FTC Amends GLBA Safeguards and Privacy Rules; Proposes New Security Incident Reporting Obligations for Financial Institutions

Following more than two years of deliberation since proposing amendments to the 2002 Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Information, known as the “Safeguards Rule,”¹ the Federal Trade Commission (FTC) recently issued a final rule (the New Safeguards Rule) embodying most of those proposed amendments.² The New Safeguards Rule, which applies only to certain non-bank financial institutions, was approved 3–2 in a vote that fell along party lines, with three Democratic Commissioners—including Rohit Chopra, now the director of the Consumer Financial Protection Bureau—voting in favor. Although most of the New Safeguards Rule’s requirements are not effective until a year from the New Safeguards Rule’s publication in the Federal Register, certain requirements take effect within 30 days.

Simultaneously, the FTC issued a Supplemental Notice of Proposed Rulemaking to require financial institutions to report certain information security events. Specifically, under the proposed rule (which, if adopted, would become part of the New Safeguards Rule), financial institutions would be required to notify the FTC within 30 days after discovering an actual or reasonably likely “event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form” affecting at least 1,000 consumers. Comments on this new proposal are due within 30 days of the date the Supplemental Notice is published in the Federal Register.

The FTC also issued final amendments to its privacy regulations promulgated in 2000 under the GLBA (discussed further below).

The New Safeguards Rule

The New Safeguards Rule expands the scope of the original Safeguards Rule and imposes new information-security obligations, such as requirements to implement access controls, multifactor authentication and encryption techniques. In so doing, the New Safeguards Rule borrows many concepts from the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation,³ which means that financial institutions subject to the NYDFS regulation will have a head start on compliance with the New Safeguards Rule.

Scope

Expanded definition of financial institutions.

The New Safeguards Rule expands the definition of “financial institutions” to cover entities significantly engaged in activities determined by the Federal Reserve Board to be incidental to financial activities. In so doing, the New Safeguards Rule brings a number of nonbanking entities under its scope, ranging from professional tax preparers to those providing career counseling services to individuals currently employed or recently displaced from financial institutions. This modification, the FTC explains in its Supplementary Information to the New Safeguards Rule, is intended to bring “finders”—entities that bring buyers and sellers of any product or service together for transactions—under the New Safeguards Rule’s ambit.⁴ Finders, such as a lead generator that helps consumers find a financial institution for a home mortgage, often maintain extremely sensitive consumer financial information. Addressing the concern that the expanded definition of “financial institution” might capture an overly broad number of finders, the FTC emphasized that the information subject to protection is limited to customer information and does not apply to finders that “have only isolated interactions with consumers and that do not receive information from other financial institutions about those institutions’ customers.”

Small business exemption.

The New Safeguards Rule exempts financial institutions that maintain information concerning fewer than 5,000 consumers from certain requirements, including written risk assessments, continuous monitoring or annual penetration testing, biannual vulnerability assessments, and written incident response plans. This exemption serves in part to address the concern that certain risk assessment requirements might be too expensive and difficult for smaller financial institutions to implement.         

Required Risk Assessments; Risk Mitigation

The New Safeguards Rule outlines specific obligations for financial institutions with respect to risk assessments, including that they be written and capture how identified risks will be mitigated or accepted. Under the New Safeguards Rule, financial institutions must periodically perform additional risk assessments that reexamine potential risks to customer information that could result in the unauthorized compromise of such information. Responding to the concern that documenting risk assessments in writing would provide a roadmap for nefarious cyber actors if obtained, the FTC stated that financial institutions should be protecting their risk assessment documentation just as they would any other sensitive information.

The New Safeguards Rule explicitly requires financial institutions to design and implement safeguards to control the risks identified through the risk assessment. If a financial institution decides to accept a risk identified in a risk assessment, that decision should be documented with supporting explanation and reasoning. To maintain their information security programs, financial institutions must implement and periodically review access controls, including technical and physical controls to limit access only to authorized users and necessary customer information. Financial institutions also must encrypt all customer information at rest and in transit, implement multifactor authentication measures for access to customer information, monitor and log the activity of unauthorized users, and take measures to detect unauthorized access to or tampering with customer information.

