New Cybersecurity Safeguard Rule Issued by FCC featured image

New Cybersecurity Safeguard Rule Issued by FCC

by John DiGiacomo

Partner

Internet Law

The Federal Trade Commission (“FCC”) recently issued its final rule with respect to new cybersecurity protocols. See here. The Rule is called “Standards for Safeguarding Customer Information” and is applicable to financial and related institutions.

The FCC’s amended Safeguard Rule is a very good and useful example of the current standards required by governmental agencies with respect to the security required for protecting consumer personal data and information. Whether your business involves financial transactions or not, it would be wise to proactively compare your current cybersecurity protocols and procedures with those in the FCC’s updated Safeguard Rule. If the comparison discloses significant divergences, it would also be wise to consider implementing new protocols and procedures.

Key features of the updated Safeguard Rule include:

  • Encryption of data when “at rest” (stored) and when used or transferred through BOTH internal networks and over to external networks — in other words, data can be at risk whether moving or not
  • Multi-factor authentication, particularly for external access — currently, two-factor authentication is the standard, but three-factor or more may become the standard
  • Secure and unreconstructable destruction/disposal of data
  • Separation and disaggregation of data sets
  • Higher levels of security for –
    • Data sets that contain the most sensitive data or for data sets that can be combined or reconstructed to reveal the most sensitive data
    • Data or systems that, if breached or compromised, would materially affect business functionality and/or the confidentiality, integrity or availability of sensitive data
  • Delegation to one or more persons — who are specifically qualified –
    • To implement cybersecurity
    • To oversee risk assessments (including written reports)
    • To quickly and effectively respond to risk threats and breaches
    • To begin and complete remediation and recovery efforts
    • To be a “point person” for consumer and governmental inquiries and
    • To provide continual and periodic reporting to corporate governing bodies (like the Board)
  • Preparation of written risk assessment reports with such reports being inputs into the design of subsequent procedures and protocols
  • Continuous monitoring
  • Periodic penetration testing
  • Ongoing vulnerability assessments
  • Appropriate training for personnel at all levels
  • Limiting access
  • Application of appropriate security protocols for third-party service providers
  • Contractual requirements related to said third-party service providers
  • Requiring written incident reports including details on response and recovery

Although not included in the FCC’s updated Safeguard Rule, it should be noted that businesses affected by cybersecurity breaches have many reporting requirements imposed at both the federal and state levels. Most of those breach notification laws require notification when there is an actual breach of computer systems or unauthorized access that results in actual loss or potential loss of data. However, businesses should be aware that notification laws and regulations are being broadened to require notification of more generalized cybersecurity incidents. Given the increasing number of malware and ransomware attacks that have shut down companies, impacted specific industries and caused generalized disruption of the larger economy, legislators and regulators are quickly beginning to focus on cybersecurity as an economic security concern, not just a consumer data privacy issue.

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

Fairness Factors For Your College NIL Agreement

Fairness Factors For Your College NIL Agreement

Corporate

In May 2025, as part of a settlement of litigation involving college football, a new entity was created called the College Sports Commission (“CSC” or “Commission”). See news media reports here and here. Among many other purposes, the CSC will monitor and approve name, image, and likeness (“NIL”) agreements for college athletes. As the term […]

Read more about Fairness Factors For Your College NIL Agreement

Is a “Fanciful” Trademark the Best Type of Trademark?

Is a “Fanciful” Trademark the Best Type of Trademark?

Trademark

Trademarks are words, designs, symbols, logos, and other things that are used/associated with goods or services that identify the specific commercial source of the goods/services. COCA-COLA, APPLE, and GUCCI are just a few famous examples. If COCA-COLA is on the bottle, consumers know what to expect from the beverage in the bottle. The same for […]

Read more about Is a “Fanciful” Trademark the Best Type of Trademark?

Put Revision Legal on your side