In October of last year, in an effort to strengthen data security measures, the Federal Trade Commission (“FTC”) announced that there were plans to implement important updates in an effort to rejuvenate and modernize what is known as the Standards for Safeguarding Customer Information (‘‘Safeguards Rule’’). The Safeguards Rule provides a guideline for businesses to have information security processes in practice to prevent consumer harm and promote good business practices and healthy competition in the marketplace. This anticipated change was initiated and implemented due to the dramatically increased infiltration of virtual networks in so many aspects of everyday business and personal life, demanding increased security in the realm of information security. This, along with a drastic uptick in data breach incidents and large-scale cybersecurity threats and attacks, spurred the FTC to announce these imminent changes. As a result, effective January 10, 2022, the FTC issued a final rule (‘‘Final Rule’’) to amend the Standards for Safeguarding Customer Information (‘‘Safeguards Rule’’). The recent changes were published in early December 2021 by the FTC and passed with a 3-2 vote.
Overall, the Final Rule maintains the roadmap originally outlined in the 2019 adaption of the same with notable amendments and clarifications as summarized below.
The Final Rule guidelines contain five main modifications from the existing Rule.
- Provides more detailed guidance on how to develop and implement specific aspects of an overall information security program, including access controls, authentication, and encryption. Risk Assessment requirements are clarified as well as employee training criteria.
- Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies to increase awareness and involvement of senior management roles.
- It exempts financial institutions that collect data from 5.000 customers or less from certain requirements.
- It expands the definition of ‘‘financial institution’’ to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds ‘‘finders’’— companies that bring together buyers and sellers of a product or service within the scope of the Rule.
- Defines several terms and provides related examples in the Rule itself to provide an ease of reference, rather than invoke the need to the separate Privacy of Consumer Financial Information Rule (‘‘Privacy Rule’’).
As the Final Rule was implemented on January 10, 2022, now is the time to take action – your qualifying financial institution should ensure your organization has a satisfactorily documented consumer information security process in place.
This is where Elevate can help! We can do the legwork for you. Elevate is already familiar with GBLA and the Safeguard and Final Rules, and can assist in evaluating your company’s current information security system, perform a Risk Assessment, then advise on areas that need improvement, and provide a plan of action.