An FTC final rule to strengthen data security measures to further protect consumer financial data goes into effect on January 10, 2022. Certain provisions are extended until December 9, 2022 to allow financial institutions more time to modify their information security programs to comply with the new requirements. The final rule was published in the Federal Register.
The FTC final rule amends the agency's Standards for Safeguarding Customer Information. As previously covered, the amendments include:
- imposing additional requirements for an information security program, including access controls, encryption, and authentication protocols; and
- increasing the potential for individual liability for breaches at financial institutions by (i) designating a single individual chief information security officer responsible for the security program and (ii) requiring periodic reports by that individual to the firm's directors.
While the rule is effective on January 10, 2022, certain provisions, per FTC Rule 314.5 ("Effective Date"), apply starting on December 9, 2022 to allow more time to comply with the new requirements. These include: Section 314.4(a) ("Appointment of a Qualified Individual"); 314.4(b)(1) ("Conducting a written risk assessment"); 314.4(c)(1) through (8) ("Elements of the information security program"); 314.4(d)(2) ("Monitoring and annual penetration testing and biannual vulnerability assessment"); 314.4(e) ("Training for personnel"); 314.4(f)(3) ("Periodic assessment of service providers"); 314.4(h) ("Written incident response plan"); and 314.4(i) ("Annual written reports from the Qualified Individual").