MICHAEL NEWELL—The Federal Trade Commission (“FTC” or “Commission”), created by congressional statute, is empowered to prescribe rules that define with specificity acts or practices in or affecting commerce that are unfair or deceptive and establish requirements designed to prevent such acts or practices. In October 2021, the FTC issued a final rule to amend the Standards for Safeguarding Customer Information (“Safeguards Rule”), which set forth standards for financial institutions to develop, implement, and maintain safeguards to protect customer information.
The revised Safeguards Rule gives financial institutions more guidance on how to develop and implement security programs and requires periodic reports of compliance and risk assessment to boards of directors or governing bodies to improve accountability of financial institutions’ security programs. Additionally, it expands the definition of a “financial institution” to include entities engaged in activities “incidental” to financial activities and relocates examples and definitions from another rule.
According to the revised rule, firms that offer “finder services,” or services that “bring[] together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate,” now qualify as financial institutions because “acting as a finder is financial in nature or incidental to a financial activity.” Businesses whose services facilitate financial operations on behalf of financial institutions members may also fall under the broader definition of “financial institution,” even if they previously did not.
To protect customer information, the revised Safeguards Rule also requires companies to develop a written information security plan that describes their program. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
The FTC recommends that firms designated as financial institutions take the following five steps to stay in compliance with the new rule:
designate one or more employees to coordinate its information security program;
identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
design and implement a safeguards program, and regularly monitor and test it;
select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
The rulemaking process engendered both support and criticism from different stakeholders. In general, consumer advocacy groups, academics, and security experts supported the amendments because the changes will improve the data security of institutions that hold customers’ information, protecting consumers. The National Consumer Law Center and others, on behalf of its low-income clients, agreed that the new rule’s provisions requiring financial institutions to adopt procedures for change management and encryption address the inadequate security measures that led to the Equifax data breach in 2017. And the Technology Policy Clinic at Princeton’s Center for Information Technology supported the rule’s requirement to adopt access controls, which, if used effectively, can prevent unauthenticated access to consumer financial information on the internet.
FTC Commissioners Noah Joshua Phillips and Christine S. Wilson voted against amending the Safeguards Rule. They offered a joint statement suggesting that imposing more demanding requirements for every firm and in every situation were not warranted in light of the FTC workshop’s failure to find evidence of market failures or systemic problems with the rule as it existed. The dissenting Commissioners also suggested the amendments are premature because New York’s cybersecurity rules, upon which the revised Safeguards Rule was largely based, had not yet been monitored for their efficacy, costs, and unintended consequences. The U.S. Chamber of Commerce argued in a public comment that the expanded regulation would impose higher costs of compliance and result in reduced competition due to the inability of small firms to absorb increased costs. Critics also expressed concerns that the revised rule will encourage a “checklist” approach to compliance, undermining the past risk-based framework that required companies to adopt the safeguard controls most appropriate to their own, individual risks.
But it remains to be seen whether the critics’ concerns become realized in practice. For example, financial institutions that maintain customer information for less than 5,000 customers are exempt from certain requirements related to conducting written risk assessments, developing incident response plans, and presenting annual reports. These exemptions help mitigate the financial burden on smaller businesses. Also, the FTC maintains that the Safeguards Rule “strike[s] the right balance between specificity and flexibility” by only providing a “high-level list of criteria the risk assessment must address.” By leaving financial institutions “free to perform the risk assessment using the method most suitable for their organization,” even businesses that do not qualify for the exemption can perform the required risk assessment in a cost-effective way.
The rule largely became effective on January 10, 2022, and covered financial institutions must comply with the key provisions of the rule by December 9, 2022, or risk facing enforcement action by the FTC. Law firms and IT advisory firms are already gearing up to help organizations comply.