US: FTC adopts updated Safeguards Rule and seeks comment on security event notification requirement

On October 27, 2021, the Federal Trade Commission (FTC) issued a final rule updating its information security rules for financial institutions’ protection of consumers’ financial information (the “Final Rule”). This is the first significant update to the FTC’s Safeguards Rule since it took effect in 2003. The Final Rule imposes a number of new specific information security requirements on financial institutions subject to the FTC’s jurisdiction.

Section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 USC 6801(b), requires the FTC and the federal functional financial regulators to adopt regulations to establish administrative, technical, and physical security safeguards at financial institutions to protect the security and confidentiality of consumers’ financial information. The FTC’s Safeguards Rule implements this GLBA requirement, with the FTC having Safeguards Rule jurisdiction over mortgage lenders, certain non-bank lenders, finance companies, mortgage brokers, account services, check cashers, wire transferors, collection agencies, credit and financial advisors, tax preparation firms, and investment advisors that are not required to register with the Securities and Exchange Commission. The Final Rule slightly expands the types of financial institutions subject to the Safeguards Rule to also include “finders,” which are described as companies that bring together buyers and sellers of a product or service.

In adopting the Safeguards Rule (2003), the FTC sought to provide financial institutions with flexibility in the implementation of their information security programs. In general, under the current version of the Safeguards Rule, financial institutions must conduct a risk assessment to identify reasonably foreseeable risks to the security of their customers’ information, adopt safeguards to address those identified risks, conduct employee training, and oversee service providers with access to customer information.

The Final Rule maintains the existing Safeguard Rule’s basic framework but imposes significant new requirements for financial institutions’ information security programs, including:

  • Appointing a single “qualified individual” to oversee the security program. Although the Final Rule does not define specific qualifications that this individual must possess, the qualified individual must be qualified to oversee and enforce a financial institution’s information security program, which will vary based on the size and complexity of the financial institution and its information systems. The Final Rule makes clear that a qualified individual can be an employee, the employee of an affiliate entity, or a service provider.
  • Conducting a written risk assessment and periodically updating it. In the update, the financial institution must reexamine the evolving risks to its customer information and to information systems that process or have access to such data.
  • Implementing safeguards to control identified risks. The Final Rule requires specific security measures that financial institutions must implement, including:
    • Technical and physical access controls based on least privilege principles to limit access to customer information.
    • Preparing a system inventory to manage the financial institution’s data, information systems, devices, personnel, and facilities so the financial institution can locate customer information and manage systems that may access such information or that are connected to systems that process such information.
    • Encrypting all customer information both in transit over external networks and at rest. The FTC declined to limit the encryption requirement to only more sensitive customer information, stating that information revealing that a consumer is a financial institution’s customer is itself sensitive. To provide financial institutions with some flexibility, the institution’s qualified individual may approve effective alternative compensating controls if encryption is infeasible.
    • Adopting secure development practices for in-house developed software used to transmit, access, or store customer information. Financial institutions also must develop processes to evaluate and test the security of externally developed applications used to process customer information.
    • Implementing multifactor authentication for any individual accessing information systems that process customer information, including customers, employees, service providers, and others. As with encryption, the FTC argues that the security benefits of multifactor authentication outweigh any added financial burdens or inconvenience in a longer log-in process. Again, in an attempt to provide some flexibility, a financial institution’s qualified individual may approve (in writing) “reasonably equivalent or more secure access controls.”
    • Developing, implementing and maintaining procedures to securely dispose of customer information. The Final Rule creates a data retention limitation for financial institutions. Under the Final Rule, financial institutions must dispose of customer information no later than two years after the last date the information was used in connection with the provision of a product or service unless the information is necessary for business operations or a legitimate business purpose, is required by law, or disposal is not reasonably feasible.
    • Implementing measures to monitor and log the activity of authorized users and detect unauthorized access to customer information.
  • Regularly testing or otherwise monitoring security controls’ effectiveness. Information systems must be continuously monitored or undergo annual penetration testing or biannual vulnerability assessments.
  • Implementing policies and procedures to ensure personnel are able to meet the information security program’s requirements. These include providing security awareness training to employees, utilizing qualified information security personnel, providing information security personnel with training so they are aware of emerging threats and security vulnerabilities, and verifying that information security personnel maintain current knowledge of security threats (to complement the required training).
  • Periodically assessing service providers’ security risks and verifying that the service providers continue to provide the safeguards required by their contract with the financial institution.
  • Establishing a written incident response plan designed to promptly respond to and recover from security events that materially affect the confidentiality, integrity, or availability of customer information. The “availability” prong is intended to address ransomware and denial-of-service incidents.
  • Providing annual reports by the qualified individual to the financial institution’s board of directors (or equivalent).

The Final Rule includes a limited exception for financial institutions that maintain customer information of fewer than 5,000 persons. The Final Rule takes effect one year after the Final Rule is published in the Federal Register.

Security event notification proposal

In addition to the Final Rule, the FTC initiated a supplemental notice of proposed rulemaking (SNPRM) seeking comment on a proposed Safeguards Rule amendment that would require financial institutions to notify the FTC in the event of a “security event.” The Final Rule defines a “security event” as “an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.”

The proposed amendment would require a financial institution to notify the FTC of a security event affecting at least 1,000 consumers where it is reasonably likely that customer information has been misused. A financial institution would need to notify the FTC within 30 days of discovering the security event.

Comments on the proposed security event notification requirement are due to the FTC within 60 days after the SNPRM is published in the Federal Register.

For more information, please contact Andrew Serwin, Jennifer Kashatus and James Duchesne or your DLA Piper relationship attorney.