This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: My company is a financial institution subject to the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act, and we have an information security program that conforms to the Safeguards Rule that has been in effect for almost two decades. What do we need to add to our program to comply with the revised Safeguards Rule, and how much time do we have to add it?
Answer: On October 27, 2021, the Federal Trade Commission (FTC) voted 3-2 to finalize a significant revision of the Standards for Safeguarding Customer Information (“Safeguards Rule”) under the Gramm-Leach-Bliley Act (GLBA), adopting amendments that will require financial institutions to implement specific security practices to protect consumer financial information as part of their information security programs.
While the Safeguards Rule previously required financial institutions to implement a general written information security program, the revised rule specifies what measures must be featured as part of the program. The following key measures are likely to be required by Q4 of 2022, or within one year of the revised rule’s publication in the Federal Register (whereas the rule itself and remaining requirements will become effective within 30 days after publication):
These measures closely track those in the 2017 New York Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which similarly require covered financial institutions to implement specific cybersecurity controls, such as encryption of data in transit and at rest as well as multifactor authentication, and the appointment of a Chief Information Security Officer responsible for the information security program.
The following will become effective 30 days after publication of the revised rule:
The FTC also voted unanimously to publish a Supplemental Notice of Proposed Rulemaking in the Federal Register, which, if adopted, would require financial institutions to report to the FTC within 30 days of the discovery of any security event that resulted or would be reasonably likely to result in the misuse of customer information, and during the course of which at least 1,000 consumers have been affected or are reasonably likely to be affected. The public will have 60 days after publication to submit comments.