FTC Changes Financial Institution Protection Rule, Including New Information Security Requirements | Benesch
The updated rule also includes new exemptions, expands the definition of “financial institution” and creates new liability requirements.
On October 27, the Federal Trade Commission (“FTC”) adopted and published final amendments to the Safeguards Rule (the “Rule”). Commissioners voted 3-2 to adopt the amendments, and the narrow margin highlights divergent views on how best to regulate an industry that is the victim of data breaches with increasing frequency.
In 1999, Congress passed the Gramm-Leach-Bliley Act (“GLBA”), which, among other things, established a framework of privacy and data protection standards that financial institutions must follow in their handling of customer information. The GLBA directs the FTC to create and update the administrative, technical, and physical safeguards that financial institutions must implement, and the Rule is the result.
The amendments consist mainly of new information security program requirements and a new exemption. According to the FTC’s announcement, the amended Rule takes effect on November 28, 2021 (30 days after publication in the Federal Register).
As a reminder, the GLBA, and in turn the Rule, applies to any entity that is considered a financial institution.
The FTC and other government agencies take a broad view of what constitutes a financial institution. The definition includes, but is not limited to, mortgage lenders, account servicers, travel agencies operated in connection with financial services, tax preparation companies, and any other entity that engages in an activity that is “financial in nature” or incidental to such financial activities.
The Rule, like the GLBA generally, covers only customer information. Breaking that down, a customer is any consumer who obtains a financial product or service for personal, family, or household purposes, and customer information is the personally identifiable financial information of such individuals, as well as any list, description, or other grouping of such individuals that is derived from personally identifiable financial information.
The Rule does not govern the use by a financial institution of publicly available information.
The new Safeguards Rule
Overall, the amended Rule gives financial institutions more specificity about what is required and how a financial institution should comply with those requirements.
The FTC has, however, created a new exemption. Financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from several of the new requirements, including the written risk assessment, continuous monitoring or periodic testing, and the written incident response plan.
The biggest change concerns the specific elements that the Rule now requires of an information security program. The original Rule already required an information security program, but the amended Rule prescribes specific measures and procedures.
Any financial institution subject to the Rule must implement an information security program that includes: (1) a designated qualified individual responsible for overseeing and implementing the program; (2) periodic risk assessments; (3) safeguards that control the risks identified in those risk assessments; (4) regular testing and monitoring of the effectiveness of the safeguards; (5) internal policies and procedures consistent with the information security program; (6) assessment and oversight of the safeguards maintained by service providers; (7) updates to the program in light of the results of regular monitoring and of any material issues identified in risk assessments; and (8) a written incident response plan.
The more complex requirements are explained in more detail below.
The risk assessment must be designed to identify reasonably foreseeable internal and external risks, and it must categorize the identified security risks, assess the adequacy of existing controls in light of those risks, and identify strategies for mitigating the identified risks.
In addition, the risk assessment must be written and must be performed periodically.
The most direct change to the Rule is the adoption of specific safeguards and controls.
A financial institution subject to the Rule must: (1) implement and periodically review access controls; (2) identify and manage the data, personnel, devices, and systems that handle customer information (i.e., data mapping); (3) encrypt all customer information, both at rest and in transit, or, where encryption is infeasible, use effective alternative compensating controls; (4) adopt secure development practices for any in-house software used to handle customer information; (5) use multi-factor authentication for any individual accessing an information system; (6) implement and periodically review data retention policies that provide for secure disposal of customer information no later than two years after the last date it is used in connection with providing a product or service to the customer, unless retention is required for a legitimate business purpose; (7) adopt change management procedures; and (8) implement policies and procedures to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information.
The multi-factor authentication requirement can be met by any authentication mechanism that requires at least two of the following factors: (1) a knowledge factor, such as a password; (2) a possession factor, such as a token; or (3) an inherence factor, such as a biometric characteristic.
Additionally, if a financial institution does not continuously monitor its systems, it must perform annual penetration testing and vulnerability assessments at least every six months.
Staff and service providers
Under the Rule, financial institutions must employ qualified security personnel and provide periodic security awareness training so that personnel can properly manage the information security program.
These requirements apply even if a financial institution uses a third-party service provider to manage its information security program. A financial institution should therefore ensure that the service provider employs only qualified personnel and also provides proper and regular training.
In overseeing service providers, a financial institution must (1) take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards; (2) require the service providers by contract to implement and maintain those safeguards; and (3) periodically assess the service providers based on the risk they present and the continued adequacy of their safeguards.
The written incident response plan must be designed to respond promptly to, and recover from, any security event that materially affects the confidentiality, integrity, or availability of customer information.
Specifically, the plan must address (1) the goals of the plan; (2) the internal processes for responding to a security event; (3) a clear definition of roles, responsibilities, and levels of decision-making authority; (4) internal and external communications and information sharing; (5) requirements for remediating any identified weaknesses in systems or controls; and (6) procedures for documenting and reporting security events and the financial institution’s related response activities.
Under the Rule, a security event is any event that results in unauthorized access to, or disruption or misuse of, an information system, information stored on such a system, or customer information held in physical form.
The amended Rule passed by a narrow 3-2 vote, highlighting divergent views on how the government should regulate cybersecurity and data protection.
The dissenting opinion warned of the pitfalls of an “overly prescriptive” approach that imposes a single model on all financial institutions. The dissent’s concern is that compliance with the Rule will become performative: financial institutions will make sure they have the specific required elements in place rather than building an information security program that is adaptive and tailored to the institution’s own security and data protection needs.
According to the dissent, the new requirements will divert critical resources toward “check the box” compliance rather than a more “tailored” risk management approach.
FTC Chair Lina M. Khan issued a separate statement in support of the amended Rule after its adoption, emphasizing the need for the new requirements in a world of ever-increasing collection of customer information (particularly sensitive information) and of data breaches.
Specifically, the statement pointed to the Equifax breach and argued that the amended Rule’s vulnerability scanning, encryption, and monitoring requirements would likely have prevented it.
It is likely that the FTC and other government agencies will continue to use rulemaking to implement and enforce stricter cybersecurity and data protection standards.