draws heavily on cybersecurity regulations issued by the New York Department of Financial Services.4 (“NYDFS Cyber Regulation”) in March 2017 and the Model Law on Insurance Data Security published by the National Association of Insurance Commissioners (“NAIC Model Law”) in October 2017.5 Therefore, financial institutions subject to NYDFS cyber regulation will be aware of many of the requirements and likely have policies and procedures in place to meet those requirements.
On July 13, 2020, the Commission organized a workshop on the proposed changes and organized panels with information security experts to discuss topics related to the proposed rule. The Commission received 60 comments in response to the proposed rule and to the workshop. Many comments underscored the prescriptive nature of the proposed rule, noting that the revisions might be too onerous for financial institutions and other regulated entities to follow.
After reviewing the initial comments on the draft rule, hosting the workshop, and then reviewing the comments received as a result of the workshop, the Commission issued its final amendments to the rule on safeguards, which were shaped in part by the comments it received during the comment period.
The Commission received numerous comments suggesting that the prescriptive safeguards were rigid and financially onerous. However, the Commission dismissed these concerns, noting that the safeguards are goals that can be changed depending on the size and needs of the institution and a burden that is justified in order to protect customer information like the requires the GLBA. The Commission noted that while large financial institutions may incur substantial costs to implement complex information security programs, there are much more affordable solutions for financial institutions with smaller and smaller information systems. simpler. The Commission indicated that these expenditures were justified because of the vital importance of protecting customer information collected, maintained and processed by financial institutions.
Overview of the final rule
While the proposed rule would have required a financial institution to appoint an Information Security Officer (“CISO”), the final rule instead requires the designation of a “qualified person”.6 The Qualified Person does not need to be an employee of the financial institution, but can be an employee of an affiliate or a service provider. This change was intended to accommodate financial institutions that might prefer to retain the services of an external expert. No particular level of education, experience or certification is prescribed by the Final Rule. Thus, a financial institution can designate any qualified person who is suitable for its business.
Several industry groups have also suggested that important parts of the proposed rule should not apply to all customer information, but rather only to certain subsets of particularly “sensitive” customer information, such as numbers. account or social security numbers. These reviewers have generally argued that the definition of “customer information” is too broad, as it will include information that reviewers say is not particularly sensitive, such as name and address, and therefore does not warrant no extended guarantees. The Commission does not agree that some of the customer information is not entitled to the protections required by the Final Rule. The final rule defines “customer information” as “any record containing non-public personal information” about a customer that is managed or maintained by or on behalf of a financial institution.seven
To view the full article, please click here.
1.15 USC §§ 6801 and following.
2.12 CFR part 1016.
3. FTC Standards for Safeguard Rule, Guidelines published on 16 CFR § 314.
4. 23 NYCRR 500. The NYDFS Cyber Final Regulation applies to any person operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance or financial services laws. For an overview of NYDFS cyber regulation, see https://www.mayerbrown.com/en/perspectives-events/publications/2017/03/cybersecurity-ny-adopts-final-regulations-for-bank
5. See NAIC, Insurance Data Security Model Law, available at https://www.naic.org/store/free/MDL-668.pdf (Last access March 12, 2019). The NAIC Model Law requires every insurance licensee in a state (unless they have an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. To date, the NAIC Model Law has been passed in more than 15 states. For an overview of the NAIC Model Law, see https://www.mayerbrown.com/en/news/2017/11/dissecting-naics-insurance-data-security-model-law
6.16 CFR § 314.4 (a).
7. 16 CFR § 314.2 (d).
Visit us on mayerbrown.com
Mayer Brown is a global provider of legal services comprising law firms that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Firms are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, two limited liability companies established in Illinois in the United States; Mayer Brown International LLP, a limited liability company incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales under number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a partnership of Hong Kong and its associated entities in Asia; and Tauil & Checker Advogados, a Brazilian law partnership in which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are registered trademarks of Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Practices of Mayer Brown. All rights reserved.
This article by Mayer Brown provides information and commentary on legal issues and developments of interest. The foregoing does not constitute a complete treatment of the matter at hand and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action on the matters discussed in this document.