How Financial Institutions Should Prepare for the FTC’s Expanded Safeguards Rule


To respond to the constant threat of cyber-attacks and data breaches, the Federal Trade Commission (“FTC”) has amended one of its key consumer protection rules: the Standards for Safeguarding Customer Information (the “Safeguards Rule”), 16 C.F.R. § 314. This is the first time the Safeguards Rule has been amended since it was enacted in 2003 to fulfill the FTC’s mandate under the Gramm-Leach-Bliley Act (“GLBA”) to create rules for the processing and protection of personal information. The new Safeguards Rule updates cybersecurity requirements and expands the scope of protectable consumer information for nonbanking financial institutions. The deadline for compliance is June 9, 2023. Here are the top five things financial institutions need to know to understand and comply with the FTC’s new rule.

  1. Who does the Safeguards Rule apply to?

The amended Safeguards Rule, like its predecessor, applies to any entity that is a “financial institution,” as defined in 12 U.S.C. § 1843(k) and 12 C.F.R. §§ 225.28 and 225.86, is subject to regulation by the FTC, and engages in transactions with consumers for “personal, family, or household purposes.” This includes any entity engaged in an activity that is “financial in nature” or is “incidental to such financial activities” that are not otherwise subject to another regulatory authority. Examples of covered entities include:

  • Mortgage lenders and brokers;
  • Pay-day lenders;
  • Finance companies;
  • Wire transferors and check cashers;
  • Collection agencies;
  • Retailers who offer consumer credit cards;
  • Car dealerships that lease cars for terms longer than 90 days;
  • Real estate or personal property appraisers;
  • Accountants and tax preparation professionals;
  • Companies that provide real estate settlement services;
  • Investment advisors that are not required to register with the Securities and Exchange Commission (“SEC”);
  • Credit counseling companies; and
  • Colleges, universities, and third-party services that handle student financial aid information.

Simply accepting payment in the form of cash, checks, or credit cards is not enough to transform a business into a “financial institution.” The Safeguards Rule does not apply to entities that only occasionally engage in financial activities. For example, a retailer who offers credit only in the form of “lay away” or deferred payment plans, or allows customers to “run a tab,” is not considered a “financial institution” subject to the Safeguards Rule.

There are a number of types of “financial institutions” that are not subject to regulation by the FTC and, therefore, are not covered by the FTC’s Safeguards Rule, such as banks, insurance companies, federally insured credit unions, and broker-dealers and investment companies registered with the SEC. These entities are subject to the enforcement authority of other regulators such as the SEC and the Federal Deposit Insurance Corporation.

  2. What information is protected by the Safeguards Rule?

The amended Safeguards Rule significantly expands the scope of protectable consumer information. While it is obvious that organizations must protect consumer information they specifically solicit in credit card or loan applications, some of the new categories in the amended rule are less obvious. For example, financial institutions must proactively protect any information collected through the use of “cookies” on their websites. Similarly, any information the financial institution obtains as a result of consummating a transaction with a consumer—even if that information was incidental to the transaction and not specifically solicited—requires protection. Likewise, any nonpublic personal information—such as a financial institution’s client lists and related identifying information—must be protected. Notably, aggregated anonymized information that does not identify a consumer or contain personal identifiers does not require protection.

  3. What is an Information Security Program?

The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program (“ISP”). The ISP must include administrative, technical, and physical safeguards designed both to ensure the security and confidentiality of consumer information and to protect that information from anticipated threats and unauthorized access that could result in substantial harm to consumers. An administrative safeguard might be limiting employee access to certain information based on their role within the company. A physical safeguard might be requiring multi-factor authentication for accessing the institution’s information systems. A technical safeguard might include encrypting sensitive information. The safeguards must be appropriate to the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the customer information that the organization typically handles. In other words, the ISP a tax advisor must develop may be different from the ISP a travel agency or real estate appraiser uses.

While the existing Safeguards Rule requires an ISP, the amended Rule contains more detailed requirements relating to the development and establishment of the ISP.

Under the amended Safeguards Rule, the ISP must be based on a written risk assessment that identifies reasonably foreseeable internal and external risks using concrete and specific criteria and evaluation measures, and that assesses the sufficiency of the existing safeguards in place to control those risks. Pursuant to the ISP, the financial institution must implement policies and procedures that ensure its personnel are able to enact the ISP. The Safeguards Rule proposes two primary ways to accomplish this: (1) providing cybersecurity awareness training for all authorized users, which includes any employee, contractor, agent, customer, or other person authorized to access any of the institution’s information systems or data; and (2) employing qualified information security personnel and providing them with training opportunities to address relevant and emerging security risks. Additionally, the ISP must provide some mechanism for periodically assessing the security practices of the institution’s service providers, who may come into contact with customer information or may even be considered “authorized users” with access to the institution’s information systems.

For larger institutions—those with 5,000 or more customers—the ISP must include a monitoring and testing component. Specifically, the amended Safeguards Rule calls for continuous monitoring or periodic penetration testing and vulnerability assessments, including system-wide scans every six months designed to test for publicly known security vulnerabilities. Whenever there is a change in the information system—adding a new server or changing the software programs that store and manage customer information—the institution must conduct additional penetration testing and vulnerability assessments.

Finally, the ISP must also include a written incident response plan designed to promptly respond to and recover from any security event that materially affects the confidentiality, integrity, or availability of customer information in the financial institution’s control.

  4. How do I manage and enforce the ISP?

The amended Safeguards Rule requires financial institutions to designate a qualified person (“Qualified Person”) to oversee the ISP. The Qualified Person may be an employee, an employee of an affiliate organization, or an independent third-party service provider. Notably, however, any financial institution that chooses to outsource the management and enforcement of its ISP to an affiliate or service provider must designate a senior member of the organization to direct and oversee the Qualified Person and cannot avoid liability for non-compliance based on the fact that it outsourced this work. The financial institution must retain responsibility for compliance.

  5. What is the deadline for compliance with the expanded Safeguards Rule?

The expanded Safeguards Rule takes effect on Friday, June 9, 2023. Financial institutions must be in compliance on that date. If you have any concerns about whether you are compliant or if you need additional assistance, Hinckley Allen attorneys are experts in the area of cybersecurity and regulatory compliance and are happy to work with you to navigate the process.

Next Steps:

In sum, before June 9, 2023 arrives, financial institutions must take the following steps to comply with the amended Safeguards Rule:

  • Designate a “Qualified Person” to manage and enforce the Information Security Program;
  • Develop a written risk assessment;
  • Develop an incident response plan that addresses what you learn during the risk assessment;
  • Limit and monitor who can access sensitive customer information;
  • Encrypt all sensitive information;
  • Implement multi-factor authentication;
  • Train security personnel;
  • Train employees in cybersecurity awareness;
  • Periodically assess the security practices of service providers.

Unsurprisingly, the FTC itself put it best: “The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.”

The new Safeguards Rule is far more prescriptive than the old rule and requires a more detailed security program that identifies, evaluates, and addresses risks across the entire organization. Please contact a member of Hinckley Allen’s Cybersecurity, Privacy, and Data Protection group if you have any questions about how this updated rule may impact your organization and your organization’s information security program.