
New Cybersecurity Safeguards Rule Issued by FTC

by John DiGiacomo

Partner

Internet Law

The Federal Trade Commission (“FTC”) recently issued its final rule amending its cybersecurity requirements for financial institutions. See here. The rule, titled “Standards for Safeguarding Customer Information” and commonly called the Safeguards Rule (16 CFR Part 314), applies to financial institutions under the FTC’s jurisdiction and to related businesses that handle customer financial information.

The FTC’s amended Safeguards Rule is a useful benchmark for the level of security that governmental agencies now expect when consumer personal data is protected. Whether or not your business handles financial transactions, it would be wise to compare your current cybersecurity controls and procedures against the updated Safeguards Rule. If the comparison shows significant gaps, it would also be wise to consider implementing new controls and procedures.

Key features of the updated Safeguards Rule include:

  • Encryption of customer information both “at rest” (stored) and in transit over external networks; in other words, data is at risk whether it is moving or not. Where encryption is infeasible, the rule allows the Qualified Individual (see below) to approve equivalent compensating controls in writing.
  • Multi-factor authentication for any individual accessing any information system that holds customer information, not only for remote or external access. Two-factor authentication is the current baseline; stronger combinations of factors may become the norm over time.
  • Secure disposal of customer information so that it cannot be reconstructed, and no later than two years after its last use for the product or service to which it relates, unless retention is required by law or for legitimate business purposes.
  • Separation and disaggregation of data sets, supported by an inventory of where customer information is collected, stored and transmitted.
  • Higher levels of security for:
    • Data sets that contain the most sensitive data, or that can be combined or reconstructed to reveal the most sensitive data.
    • Data or systems whose breach or compromise would materially affect business functionality or the confidentiality, integrity or availability of sensitive data.
  • Designation of a “Qualified Individual” (one or more persons with appropriate qualifications, who may be an employee, an affiliate’s employee or a service provider’s employee) responsible for:
    • Implementing and overseeing the information security program.
    • Overseeing risk assessments, including written reports.
    • Responding quickly and effectively to threats and breaches.
    • Beginning and completing remediation and recovery efforts.
    • Serving as the point of contact for consumer and governmental inquiries.
    • Reporting in writing, regularly and at least annually, to the board of directors or an equivalent governing body.
  • Written risk assessments, with each assessment serving as an input to the design of the safeguards and procedures that follow it.
  • Regular testing of the effectiveness of the safeguards, by either continuous monitoring or periodic testing. If continuous monitoring is not in place, the rule requires annual penetration testing plus vulnerability assessments at least every six months and whenever there are material changes to operations.
  • Security awareness training for personnel at all levels, kept current as identified risks change.
  • Access controls that limit access to customer information to authorized users, and to only the information each user needs.
  • Oversight of third-party service providers, including selecting providers capable of maintaining appropriate safeguards and periodically assessing them.
  • Contractual requirements obligating those service providers to implement and maintain such safeguards.
  • A written incident response plan that spells out roles and responsibilities, response and recovery steps, and documentation and reporting of incidents.

Although breach notification was not part of the FTC’s updated Safeguards Rule, businesses affected by cybersecurity breaches face many reporting requirements at both the federal and state levels. Most breach notification laws are triggered by an actual breach of computer systems or by unauthorized access that results in the actual or potential loss of data. Businesses should be aware, however, that notification laws and regulations are being broadened to cover more general cybersecurity incidents. Given the growing number of malware and ransomware attacks that have shut down companies, hit specific industries and disrupted the larger economy, legislators and regulators are increasingly treating cybersecurity as an economic security concern, not just a consumer data privacy issue.

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.
