Extended safeguard rule applicable to more financial institutions; provides more details on security requirements | Morgan Lewis
The Federal Trade Commission recently finalized a long-discussed update to its cybersecurity Safeguard Rule that includes more specific criteria for what financial institutions should implement as part of their information security programs. Among other key changes, many companies are likely to be affected by an extension of the rule’s scope to include “finders,” which may allow these companies (including FinTech companies) to avoid the current regulatory burden and confusion of state law requirements.
As part of its implementation of the Gramm-Leach-Bliley Act (GLBA), in 2002 the Federal Trade Commission (FTC) issued the Safeguard Rule (the Rule), which requires financial institutions under the jurisdiction of the FTC to take action to keep customer information secure. Until the recent update, the FTC had not changed the rule since its initial enactment. The new rule is the culmination of extensive work by the FTC that began in 2016.
Under the long-standing previous version of the rule, businesses are required to develop a written information security plan that implements administrative, technical and physical safeguards appropriate to their size and complexity, the nature and extent of their business and the sensitivity of the customer information they handle.
The previous iteration also requires companies to assess and address customer information risks in all areas of their operations. In addition, covered companies are required to take steps to ensure that their affiliates and service providers protect customer information in their care. Businesses enjoyed substantial flexibility in compliance under the previous version of the Rule, but at times found the lack of detail frustrating. The FTC has now provided more specific instructions.
WHO IS COVERED BY THE NEW RULE?
Significantly, the definition of “financial institution” under the Rule includes many businesses that do not normally describe themselves in this way. In fact, the Rule applies to all businesses, regardless of size, that are “significantly engaged” in the provision of financial products or services. This includes, for example, check cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal or real estate appraisers, professional tax preparers, and courier services. The rule also applies to businesses such as credit bureaus and ATM operators who receive customer information from other financial institutions.
KEY CHANGES IN THE NEW RULE
The update includes six main changes:
- Adds more specific criteria on the safeguards that financial institutions must implement as part of their information security program, including encryption, penetration testing and multi-factor authentication
- Requires institutions to explain their information sharing practices and security measures in a written risk assessment
- Requires financial institutions to designate a single qualified person to oversee their information security programs and report periodically to the organization’s management
- Expands the definition of “financial institution” to include “finders” – companies that bring together buyers and sellers of a product or service
- Defines several terms and provides related examples within the rule itself rather than incorporating them by reference to the GLBA Privacy Rule
- Exempts financial institutions that maintain customer information for fewer than 5,000 consumers from certain requirements
Additional requirements of the updated Rule (for example, qualified individual appointments, written risk assessments, annual penetration tests and semi-annual vulnerability assessments, periodic assessment of service providers and written incident response plans) will take effect one year after its publication in the Federal Register (making the ultimate compliance date likely to be somewhere in Q4 2022).
Most of these additional elements may not be new to companies that have already developed a strong information security program. As stated by the FTC itself in the preamble to the updated Rule:
The Commission believes that many of the requirements set out in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs comply with the current Safeguard Rule.
Many commentators have already noted that the measures closely follow regulations recently passed by state financial regulators, such as the New York Department of Financial Services cybersecurity regulations and Massachusetts cybersecurity regulations.
At the same time, the FTC released a supplemental notice of proposed regulations seeking comment on whether to make a further change to the rule to require financial institutions to report certain data breaches and other security events to the FTC.
ANALYSIS OF THE WIDER SCOPE OF THE RULE
Given the responsibility to comply with an ever-evolving state privacy legislative landscape, many entities may in fact find it beneficial to be considered a “financial institution” under the Rule in order to be exempt from state laws, which typically provide an exemption for entities or information subject to federal privacy / cybersecurity law.
The update helps matters somewhat by expanding the definition of a financial entity to include entities that are “significantly engaged in activities incidental to financial activity” within the meaning of the Bank Holding Company Act. This change introduces an activity in the definition that was not previously covered: the act of “finding,” defined as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and conclude.” The term “finders” can be read broadly to include a variety of business ventures, including many fintech business models.
The preamble to the updated Rule indicates that there are certain limits on which businesses are considered “finders” under the Rule, namely that only finding services involving consumer transactions will be covered and that the Rule only applies to customer information (consumers with whom a financial institution has an ongoing relationship). However, the addition of “finders” still allows various types of entities to make a convincing case that they are subject to the Rule.
Even with the addition of more prescriptive security requirements, being subject to the Rule can still be a simple way for businesses to avoid wading through the confusing landscape of current state privacy regimes. Additionally, the trend in some state privacy laws, such as the California Consumer Privacy Act (CCPA) and Virginia’s, has been to give consumers various opt-out and request rights that have yet to be enacted under federal law.
As a further example of the extent of state law compared to the rule, the FTC declined to include data “reasonably related” to individuals as “personally identifiable financial information.” This excludes from the scope of the Rule aggregated information or blind data which does not contain personal identifiers such as account numbers, names or addresses, but which could potentially be linked to an individual. This information is included as personal information under the CCPA.
12 CFR 225.86(d)(1).