On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.

The FTC announced updates to the Safeguards Rule in October 2021. While many provisions of the updated Rule became operational 30 days after publication in the Federal Register, other sections were due to go into effect on December 9, 2022. Specifically, the provisions affected by the six-month extension include requirements that financial institutions:

  • designate a qualified individual to oversee their information security program;
  • develop a written risk assessment;
  • limit and monitor who can access sensitive customer information;
  • encrypt all sensitive information, train security personnel, develop an incident response plan, periodically assess the security practices of service providers; and
  • implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.