24 November 2022

FTC Delays Safeguards Rule Implementation For Certain Financial Institutions

Cadwalader, Wickersham & Taft LLP

Contributor

Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.

The Federal Trade Commission ("FTC") announced last week that it is delaying the date by which certain financial institutions must comply with certain provisions of its updated Safeguards Rule by six months, with the compliance date now being June 9, 2023. Applicable to non-banking institutions such as mortgage brokers, motor vehicle dealers, and licensed lenders, the FTC's iteration of the Safeguards Rule (16 C.F.R. 34) — which implements data security requirements from the Gramm-Leach-Bliley Act ("GLBA") — was updated in December 2021.

The FTC's new requirements are not without controversy. The Safeguards Rule has been hailed as uniquely effective over the two decades it has been in place because it is technology-agnostic, requiring all financial institutions to maintain data security programs that are commercially reasonable compared to their cohorts. Indeed, in a dissenting opinion, Commissioners Noah Joshua Phillips and Christine S. Wilson note that "the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions."

To that end, the following provisions have been delayed:

  • Designating a qualified individual to oversee the information security program;
  • Developing a written security risk assessment;
  • Limiting and monitoring who in their organization, and among their service providers and other third parties, can access sensitive customer information;
  • Encryption of all sensitive information;
  • Training of security personnel;
  • Development of an incident response plan;
  • Periodic assessment of the security practices of service providers; and
  • Implementation of multi-factor authentication, or another method of equivalent protection.

While most of these provisions are part of a robust information security program, the FTC said the delay was needed because many of the small businesses affected by the Safeguards Rule are still struggling to resume business as usual after the pandemic.
