Last year, the Federal Trade Commission (FTC) amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The comprehensive amendment updated data security requirements for financial institutions, which are broadly defined as institutions significantly engaged in financial activities or significantly engaged in activities incidental to such financial activities. Business entities in many industries can fall under this definition, from lenders, account servicers and financial advisors to retailers, auto dealerships and Title IV institutions of higher education. In response to reports of personnel shortages and supply chain issues, on November 15, 2022, the FTC announced that it had extended the compliance deadline by six months (to June 9, 2023) for provisions of the rule that were originally to become effective on December 9, 2022.
The GLBA is a federal law enforced by the FTC. It governs financial institutions’ use and collection of customer personally identifiable information. The specific cybersecurity requirements of the GLBA are set forth in the Safeguards Rule. The rule requires covered financial institutions to develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information. The rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (16 CFR Part 314)
What Is Included in the Extension?
Covered financial institutions now have a six-month extension to certain provisions of the Safeguards Rule that require the company to:
- Designate a qualified individual to oversee the information security program;
- Develop a written risk assessment;
- Limit and monitor who can access sensitive customer information;
- Encrypt all sensitive information;
- Train security personnel;
- Develop an incident response plan;
- Periodically assess the security practices of service providers; and
- Implement multifactor authentication.
What Is Not Included in the Extension?
The extension only applies to the aspects of the Safeguards Rule that were supposed to go into effect on December 9, 2022. The other portions of the rule that already went into effect on January 10, 2022, have not been extended. This includes the general requirement to have an information security program, conduct a risk assessment (not written), designate a coordinator (not a “qualified individual”), evaluate and adjust the information security program, conduct testing and monitoring, and minimal oversight of service providers (not periodically assessing practices).
What Covered “Financial Institutions” Need to Do
First, take a minute to celebrate that your company gets an extra six months to meet these requirements―but then get back to work. These requirements are not policies and procedures that can be implemented overnight. Considering the shortage of qualified personnel to implement information security programs and the various supply chain issues, covered companies may need every bit of those six months to develop an information security program that meets the rule’s comprehensive requirements. Companies should work with legal counsel and an information security professional to draft or revise a comprehensive cybersecurity program to protect customer information and ensure compliance with the updated Safeguards Rule.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Jessica High, any of the attorneys in our Privacy and Data Protection Group, any of the attorneys in our Banking and Finance Industry Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.