A MoFo Privacy Minute Q&A (11 November 2021)

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

Question: My company is a financial institution subject to the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act and we have an information security program that conforms to the Safeguards Rule that has been in effect for almost two decades. What do we need to add to our program to comply with the revised Safeguards Rule, and how much time to do we have to add it?   

Answer: On October 27, 2021, the Federal Trade Commission (FTC) voted 3-2 to finalize a significant revision of the Standards for Safeguarding Customer Information (“Safeguards Rule”) under the Gramm-Leach-Bliley Act (GLBA), adopting amendments that will require financial institutions to implement specific security practices to protect consumer financial information as part of their information security programs. 

While the Safeguards Rule previously required financial institutions to implement a general written information security program, the revised rule specifies what measures must be featured as part of the program. The following key measures are likely to be required by Q4 of 2022, or within one year of the revised rule’s publication in the Federal Register (whereas the rule itself and remaining requirements will become effective within 30 days after publication):

• Appointment of a single qualified individual to be responsible for the information security program, whereas the previous rule permitted the designation of one or more responsible employees.
• Periodic written risk assessments that describe the criteria for the evaluation and categorization of identified security risks or threats, the adequacy of existing controls, and how identified risks will be mitigated.
• Continuous monitoring or annual penetration testing and biannual vulnerability assessments.
• Encryption of customer information at rest and in transit over external networks.
• Multifactor authentication for individuals accessing networks that contain customer information. Authentication measures may include: (1) knowledge factors, such as a password; (2) possession factors, such as a token; or (3) inherence factors, such as biometric characteristics.
• Logging and disposal of customer information – disposal should occur no later than two years after the last date the information was used, unless otherwise required by law.
• Security training for personnel.
• Periodic assessments of service providers.
• A written incident response plan.
• Annual reporting by the qualified individual to the board of directors in writing.

These measures closely track those in the 2017 New York Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which similarly require covered financial institutions to implement specific cybersecurity controls, such as encryption of data in transit and at rest as well as multifactor authentication, and the appointment of a Chief Information Security Officer responsible for the information security program. 

The following will become effective 30 days after publication of the revised rule:

• An expanded definition of covered entities, or “financial institutions,” which will now include companies acting as “finder[s] in bringing together one or more buyers and sellers of any [consumer] product or service for transactions that the parties themselves negotiate and consummate.” This might include, for example, entities that match, or bring together, consumers and providers of consumer financial products, such as consumer borrowers and lenders or retail investors and investment products.
• Periodic additional risk assessments that reexamine reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
• Regular tests or monitoring of the effectiveness of the safeguards that are implemented.
• Certain oversight of service providers, including: (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards; and (2) requiring service providers by contract to implement and maintain such safeguards.

The FTC also voted unanimously to publish a Supplemental Notice of Proposed Rulemaking in the Federal Register, which, if adopted, would require financial institutions to report to the FTC within 30 days of the discovery of any security event that resulted or would be reasonably likely to result in the misuse of customer information, and during the course of which at least 1,000 consumers have been affected or are reasonably likely to be affected. The public will have 60 days after publication to submit comments.

Visit our A MoFo Privacy Minute Series page to view our collection of Q&As. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers on Cybersecurity, State Privacy Laws, and the GDPR + European Privacy.