On May 24, 2022, the Federal Trade Commission (FTC) released a new publication offering financial institutions and their service providers guidance on the FTC’s recently revised Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The new publication, “FTC Safeguards Rule: What Your Business Needs to Know,” signals the FTC’s continued interest in regulating the data security posture of financial institutions subject to the GLBA. Businesses subject to the FTC’s jurisdiction under the GLBA should pay particular attention to these standards, as the agency may be looking to flex its regulatory authority now that it is fully staffed.
The purpose of the Safeguards Rule is to ensure that financial institutions and their service providers maintain safeguards to protect the security of customer information. The FTC’s Safeguards Rule broadly defines “financial institutions” and includes within its definition non-banking financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies.
The FTC amended the rule in December 2021 to provide more concrete guidance for financial services companies and their third-party service providers, as we wrote about previously here. Unlike previous rules and guidance promulgated by federal financial regulators, the FTC’s new Safeguards Rule includes specific criteria for what safeguards financial institutions must implement as part of their information security program. For example, the new Safeguards Rule requires financial institutions to implement multifactor authentication for any individual accessing any information system that holds customer information, unless the institution’s Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
The FTC’s publication, FTC Safeguards Rule: What Your Business Needs to Know, provides an overview of the new Safeguards Rule and is intended to apprise financial institutions regulated by the FTC of the core data security principles that must be followed. For example, the publication notes that a reasonable information security program must include nine elements: (1) designating a Qualified Individual responsible for the security program; (2) conducting periodic risk assessments; (3) designing and implementing safeguards to control the risks identified through those risk assessments; (4) regularly monitoring and testing the effectiveness of those safeguards; (5) training staff regularly on cybersecurity awareness; (6) overseeing service providers; (7) keeping the information security program current to address emerging threats; (8) creating a written incident response plan; and (9) reporting in writing, at least annually, to the board of directors or equivalent governing body on the security program.
Financial institutions and their service providers should review the FTC’s publication for more details.