On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.  Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.”  The new requirements are primarily based on the cybersecurity regulations issued by the New York Department of Financial Services (“NYSDFS”) and the insurance data security model law issued by the National Association of Insurance Commissioners.

Some of the specific proposed changes include:

  • Revising the requirement to designate an “employee or employees to coordinate [the] information security program” to require designation of a single individual, referred to as a Chief Information Security Officer (“CISO”), as responsible for overseeing and implementing the program;
  • Adding requirements to financial institutions’ risk assessments, including that the assessment must be written, describe how the information security program will address the identified risks, and be performed periodically;
  • Requiring financial institutions to implement access controls on information systems, as well as restrict access to physical locations containing customer information only to authorized individuals;
  • Requiring customer information to be encrypted, both in transit and at rest;
  • Requiring implementation of multi-factor authentication for any individual accessing customer information;
  • Requiring information systems to include audit trails designed to detect and respond to security events;
  • Requiring financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes;
  • Requiring financial institutions to develop procedures for change management;
  • Requiring financial institutions to implement policies and procedures “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users;”
  • Requiring regular testing and continuous monitoring of relevant key controls, systems and procedures;
  • Requiring that financial institutions implement appropriate training and education, including verifying that key security personnel take steps to maintain current cybersecurity knowledge, and utilize qualified security personnel;
  • Expanding the requirement to oversee service providers to require financial institutions to periodically assess such service providers based on the information security risk they present;
  • Requiring that financial institutions establish incident response plans; and
  • Requiring that the financial institution’s CISO report at least annually to the institution’s board of directors on issues related to the information security program.

Dissenting Statement of Commissioners Phillips and Wilson

Notably, the proposal to amend the Safeguards Rule was issued pursuant to a 3-2 divided vote of the FTC’s commissioners.  Commissioners Noah Phillips and Christine Wilson issued a dissenting statement that argues that the proposed approach “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”  Further, while Commissioners Phillips and Wilson acknowledge that the amendments remain a mere proposal, they “are concerned that the specific suggestions . . . will frame the debate so as to take the Commission in a direction that may be unwarranted,” particularly in light of the possibility of new comprehensive federal data protection legislation.

Other Proposed Changes to the Privacy Rule and the Safeguards Rule

The FTC is also proposing to make certain changes to the Privacy Rule, which is also issued under the GLBA. The Privacy Rule implements the information sharing restrictions in GLBA solely as to motor vehicle dealers.  The Dodd-Frank Act transferred the bulk of the rulemaking authority for implementing these provisions to the Consumer Financial Protection Bureau (“CFPB”), which does so pursuant to Regulation P (Privacy of Consumer Financial Information).

The FTC is proposing to make a small number of changes to the Privacy Rule to align it with the CFPB’s Regulation P and a Federal Reserve Board interpretive regulation.  Specifically, the FTC is proposing to expand the definition of “financial institution” to explicitly include “finders,” who “charge a fee to connect consumers who are looking for a loan to a lender.”  This proposed change would align with Regulation P’s definition of “financial institution,” which incorporates an interpretation of the Federal Reserve Board that acting as a finder is an activity “incidental to a financial activity.”  The FTC is proposing an identical revision to the definition of “financial institution” in the Safeguards Rule.  The FTC is also proposing technical or clarifying amendments to the Privacy Rule to align with the changes to the GLBA annual privacy notices contained in the Dodd-Frank Act and the FAST Act of 2015.