
USA: FTC publishes long-awaited updates to Safeguards Rule

The Federal Trade Commission ('FTC') announced, on 27 October 2021, that it had finalised its updates to amend the Standards for Safeguarding Customer Information ('the Safeguards Rule').


Introduction

Notably, the final publication of the updated Safeguards Rule ('the Final Rule') is the culmination of five years of work which began in 2016, when the FTC undertook a systematic review of all its rules and guides (a process that occurs every ten years). The subject of the initial comment period included, among other questions, the economic impact and benefits of the Safeguards Rule; possible conflict between the Safeguards Rule and state, local, or other federal laws or regulations; and the effect of technological, economic, or other industry changes on the Safeguards Rule. As such, the Final Rule contains five main modifications, including:

  • adding provisions designed to provide covered financial institutions with additional guidance on the development and implementation of aspects of information security programs;
  • adding provisions to improve the accountability of financial institutions' information security programs;
  • exempting financial institutions that collect less customer information from certain requirements;
  • expanding the definition of 'financial institution' to include entities engaged in activities incidental to financial activities; and
  • defining several other terms.

Scope

The personal scope of the Final Rule expands the definition of 'financial institution' which was previously applicable pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999 ('GLBA'). In particular, the Final Rule includes 'finders', which are companies that bring together buyers and sellers of a product or service and which often collect and maintain sensitive consumer financial information. Further to this, the Final Rule now covers activities incidental to financial activities, which the Federal Reserve Board has clarified to include activities such as identifying potential parties, making inquiries as to their interest, introducing and referring potential parties to each other, arranging contacts between and meetings of interested parties, and conveying between interested parties expressions of interest, bids, offers, orders, and confirmations relating to a transaction. This addition was intended to align the Final Rule more closely with the language of the GLBA.

Increased requirements

The previous requirements set out in the Safeguards Rule were already expansive, and the Final Rule builds upon the principles already set out by outlining more detailed requirements for how financial institutions should develop and establish their information security programs. As such, the Final Rule sets out clearer requirements for employee awareness and training, risk assessments, and accountability.

Further to this, the Final Rule stipulates that financial institutions must implement policies and procedures to ensure that employees are able to effectively implement the information security program, including:

  • providing personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
  • utilising qualified information security personnel sufficient to manage information security risks and to perform or oversee the information security program;
  • providing information security personnel with security updates and training sufficient to address relevant security risks; and
  • verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.

In addition, the Final Rule outlines that the risk assessment must be written and include:

  • criteria for the evaluation and categorisation of identified security risks or threats faced;
  • criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and
  • requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

Accountability

A major aspect of the changes in the Final Rule sets out metrics for how financial institutions' information security programs can remain accountable. In this regard, the Final Rule establishes that each financial institution must designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. Furthermore, financial institutions must base their information security programs on detailed risk assessments that address the risks to the security, confidentiality, and integrity of customer information that could result in the unauthorised disclosure, misuse, alteration, destruction, or other compromise of such information. The Final Rule also requires regular monitoring and auditing of the program, with reporting to the board of directors or governing body, in order to measure program maturity and effectiveness.

Conclusion

As part of the announcement of the Final Rule, and at the time of publication of this article, the FTC also noted that it will soon publish a notice of proposed rulemaking in which the FTC is soliciting comments regarding data security incident reporting, which would further amend the Safeguards Rule. More specifically, the notice of proposed rulemaking would require financial institutions to report to the FTC any security event where the financial institution has determined that misuse of customer information has occurred or is reasonably likely, and that at least 1,000 customers have been affected or reasonably may be affected. It is clear that, with this proposal and the publication of the Final Rule, privacy and data security continue to be a critical regulatory priority of the FTC. Covered entities must be mindful of these important changes.

Edidiong Udoh Privacy Analyst