The Federal Trade Commission (“FTC”) issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act (“GLBA”), commonly known as the Safeguards Rule and the Privacy Rule. Once the notices are published in the Federal Register, comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are focused mainly on technical changes that align the Rule with changes in law over the past decade.
Proposed Changes to the Safeguards Rule
The Safeguards Rule requires financial institutions (“FIs”) to maintain the security of customer information by maintaining a comprehensive written information security program (“WISP”) detailing the administrative, technical, and physical safeguards that the financial institution uses to collect, process, protect, store, transmit, dispose of, or otherwise handle customer information. The Safeguards Rule, which originally went into effect in 2003, is process-oriented. It includes general, high-level elements of a security program, but lacks detailed security steps.
The Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, stated that the “proposed changes are informed by the FTC’s almost 20 years of enforcement experience” and are designed to “keep up with marketplace trends and respond to technological developments.” The proposed amendments follow the FTC’s receipt of public comments in 2016 regarding the Safeguards Rule as part of the FTC’s regular review cycle.
The FTC, influenced by more detailed financial industry state regulatory developments such as the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation and the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law, both finalized in 2017, proposes to maintain a process-oriented approach, but modify the Safeguards Rule with additional mandates such as requiring:
- Incident response plan. The proposed Rule would require FIs to implement an incident response plan. The plan must enable FIs to promptly respond to and recover from security events affecting customer information. It must also address the goals of the plan, internal processes for responding to a security event, and documentation and reporting regarding security events and related incident response activities. The plan must define clear roles, responsibilities, and levels of decision-making authority. Finally, the plan must require that it be evaluated and revised as necessary following a security event.
- Chief Information Security Officer (“CISO”). Currently the Safeguards Rule requires FIs to designate an employee or employees to coordinate the WISP. The proposed Rule would require FIs to have a designated CISO who is “qualified” and who will oversee and implement the WISP; the FTC clarified that the Rule does not require FIs to use the formal CISO title. The proposed Rule would allow the CISO to be an employee of a service provider or affiliate, although in that case the FI would be required to designate a senior member of its own personnel to direct and oversee the CISO.
- Board reporting. The CISO would be required to report in writing, at least annually, to the FI’s board of directors or equivalent governing body (or, if none exists, to a senior officer responsible for the WISP) regarding the overall status of the WISP and material matters related to the WISP.
- Periodic risk assessments. The Safeguards Rule allows FIs to take a risk-based approach to developing their WISPs. Among other things, the proposed Rule would expand the current Rule’s risk assessment requirement to include that FIs must “periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.” Risk assessments under the proposed Rule will need to be written and include certain content, such as the criteria FIs use to evaluate and categorize identified security risks or threats.
- Specific information security measures. The proposed Rule is much more detailed in terms of the security measures that FIs must implement. The specific required measures in the proposed Rule include encryption of customer information in transit and at rest (where encryption is infeasible, compensating controls are required), access controls, secure development practices for in-house developed applications, procedures for the secure disposal of customer information, procedures for change management, and monitoring of the activity of system users. The FTC notes that it believes most FIs already implement the proposed measures under their current programs and that the proposed Rule would simply clarify what is already required, to help ensure that FIs understand their obligations. The proposed Rule would also require multi-factor authentication for any individual accessing customer information, but, unlike the NYDFS, which imposed a similar requirement in its Cybersecurity Regulation, the FTC declined to endorse text messages as a permitted second factor.
- Regular testing or monitoring of key information security measures. The proposed Rule would require continuous monitoring of the effectiveness of key controls, systems, or procedures, or absent that, annual penetration testing and biannual vulnerability assessments.
- Employee training. Under the proposed Rule, FIs would be required to provide personnel with security awareness training that is updated to reflect risks identified by the FI’s risk assessment. The proposed Rule would also require that information security personnel be qualified and receive security updates and training sufficient to address relevant security risks.
- Service provider oversight. The proposed Rule would require FIs to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information, and to periodically assess service providers based on the risk they present.
With its proposed Rule, the FTC seeks to avoid being overly prescriptive about security requirements while adding elements that are included in other regulatory regimes and that it believes most FIs with reasonable data security practices should already be following. While recognizing that several cybersecurity frameworks with requirements similar to the proposed Rule already exist, the FTC declined to propose a safe harbor for FIs complying with existing frameworks, such as the NIST Cybersecurity Framework, and is seeking comment on the viability of a safe harbor.
Although the FTC proposes to exempt small businesses from some of the requirements, two of the five Commissioners disagreed with the proposed Rule’s more prescriptive approach. In their dissenting statement to the proposed Rule, the Commissioners note that the current proposal “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”
Proposed Changes to the Privacy Rule
In a separate notice, the FTC is seeking public comment on proposed changes to the Privacy Rule. When the GLBA was enacted in 1999, the FTC was one of several federal regulators with rulemaking authority, and the FTC’s Privacy Rule applied to a broad range of non-bank financial institutions, such as payday lenders, mortgage brokers, check cashers, and debt collectors. The Dodd-Frank Act, enacted in 2010, transferred rulemaking authority under the GLBA’s privacy provisions to the Consumer Financial Protection Bureau (“CFPB”) for most non-bank financial institutions. The FTC retained authority only over certain motor vehicle dealers.
Pursuant to its rulemaking authority, the CFPB enacted its own version of the Privacy Rule, Regulation P, which it amended in 2018 to implement provisions in the Fixing America’s Surface Transportation Act (“FAST Act”), which simplified the delivery of annual GLBA notices. The CFPB’s amended Regulation P provides that FIs that meet certain conditions are exempt from the GLBA requirement to deliver an annual privacy notice.
The FTC’s proposed changes to the Privacy Rule would include (1) technical changes corresponding to the reduced scope of its Privacy Rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities that are incidental to financial activities. The proposed Rule would expand the definition of “financial institutions” to include “finders,” meaning those who charge a fee to connect consumers who are looking for a loan to a lender, which would bring the Rule into accord with the CFPB’s Regulation P.