left-caret

PH Privacy

FTC Proposes to Ramp Up Data Security Obligations on Financial Institutions

March 20, 2019

By Kathryn Harris

Amid amplified calls for a national data privacy standard, the Federal Trade Commission (“FTC”) recently announced proposed amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act (“GLBA”) for financial services—inviting both praise and concern from industry experts.

Background

The GLBA’s Safeguards Rule requires financial institutions to implement a comprehensive security program to protect customer information.

The new FTC proposals track much of the language and logic of New York’s landmark 2017 cybersecurity regulation, confirming the predictions of many that the regulation would be a template for subsequent federal action.  In particular, the proposals ostensibly seek to better protect consumer data and offer more certainty for covered institutions.

Key Proposals

The proposals come after a period of public comment on the Safeguards Rule in 2016.  Five proposals merit special attention.

Incident Response Plan:  First, while most financial institutions likely already have an incident response plan, they would now be required to develop one in writing.  Specifically, institutions would have to address the following areas:

  • the goals of the incident-response plan;

  • the internal processes for responding to a security event;

  • the delineation of clear roles and responsibilities concerning decision-making authority;

  • external and internal communications and information sharing;

  • identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

  • documentation and reporting procedures for security events; and

  • the evaluation and revision of the incident response plan following a security event.

The Commission was careful to emphasize that this proposal is not intended to create any independent reporting or notification requirements, but instead to improve the accountability of financial institutions’ security programs.  

Risk Assessment Program: Second, the proposals add new requirements to institutions’ risk assessment programs, requiring that the programs be supported by written policies and:

  • set forth criteria to evaluate privacy risk such that the assessment is tailored to the sensitivity of the information collected;

  • describe how the financial institution’s information security program will address, mitigate, or accept any identified risks;

  • set forth a schedule to perform periodic risk assessments; and

  • designate a single individual responsible for overseeing and implementing the security program, who reports to the board of directors (or equivalent) the institution’s compliance with the rule.

Additional Security Safeguards: Third—and reflective of an industry-wide focus on access controls, authentication and encryption—the proposals add more detailed requirements that institutions must observe when implementing a comprehensive security program.  Institutions would be obligated to:

  • encrypt all customer information, both in transit and at rest, unless the institution’s chief information security officer determines alternative means are sufficient;

  • implement multi-factor authentication;

  • place access controls on information systems to protect customer information from unauthorized acquisition;

  • maintain audit trails to detect when the system has been compromised; and

  • monitor the effectiveness of these safeguards either by continuous monitoring or periodic penetration testing and vulnerability assessments.

Expanded Definition of “Financial Institution”: Perhaps the most controversial proposal is the expansion of the definition of a “financial institution.”  The Commission proposes bringing within the rule’s regulatory ambit “finder” institutions that are only incidentally involved in financial activities.  An institution acts as a “finder” when it brings together buyers and sellers of services for transactions that the buyers and sellers themselves then negotiate and consummate.

Importantly, although the FTC no longer possesses jurisdiction over most financial institutions for purposes of the GLBA Privacy Rule – with the bulk of that authority transferred to the Consumer Financial Protection Bureau under the Dodd-Frank legislation – the Commission retains its authority under the Safeguards Rule.  Thus, the proposals would apply to all financial institutions within either agency’s GLBA privacy jurisdiction.
Exemptions: Finally, the proposals would exempt small business from certain requirements.  Financial institutions that maintain fewer than five thousand customers would not have to produce a written risk assessment or incident response plan and also would be exempt from vulnerability-assessment testing. The remainder of the amended rule would apply to smaller institutions as they do to larger institutions.

The Dissent

Commissioners Noah Joshua Phillips and Christine S. Wilson, both appointed by President Trump, issued a rare dissent opposing the proposed amendments.  The dissenters argued that the rule already provides sufficient guidance to financial institutions.  They added that the proposal swaps flexibility for a more rigid, one-size-fits-all approach, potentially driving out smaller players or newer entrants.  The commissioners criticized the new proposals’ reliance on the model established by the New York regulation, arguing that the New York rule remains in its nascent stages and that it would be more prudent to wait to assess its impact before emulating it.
Effective Date

If implemented, the effective date of the proposals would be staggered.  Most requirements would be effective immediately, but some—notably, the written risk assessment and the rules for the architecture of the information security program—would not be required until six months after the publication of a final rule.

Interested parties may submit comments on the proposed changes until 60 days after its forthcoming publication in the Federal Register.