Last week, the Federal Trade Commission issued proposed amendments to its Safeguards Rule and Privacy Rule, both promulgated under the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule, which originally went into effect in 2003, requires that financial institutions develop, implement, and maintain a comprehensive information security program. The Privacy Rule, which originally went into effect in 2000, requires that financial institutions inform customers about their information-sharing practices and allow customers to opt out of information-sharing with certain third parties.
The FTC previously sought comments on the Safeguards Rule in 2016 as a part of a systematic review of its rules and guides. The current proposed amendments incorporate comments that the FTC received in response to the 2016 request.
Among other changes, the FTC is proposing to amend the Safeguards Rule to add more detailed requirements for what should be included in a financial institution’s comprehensive information security program. For example, the proposal would require encryption of all customer data, access controls to prevent unauthorized users from accessing customer information, and multifactor authentication to access customer data.
The FTC is also proposing to require companies to submit periodic reports to their boards of directors regarding compliance with these requirements. Although these requirements may be burdensome for some companies, they represent current best practices and are already embodied in other regulatory frameworks, such as the New York Cybersecurity Regulation and the NIST framework.
The FTC’s proposal would also bring the rules into line with changes Congress made through the Dodd-Frank Act in 2010 and the FAST Act in 2015. These amendments modified GLBA to provide an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers. In August 2018, the CFPB issued rules amending Regulation P (its regulation implementing GLBA) to reflect these changes.
Importantly, the FTC’s proposal would also expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to include companies engaged in activities “incidental to financial activities.” The expansion would include “finders,” or those who charge a fee to connect consumers looking for a loan to a lender. This expansion of scope may be particularly noteworthy for certain readers who may wish to comment on the matter.
Comments are due 60 days after publication in the Federal Register. The proposed rules have not yet been published in the Federal Register, but we anticipate a deadline of mid-May.
Peter Cockrell is an Attorney in McGlinchey Stafford’s Washington, DC office who focuses on consumer financial services compliance and cybersecurity and data privacy.