To strengthen data security protections for consumer financial information following widespread cyberattacks, the FTC recently issued much-anticipated final revisions to the Gramm-Leach-Bliley Act Safeguards Rule (Final Rule), following a 3-2 vote along party lines. The Final Rule represents a significant shift to more prescriptive information security requirements for non-banking financial institutions subject to the rule. With input and advice from partners at Wiley, Cooley and WilmerHale, this article analyzes the Final Rule’s changes and offers practical steps covered financial institutions can take now to comply with the rule’s new requirements, some of which take effect 30 days after publication in the Federal Register.
Excerpt: With effective dates looming, there are a number of steps financial institutions should take now, if they have not already. “I would hope that most relevant entities already are doing most of these things, as part of good overall information security hygiene,” said Nahra, noting that it is also “important to keep in mind who is covered by this rule – it isn’t most typical financial institutions. Banks and insurers aren’t subject to [the Final Rule] specifically.”
Excerpt: “This new rule does seem meaningfully different in approach than most previous data security regulation, from the FTC and otherwise,” observed Nahra. “Regulators have shied away from being too prescriptive because (1) security isn’t one size fits all; and (2) there often would be a need for more constant updating of the regulatory requirements. This is clearly a change in approach, at least to some extent.”