The compliance deadline for implementation of certain requirements of the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, better known as the “Safeguards Rule,” is June 9, 2023. Here is what you need to know:
What is the Safeguards Rule?
The Safeguards Rule was promulgated under the Gramm-Leach-Bliley Act. Its purpose is to regulate financial institutions to protect the security of customer information.
While the Safeguards Rule took effect in 2003, in October 2021, the FTC amended the Rule to adopt a broad definition of the term “financial institution” and create additional detailed compliance requirements. As amended, the Safeguards Rule requires financial institutions to establish an information security program with appropriate safeguards, among other things.
In November 2022, the FTC extended the compliance deadline for some of these requirements, including the deadline to implement the information security program, to June 9, 2023.
Who is subject to the Safeguards Rule?
The Safeguards Rule applies to financial institutions (defined below) over which the FTC has jurisdiction.
The term “financial institution” captures any business engaged “in an activity that is financial in nature or incidental to” financial activities. The Safeguards Rule outlines 13 examples of financial institutions, including but not limited to tax preparation firms, investment advisers not required to be registered with the SEC, collection agencies, real estate appraisers, mortgage brokers, and certain car dealerships, among others.
The Safeguards Rule does not apply to financial institutions that are subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805, such as certain banks, broker-dealers, and investment advisers registered with the SEC.
How does an entity comply with the Safeguards Rule?
Each financial institution subject to the Safeguards Rule must develop, implement, and maintain a comprehensive written information security program (Program) no later than June 9, 2023. The Program should contain administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue. To satisfy this requirement, each financial institution subject to the Safeguards Rule must:
- Designate a qualified individual to oversee and implement the Program.
- Conduct an initial risk assessment, base the Program on the risk assessment, and perform periodic additional risk assessments—the frequency of which will depend on the needs and resources of the institution.
- Design and implement safeguards to control the risks identified through risk assessment by implementing and periodically reviewing access controls, encrypting customer information, and developing procedures for the secure disposal of customer information, among others.
- Regularly test or monitor the effectiveness of the safeguards.
- Implement policies and procedures to ensure personnel are able to enact the Program, including by training employees and utilizing qualified information security personnel.
- Oversee service providers by selecting and retaining only capable providers, requiring them to implement and maintain appropriate safeguards, and periodically assessing them.
- Update the Program on an ongoing basis.
- Establish a written incident response plan.
- Require the qualified individual to report, in writing, to the financial institution’s board of directors or equivalent governing body.
Consult 16 CFR § 314.4 for a full explanation of the requirements briefly discussed above.
Note for Small Businesses: Certain Program requirements do not apply to financial institutions that maintain customer information for fewer than 5,000 consumers.
This client alert is prepared for the general information of our clients and friends. It should not be regarded as legal advice. Please contact us if you have any questions about your compliance with the Safeguards Rule.