The Federal Trade Commission recently amended the Safeguards Rule, 16 C.F.R. § 314.1, et seq., with significant changes to how an information security program should be designed, what it must include, and who needs to be in charge. Some may note the similarity to the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00, et seq.
The Rule is now considerably lengthier, but not all the amendments added anything new or substantive. In this article we will explain which changes look new but are not, which are new and substantial, which do not apply to small businesses, and when certain provisions go into effect.
The Rule was promulgated under the Gramm-Leach-Bliley Act which, in part, requires the FTC to issue rules setting forth standards that financial institutions must implement to safeguard certain information. The Rule applies to customer information held by non-banking financial institutions and “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of [that information].”
The Rule provides this non-inclusive list of entities that are considered financial institutions under the Gramm-Leach-Bliley Act and subject to the rule:
- Mortgage lenders;
- Pay day lenders;
- Finance companies;
- Mortgage brokers;
- Account servicers;
- Check cashers;
- Wire transferors;
- Travel agencies operated in connection with financial services;
- Collection agencies;
- Credit counselors and other financial advisors;
- Tax preparation firms, non-federally insured credit unions;
- Investment advisors that are not required to register with the SEC; and
- Entities acting as finders.
Additionally, in its definitions, the Rule provides more detailed examples of entities considered financial institutions.
The amendments to the Rule became effective Jan. 10, 2022, although some of the most important provisions are not effective until June 9, 2023. The FTC summarized the highlights as providing:
- More guidance on how to develop and implement specific aspects of an overall information security program.
- New provisions to improve the accountability of information security programs.
- Exemptions for financial institutions that collect less customer information.
- Inclusion of entities engaged in activities that are incidental to financial activities.
- New terms and examples.
WHAT’S NOT NEW
Section 314.1 – Purpose and Scope. Although amended subsection (b) appears significantly lengthier, it simply incorporates the definition of “financial institution” from the Privacy Rule, as modified and with examples, “to allow the Rule to be read on its own, without reference to the Privacy Rule.”
Section 314.2 – Eleven Old Definitions. Previously, the Rule had only three defined terms and a general provision explaining that the terms used in the Rule had the same meaning as those defined in the Privacy Rule, 16 C.F.R. § 313.3.
Now, the Rule has 18 defined terms, but the majority have been carried over from the Privacy Rule to “improve clarity and ease of use.” The Rule’s pre-amendment terms and those carried over from the Privacy Rule without substantive change are:
- Customer Information;
- Customer Relationship;
- Financial Product or Service;
- Information System;
- Nonpublic Personal Information;
- Personally Identifiable Financial Information;
- Publicly Available Information;
- Service Provider; and
Section 314.3 – Standards for Safeguarding Customer Information. This section is essentially unchanged.
Section 314.2 – Seven New Definitions. As mentioned above, most of the defined terms are newly added to this section but not new to the Rule because they were previously cross-referenced to their definitions in the Privacy Rule. Following are the seven new terms, and one that has been modified:
- Authorized User: This new term “means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.”
- Encryption: This new term “means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.”
- Financial Institution: This term has been modified to include “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. . .” (emphasis added). It specifically applies to “[a] company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1).”
- Information Security Program: This new term “means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.”
- Multi-Factor Authentication: This new term “means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.”
- Penetration Testing: This new term “means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”
- Security Event: This new term “means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.”
Section 314.5 – Effective Date. This section identifies certain provisions of § 314.4 that are not effective until June 9, 2023, as described below.
Section 314.6 – Exceptions. This “small business” section identifies certain provisions of § 314.4 that “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.” Those provisions are identified below.
Section 314.4 – Elements. This section has been completely overhauled, and now explains with specificity the elements, new and old, that must be included in an information security program. Except where indicated, these elements must be incorporated by June 9, 2023. In summary, the elements checklist includes:
- A single “qualified individual” designated to oversee, implement, and enforce the information security program. Previously, the program could be coordinated by a designated employee or employees.
- An information security program based on a risk assessment. This is a current requirement, as well as the need to periodically perform additional risk assessments. However, effective June 9, 2023, the risk assessment must include, except for small businesses:
- Criteria for the evaluation and categorization of identified security risks or threats;
- Criteria for the assessment of the confidentiality, integrity, and availability of information, including the adequacy of the existing controls in the context of the identified risks or threats; and
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
- Safeguards designed to control identified risks through:
- Access controls, including technical and physical controls, to authenticate and limit access;
- Identification and management of data, personnel, devices, systems, and facilities;
- Encryption of all customer information held or transmitted;
- Secure development practices and security testing for applications used for transmitting, accessing, or storing customer information;
- Multi-factor authentication for any individual accessing any information system;
- Procedures for the secure disposal of customer information no later than two years after the last date the information is used;
- Procedures for change management;
- Policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access, use or tampering.
- Regular testing and monitoring of the safeguards’ effectiveness. This general requirement is currently in effect, but new requirements effective June 9, 2023, and not applicable to small businesses, are:
- Annual penetration testing; and
- Vulnerable assessments.
- Policies and procedures that include:
- Security awareness training;
- Use of qualified information security personnel to manage risks and oversee the program;
- Security training and updates to address risks; and
- Verification that information security personnel maintain current knowledge of changing information security threats and countermeasures.
- Service provider oversight through:
- Selecting service providers capable of maintaining appropriate safeguards, which is a current requirement;
- Requiring the safeguards by contract, which is also a current requirement; and
- Periodically assessing service providers based on the risk they present and the adequacy of their safeguards, effective June 9, 2023.
- A written incident response plan, with seven specific requirements, designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information. This is not required for small businesses.
- A regular written report, prepared at least annually, by the qualified individual to the board of directors that includes the status of, and compliance with the information security program, and any related material matters. This is not required for small businesses.
The elements described in § 314.4 are not new concepts and many entities are already compliant. However, because the elements are now far more specific and detailed than before, we recommend those subject to the Rule compare its elements to those of their own programs to ensure compliance, leaving time for compliance by June 9, 2023. On March 15, join me for a Receivables Management Association International webinar to learn more about the amendments and the steps you need to take now to bring your company into compliance by June 9, 2023.