FTC Extends Deadline for Revised Safeguards Rule Compliance to June 9, 2023
- The Federal Trade Commission (FTC) has granted an additional six months for financial institutions to comply with most of the provisions outlined in the new Safeguards Rule.
- The Safeguards Rule, which implements a section of the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to develop, implement, and maintain a comprehensive information security program.
- In October 2021, the Federal Trade Commission (FTC) made significant changes to the Safeguards Rule, which now mandates financial institutions to implement specific technical and administrative safeguards.
- The FTC has recognized that certain financial institutions, particularly smaller ones, may face difficulties meeting the new Safeguards Rule’s new requirements by the original deadline.
- The FTC has provided an extension for these institutions, allowing them additional time to comply fully.
The Federal Trade Commission (FTC) has decided to grant an additional six months for financial institutions to comply with most of the provisions outlined in the new Safeguards Rule. The rule, which implements a section of the Gramm-Leach-Bliley Act (GLBA), now has a compliance deadline of June 9, 2023, for all covered institutions. This extension was announced in November 2022.
The GLBA, enacted in 1999, establishes various standards and requirements for financial institutions to protect consumer information. The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. In October 2021, the Federal Trade Commission (FTC) made significant changes to the Safeguards Rule, which now mandates financial institutions to implement specific technical and administrative safeguards.
While many requirements went into effect on January 10, 2022, the majority of the requirements were set to take effect on December 9, 2022. The extension of the deadline for compliance reflects the FTC’s understanding that financial institutions need more time to comply with the rule’s requirements.
Extended Deadline for Compliance: A Look at the Safeguards Rule Provisions
The Federal Trade Commission’s (FTC) latest revisions to the Safeguards Rule marks a significant departure from previous regulations issued by federal financial regulators. The new rule establishes a new benchmark for financial institutions to safeguard consumer financial data and sensitive information by introducing specific standards for the safeguards they must implement. One of the critical provisions of this updated rule is that it requires financial institutions to implement multifactor authentication for those with access to networks holding customer information.
This updated regulation represents a progression in data security regulations at the federal level, as previous regulations only offered general guidance to financial institutions. The new Safeguards Rule aims to provide more clarity and direction on the specific actions that financial institutions must take to safeguard consumer financial information. The new Safeguards Rule issued by the Federal Trade Commission (FTC) brings several new requirements for financial institutions to protect consumer financial data and sensitive information. These include:
- Implementing multifactor authentication for individuals accessing networks that contain customer information.
- Utilizing encryption for customer information during transit and when it’s at rest and allowing for alternative security measures if encryption is unfeasible.
- The appointment of a qualified individual responsible for the institution’s information security program.
- Submitting written reports to boards of directors or governing bodies on the institution’s information security program, similar to the SEC’s 2018 guidance on public company cybersecurity disclosures.
- Having procedures in place for the secure disposal of customer information and logging and monitoring of unauthorized access or use of customer information.
- Keep a close eye on third-party service providers to ensure they are taking appropriate measures to safeguard consumer financial information.
- Regularly evaluating and addressing potential security risks through written risk assessments and implemented safeguards.
- Conducting annual penetration testing and bi-annual assessments of vulnerabilities in information systems.
The Federal Trade Commission (FTC) recognized that certain financial institutions, particularly smaller ones, may face difficulties in meeting the new requirements of the Safeguards Rule by the original deadline. In light of this, the FTC granted the extension for all institutions to implement the necessary actions to comply with the rule. Financial institutions should review the new Safeguards Rule and consult with legal and compliance professionals to ensure they are aware of the specific requirements that apply to them and to ensure they are compliant with the rule by the new extended deadline.
Who Does the Safeguards Rule Affect?
The Safeguards Rule applies to a wide range of financial institutions that may not immediately be recognized as such. These include non-bank lenders, retail stores offering credit to customers, and colleges and universities administering certain federal student aid programs. Companies falling into these categories must comply with the regulations set out in the Safeguards Rule to protect consumer data and financial information.
These measures include implementing physical, electronic, and procedural safeguards such as regular staff training on security protocols, firewalls, and encryption. Companies must also have procedures to investigate and respond to any security breaches or suspected breaches. Financial institutions can protect customer information and maintain compliance with the Safeguards Rule by ensuring that these measures are followed.
Is My Business Considered a Financial Institution Subject to the Safeguards Rule?
The updated GLBA rule applies to any organization within the financial institution definition. The FTC has indicated that financial institutions include any businesses engaged in transactions involving personal financial information, such as payment processing services, credit card issuing, and merchant banking. Examples of these types of organizations might include but are not limited to:
- Credit unions
- A CPA or a tax preparation firm
- Mortgage brokers
- Check cashing institutions
- Collection agencies that handle consumer accounts
- Investment advisors or brokers
- Automobile dealerships
- Higher education institutions
- Payday lenders
Not all organizations will have to comply with the Safeguards Rule. Financial Institutions collecting information on less than 5,000 consumers are exempt from the requirements of written risk assessment, incident response plan, and annual reporting to the board under the new Safeguards Rule.
How Will the Safeguards Rule Be Enforced?
The FTC expects the Safeguards Rule to be enforced in two distinct ways.
- Heightened accountability: Institutions are expected to provide an annual report to their governing body detailing the state of their information security program. This ensures that the program is well-resourced and appropriately maintained.
- Enforcement action reviews: All aspects of the information security program are subject to review. Ultimately, the FTC expects institutions to understand their information security responsibilities and act accordingly.
These two enforcement mechanisms ensure that financial institutions are held accountable and appropriately manage their information security programs. The FTC is committed to upholding the Safeguards Rule and providing a safe digital environment for consumers.
The newly expanded definition of a financial institution in the updated Gramm-Leach-Bliley Act brings new requirements for a larger subset of businesses. These entities must enhance their cybersecurity measures to comply with the extended deadline. The positive aspect of this update is that it aligns with current technological developments, the evolving threat landscape, and other cybersecurity regulations. The combined regulations now apply to more businesses, promoting information security maturity across a wider range of industries.
As the deadline for compliance approaches, all organizations should actively explore options to meet the requirements. To ensure compliance with the GLBA, you can assess your readiness through various methods, such as using your internal staff, working with a trusted partner, or a combination of both, where you hire a vendor while utilizing your internal staff’s expertise and knowledge. It is important to start the process as soon as possible to ensure compliance by the June 9, 2023, deadline.