On October 27, 2021, the Federal Trade Commission ("FTC" or "Commission") issued a final rule ("Final Rule") implementing most of the revisions it proposed in 2019, with some important modifications, to its Gramm-Leach-Bliley Act[1] ("GLBA") safeguards rule ("Safeguards Rule").

Financial institutions covered by the Final Rule include finders (as discussed below), finance companies, mortgage companies, motor vehicle dealerships, payday lenders and other non-banks involved in the consumer financial services industry. The Final Rule:

  • Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, multi-factor authentication and encryption;
  • Adds provisions designed to improve the accountability of financial institutions' information security programs, such as by requiring periodic reports to boards of directors or governing bodies;
  • Exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from certain requirements;
  • Expands the definition of "financial institution" to include entities engaged in activities that the Board of Governors of the Federal Reserve System ("Federal Reserve Board" or "Board") determines to be incidental to financial activities (e.g., so-called "finders" that bring together buyers and sellers of a product or service); and
  • Defines several terms and provides related examples in the Safeguards Rule itself rather than incorporating them by reference from the rule implementing the GLBA privacy provisions ("Privacy Rule").[2]

The Final Rule will take effect one year after its publication in the Federal Register.[3]

Background

On April 4, 2019, the FTC proposed a number of revisions ("Proposed Rule") to the Safeguards Rule. In particular, the Commission proposed revisions to require financial institutions to implement specific information security controls, including those with respect to data encryption, multi-factor authentication, incident response planning, board reporting and program accountability. The proposal drew heavily from the cybersecurity regulations issued by the New York Department of Financial Services[4] ("NYDFS Cyber Regulation") in March 2017 and the insurance data security model law issued by the National Association of Insurance Commissioners ("NAIC Model Law") in October 2017.[5] Therefore, financial institutions subject to the NYDFS Cyber Regulation will be familiar with many of the requirements and likely have existing policies and procedures in place to address these requirements.

On July 13, 2020, the Commission held a workshop concerning the proposed changes and conducted panels with information security experts discussing subjects related to the Proposed Rule. The Commission received 60 comments in response to the Proposed Rule and workshop. Many comments highlighted the prescriptive nature of the Proposed Rule, noting concerns that the revisions may be too burdensome for financial institutions and other regulated entities to follow.

After reviewing the initial comments to the Proposed Rule, conducting the workshop and then reviewing the comments received following the workshop, the Commission issued its final amendments to the Safeguards Rule, which were shaped in part by the comments it received during the comment period.

The Commission received many comments suggesting that the prescriptive safeguard elements were inflexible and financially burdensome. However, the Commission dismissed these concerns, noting that the safeguard elements are goalposts that can be modified based on the institution's size and needs and a burden that is justified in order to protect customer information as required by the GLBA. The Commission noted that while large financial institutions may incur substantial costs to implement complex information security programs, there are much more affordable solutions available for financial institutions with smaller and simpler information systems. The Commission indicated that these expenses were justified because of the vital importance of protecting customer information collected, maintained and processed by financial institutions.

Overview of the Final Rule

QUALIFIED INDIVIDUAL
Where the Proposed Rule would have required a financial institution to appoint a Chief Information Security Officer ("CISO"), the Final Rule instead requires the designation of a "Qualified Individual."[6] The Qualified Individual need not be an employee of the financial institution but may be an employee of an affiliate or a service provider. This change was intended to accommodate financial institutions that may prefer to retain an outside expert. No particular level of education, experience or certification is prescribed by the Final Rule. Accordingly, a financial institution may designate any qualified individual who is appropriate for its business.

CUSTOMER INFORMATION
Several industry groups also suggested that significant portions of the Proposed Rule should not apply to all customer information but rather only to some subset of particularly "sensitive" customer information, such as account numbers or social security numbers. These commenters generally argued that the definition of "customer information" is too broad, as it will include information that the commenters felt is not particularly sensitive, such as name and address, and therefore does not justify extensive safeguards. The Commission did not agree that some portion of customer information is not entitled to the protections required by the Final Rule. The Final Rule defines "customer information" as "any record containing nonpublic personal information" about a customer that is handled or maintained by or on behalf of a financial institution.[7]


Footnotes

1. 15 U.S.C. §§ 6801 et seq.

2. 12 C.F.R. Part 1016.

3. FTC Standards for Safeguard Rule, Published Guidance on 16 C.F.R. § 314.

4. 23 NYCRR 500. The NYDFS Cyber Final Regulation applies to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking, Insurance, or Financial Services Laws. For an overview of the NYDFS Cyber Regulation, see https://www.mayerbrown.com/en/perspectives-events/publications/2017/03/cybersecurity-ny-adopts-final-regulations-for-bank

5. See NAIC, Insurance Data Security Model Law, available at https://www.naic.org/store/free/MDL-668.pdf (last accessed Mar. 12, 2019). The NAIC Model Law requires every insurance licensee in a state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. To date, the NAIC Model Law has been adopted in more than 15 states. For an overview of the NAIC Model Law, see https://www.mayerbrown.com/en/news/2017/11/dissecting-naics-insurance-data-security-model-law

6. 16 C.F.R. § 314.4(a).

7. 16 C.F.R. § 314.2(d).


Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.