The New Safeguards Rule also increases service provider oversight obligations, expressly requiring financial institutions to periodically assess their service providers based on the risk they present and the continued adequacy of their safeguards. And in line with the data minimization principles espoused by the European Union and codified in its General Data Protection Regulation, the New Safeguards Rule requires financial institutions to develop, implement and maintain procedures for securely disposing of customer information no later than two years after the last date the information was used, unless they are otherwise obligated to retain such information.

Internal Management

The New Safeguards Rule requires each financial institution to appoint a “Qualified Individual” to be responsible for that entity’s information security program. Although the Qualified Individual may function much like a “Chief Information Security Officer” (CISO) under the NYDFS regulation—the FTC noted that qualifications for serving as a Qualified Individual will vary by organization. For example, the Qualified Individual of a financial institution with a small and simple infrastructure will not require as much training and expertise as one for a financial institution with a large and complex infrastructure.

The Qualified Individual must provide a written report “regularly, and at least annually” on the institution’s information security program and compliance with the New Safeguards Rule. How frequently an entity provides such a report will depend on that entity’s particular needs. The report should be made to the financial institution’s board of directors or equivalent governing body, or, if no such board of directors or governing body exists, to a senior officer responsible for the information security program. Among other things, the report must include the overall status of the information security program and its compliance with the New Safeguards Rule.

New Privacy Rule

The New Privacy Rule⁵, whose application is limited to motor vehicle dealers, incorporates two substantive modifications. First, it widens the definition of “financial institution” to include entities significantly engaged in activities incidental to financial activities. Similar to the New Safeguards Rule, this will result in “finders” being captured within the New Privacy Rule’s scope. But given the FTC’s expectation that most motor vehicle dealers subject to the original Privacy Rule are directly involved in obtaining financing for their customers, this change is likely to have modest impact. Second, the New Privacy Rule modifies the annual privacy notice requirements to be consistent with the statutory changes to the GLBA enacted as part of the Fixing America’s Surface Transportation Act (the FAST Act), by providing that a financial institution is not obligated to provide an annual privacy notice if it (i) only shares nonpublic personal information (NPI) with nonaffiliated third parties in a manner that does not require an opt-out notice to be provided to its customers and (ii) has not changed its privacy policies and practices with respect to the disclosure of NPI since it last provided a privacy notice to its customers.

Conclusion

The two Republican commissioners who voted against the New Safeguards Rule, Noah Phillips and Christine Wilson, expressed their opposition in a pointed dissent, arguing that not only was there insufficient data establishing that the 2002 Rule was inadequate, but that the new requirements would actually weaken financial institutions’ data security by forcing them to channel resources into a “check-the-box” compliance exercise that constrains their ability to be flexible in approaching customer data security. Both of these commissioners also criticized the decision to incorporate elements of the NYDFS regulation without first monitoring that regulation’s “efficacy, costs, and unintended consequences.”

Irrespective of any competing views of the New Safeguards Rule, its issuance is indicative of an increasingly volatile cyber threat landscape and the concerns such an environment raises for financial institutions in particular. As attacks on such entities by bad actors grow in number and complexity, there is a corresponding need for financial institutions to be even more proactive and sophisticated in how they approach data protection. The New Safeguards Rule reflects an effort by the FTC to keep financial institutions accountable for the customer data they are tasked with securing. And although many entities may have already implemented a number of the data security measures mandated by the New Safeguards Rule, they should still re-evaluate their current practices—including arrangements with service providers—to avoid possible inquiries from the FTC or consumer litigation brought against them in connection with the New Safeguards Rule.

With respect to the FTC’s Supplemental Proposed Rulemaking on data security incident reporting, financial institutions may well wish to consider filing comments on the anticipated burdens and benefits of requiring such reporting, taking into account the federal banking agencies’ very recent adoption of new broad data security incident reporting obligations.⁶ Arnold & Porter regularly assists clients with such comments and we are available to consult on the value of submitting comments on these particular proposed rules.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.