The FTC adopted additional amendments to its Standards for Safeguarding Customer Information (the "Safeguards Rule") to strengthen the data security measures that financial institutions must implement to protect consumer financial data. The amendments include:
- imposing additional requirements for an information security program, including access controls, encryption, and authentication protocols; and
- increasing the potential for individual liability for breaches at financial institutions by (i) requiring each institution to designate a single "Qualified Individual" (in practice, a chief information security officer) responsible for overseeing and implementing the security program and (ii) requiring that individual to report in writing, at least annually, to the firm's board of directors or equivalent governing body.
Most of the amendments to FTC Rule 314.4 ("Elements"), which sets out the required elements of an information security program, will go into effect one year after publication in the Federal Register; the remaining amendments will go into effect 30 days after publication.
FTC Commissioners Noah Joshua Phillips and Christine S. Wilson dissented, stating that the amendments are "wholly unsupported by record evidence of prevalent failures at the senior managerial level." Commissioners Phillips and Wilson also argued that the amendments (i) are premature, (ii) reduce the flexibility of the existing rule and (iii) impose substantially increased costs that smaller firms will find difficult to bear.
FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter supported the amendments, pointing to the Equifax breach and to "the recent history of major data breaches."
The FTC also requested comment on a proposal to further amend the Safeguards Rule by requiring financial institutions to report to the FTC a security breach that could affect the information of at least 1,000 consumers. Comments to that proposal must be submitted within 60 days of its publication in the Federal Register.
Commentary
In their statement supporting adoption of the new requirements, Chair Khan and Commissioner Slaughter seem reluctant to acknowledge that, relative to their size, small firms will bear a disproportionately heavier cost burden than large ones. According to the Commissioners, "financial institutions with smaller and simpler systems may determine that minimal procedures are required" and the "record contains significant evidence that there are free and low-cost solutions for smaller businesses with more modest data security needs." That a smaller business has a simpler system does not mean that the system is easier to protect; a small firm typically has no dedicated security staff, and its systems may well be more vulnerable. See, e.g., "Data Breaches at Small Firms." The suggestion that small businesses can protect themselves for free seems over-optimistic.
When regulators say they want "accountability," they presumably mean a named individual whose head will roll. Chief Information Security Officer can be added to the list of distinguished but unattractive job titles.
Primary Sources
- FTC Final Rule: Standards for Safeguarding Customer Information
- FTC Supplemental notice of proposed rulemaking; request for public comment: Standards for Safeguarding Customer Information
- FTC Statement, Noah Joshua Phillips and Christine S. Wilson: In the Matter of the Final Rule amending the Gramm-Leach-Bliley Act's Safeguards Rule
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.