The Federal Trade Commission recently amended the Safeguards Rule, 16 C.F.R. § 314.1, et seq., with significant changes to how an information security program should be designed, what it must include, and who needs to be in charge. Some may note the similarity to the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00, et seq.
The Rule is now considerably lengthier, but not all the amendments added anything new or substantive. In this article we will explain which changes look new but are not, which are new and substantial, which do not apply to small businesses, and when certain provisions go into effect.
The Rule was promulgated under the Gramm-Leach-Bliley Act which, in part, requires the FTC to issue rules setting forth standards that financial institutions must implement to safeguard certain information. The Rule applies to customer information held by non-banking financial institutions and “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of [that information].”
The Rule provides this non-inclusive list of entities that are considered financial institutions under the Gramm-Leach-Bliley Act and subject to the rule:
The amendments to the Rule became effective Jan. 10, 2022, although some of the most important provisions are not effective until Dec. 9, 2022. The FTC summarized the highlights as providing:
WHAT’S NOT NEW
Section 314.1 – Purpose and Scope. Although amended subsection (b) appears significantly lengthier, it simply incorporates the definition of “financial institution” from the Privacy Rule, as modified and with examples, “to allow the Rule to be read on its own, without reference to the Privacy Rule.”
Section 314.2 – Eleven Old Definitions. Previously, the Rule had only three defined terms and a general provision explaining that the terms used in the Rule had the same meaning as those defined in the Privacy Rule, 16 C.F.R. § 313.3.
Now, the Rule has 18 defined terms, but the majority have been carried over from the Privacy Rule to “improve clarity and ease of use.” The Rule’s pre-amendment terms and those carried over from the Privacy Rule without substantive change are:
Section 314.2 – Seven New Definitions. As mentioned above, most of the defined terms are newly added to this section but not new to the Rule because they were previously cross-referenced to their definitions in the Privacy Rule. Following are the seven new terms, and one that has been modified:
Section 314.6 – Exceptions. This “small business” section identifies certain provisions of § 314.4 that “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.” Those provisions are identified below.
Section 314.4 – Elements. This section has been completely overhauled, and now explains with specificity the elements, new and old, that must be included in an information security program. Except where indicated, these elements must be incorporated by Dec. 9, 2022. In summary, the elements checklist includes:
The elements described in § 314.4 are not new concepts and many entities are already compliant. However, because the elements are now far more specific and detailed than before, we recommend those subject to the Rule compare its elements to those of their own programs to ensure compliance, leaving time for compliance by Dec. 9, 2022.