The FTC’s final rule released last week amending its Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) will require significant changes in data security policies and procedures to be made by non-bank financial institutions covered by the Safeguards Rule. Such institutions include finance companies, mortgage companies and brokers, motor vehicle dealers, small-dollar lenders, and debt collectors.
The amendments were adopted along party lines, with the three Democratic Commissioners (who then included Rohit Chopra before his move to CFPB Director) voting in favor of the amendments and the two Republican Commissioners voting against the amendments (and issuing a joint dissent). As discussed below, the FTC also released last week a Supplemental Notice of Proposed Rulemaking requesting comment on a further amendment to the Safeguards Rule and a final rule amending its Privacy Rule (which implements the GLBA privacy notice requirements for motor vehicle dealers). (These two latter items were approved by a 5-0 vote.)
In this blog post, we provide an overview of the changes to the Safeguards Rule. We will discuss the changes in greater detail and their implications for covered institutions in subsequent blog posts. The final rule is effective 30 days after the date it is published in the Federal Register.
The key changes are:
- Risk assessment and safeguards. The final rule requires a risk assessment to be in writing and adds specific criteria that must be included in an assessment. It also adds (1) requirements for what must be addressed by the safeguards an institution must design and implement to control the risks identified through a risk assessment, and (2) mechanisms intended to ensure the effectiveness of employee training and service provider oversight.
- The final rule requires the designation of a single “Qualified Individual” who is responsible for overseeing and implementing an institution’s information security program and enforcing the program. It also requires the Qualified Individual to provide written reports on the information security program at least annually to the institution’s board of directors or equivalent governing body.
- Small Business Exemption. The final rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors.
- Expanded Definition of “Financial Institution.” The final rule amends the definition of “financial institution” to include entities that are “significantly engaged in activities that are incidental to  financial activities.” This change means that finders will be considered financial institutions covered by the Safeguards Rule.
In a Supplemental Notice of Proposed Rulemaking also released last week, the FTC requests comment on whether the Safeguards Rule should be further amended to require a financial institution that experiences a security event to report the event to the FTC. The proposed amendment would require an institution to report a security event in which the misuse of customer information has occurred or is likely, and at least 1,000 consumers have been affected or reasonably may be affected. Such notice would need to be provided electronically, using a form on the FTC’s website within 30 days of discovery of the event and include certain specified information. Comments on the proposal are due 60 days after the date it is published in the Federal Register.
The third item released last week by the FTC is a final rule amending its Privacy Rule. As a result of changes made to the FTC’s GLBA authority by the Dodd-Frank Act, the Privacy Rule applies only to certain motor vehicle dealers. The 2015 FAST Act amended the GLBA to create an exception to the annual notice requirement if an institution only shares nonpublic personal information under certain GLBA provisions that do not trigger any opt-out rights and the institution’s disclosure policies and practices have not changed from its most recent privacy notice. The final rule amends the Privacy Rule for motor vehicle dealers to reflect the FAST Act exception. The final rule is effective 30 days after the date it is published in the Federal Register.