Federal Trade Commission Changes Safeguard Rule for Non-Bank Financial Institutions | Robinson + Cole Data Privacy + Security Insider
The Federal Trade Commission (FTC) issued a final rule on October 27, 2021, amending the standards for protecting customer information, known as the "Safeguards Rule", under the Gramm-Leach-Bliley Act, which applies to a wide range of non-bank financial institutions. The FTC approved the amendment with a 3-2 vote. The FTC press release states that the "updated safeguard rule requires nonbank financial institutions, such as mortgage brokers, motor vehicle dealers and payday lenders, to develop, implement and maintain a complete security system to protect their customers' information."
The amendment includes “five main changes to the existing rule”, as shown below:
"First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication and encryption. Second, it adds provisions to improve the accountability of financial institutions' information security programs, for example by requiring periodic reports to boards of directors or governing bodies. Third, it exempts financial institutions that collect less information about customers from certain requirements. Fourth, it expands the definition of 'financial institution' to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds 'researchers' – companies that bring together buyers and sellers of a product or service – within the scope of the Rule. Finally, the final rule defines several terms and provides related examples within the rule itself rather than incorporating them by reference to the Consumer Financial Information Privacy Rule, 16 CFR part 313."
The final rule is 145 pages long and describes in detail the security measures that financial institutions must take to protect consumers' financial information "from cyber attacks and other threats". Most of the requirements codify the basic elements of an information security program that are generally accepted in the cybersecurity industry. Nonetheless, the final rule gives the FTC the ability to initiate enforcement action and impose fines and penalties if regulated entities fail to comply with its provisions, so they deserve attention and consideration.