The Federal Trade Commission (FTC) recently announced updates to the Safeguards Rule to strengthen the data security safeguards that financial institutions must implement to protect their customers’ financial information.
Notably, these Safeguards Rule revisions add meaningful meat to the bone of the old rule, which broadly and simply required financial institutions to develop, implement and maintain a comprehensive information security plan that included appropriate administrative, technical, and physical safeguards. And, while the Safeguards Rule only applies to financial institutions regulated by the FTC, these new details provide helpful guidance to all companies that find the lack of detailed and granular legal security requirements challenging when creating reasonable security programs.
The new details in the Safeguards Rule include:
- Greater specificity on how to develop and implement an information security program;
- A requirement to appoint a single qualified individual to oversee an institution’s data security program and provide periodic reports to the board of directors or governing body about the security program;
- An exemption for financial institutions that collect information from 5,000 or fewer customers from certain requirements, such as the written risk assessment, incident response plan, and annual reporting to the board of directors; and
- An expansion of the definition of “financial institution” to include non-banking institutions, including “finders.”
Notable changes to the Safeguards Rule include:
Data Security Program
The new Safeguards Rule sets forth specific criteria for the required risk assessment and security safeguards. Among other things, financial institutions must: 1) put their risk assessment in writing, 2) implement and periodically review access controls on customer information, 3) encrypt data in transit and at rest, 4) use secure development practices and multi-factor authentication, 5) create a written incident response plan, and 6) perform continuous monitoring or periodic penetration testing and vulnerability assessments.
The Final Rule aims to improve accountability for financial institutions. The Rule requires covered entities to designate a single Qualified Individual to oversee and implement the information security program. The Qualified Individual is to report to the covered entity’s board of directors or equivalent governing body at least annually. This is a departure from previous requirements, which called for oversight but did not specify the designation of a single qualified individual. Ideally, this additional information will give the board better awareness of its institution’s information security program and lead it to allocate more security resources to better protect consumer data.
Expanded Definition of “Financial Institution”
The Final Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. So far, the Board has identified one activity as incidental to financial activity, “acting as a finder.” A “finder” brings together buyers and sellers of a product or service for a transaction the parties themselves negotiate and consummate.