The Federal Trade Commission (“FTC”) recently issued its final rule with respect to new cybersecurity protocols. The Rule is called “Standards for Safeguarding Customer Information” and is applicable to financial and related institutions.
The FTC’s amended Safeguards Rule is a very good and useful example of the current standards required by governmental agencies with respect to the security required for protecting consumer personal data and information. Whether your business involves financial transactions or not, it would be wise to proactively compare your current cybersecurity protocols and procedures with those in the FTC’s updated Safeguards Rule. If the comparison discloses significant divergences, it would also be wise to consider implementing new protocols and procedures.
Key features of the updated Safeguard Rule include:
- Encryption of data when “at rest” (stored) and when used or transferred, both within internal networks and over external networks; in other words, data can be at risk whether moving or not
- Multi-factor authentication, particularly for external access; currently, two-factor authentication is the standard, but three-factor or more may become the standard
- Secure and unreconstructable destruction/disposal of data
- Separation and disaggregation of data sets
- Higher levels of security for:
  - Data sets that contain the most sensitive data, or data sets that can be combined or reconstructed to reveal the most sensitive data
  - Data or systems that, if breached or compromised, would materially affect business functionality and/or the confidentiality, integrity or availability of sensitive data
- Delegation to one or more specifically qualified persons:
  - To implement cybersecurity
  - To oversee risk assessments (including written reports)
  - To quickly and effectively respond to risk threats and breaches
  - To begin and complete remediation and recovery efforts
  - To be a “point person” for consumer and governmental inquiries
  - To provide continual and periodic reporting to corporate governing bodies (like the Board)
- Preparation of written risk assessment reports, with such reports being inputs into the design of subsequent procedures and protocols
- Continuous monitoring
- Periodic penetration testing
- Ongoing vulnerability assessments
- Appropriate training for personnel at all levels
- Limiting access
- Application of appropriate security protocols for third-party service providers
Who Must Comply: The Rule’s Scope
The FTC’s amended Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 et seq., applies to “financial institutions” — a term the FTC defines broadly in the rule to include any non-bank business that is significantly engaged in financial activities. Covered entities include mortgage brokers, auto dealerships that arrange financing, payday lenders, tax preparers, accountants who file tax returns, investment advisors not registered with the SEC, and retailers that issue their own credit cards. The 2023 amendments expanded the scope of covered activities and added significant new substantive requirements. Small financial institutions with fewer than 5,000 customer records are exempt from some provisions, but the core requirements — a written information security program, a qualified individual responsible for overseeing it, and reporting to the board — apply to essentially all covered entities regardless of size.
The Written Information Security Program: Core Requirements
The centerpiece of the Safeguards Rule is the requirement for a comprehensive written information security program (WISP) that is designed to protect the security, confidentiality, and integrity of customer information. The program must be based on a risk assessment that identifies reasonably foreseeable threats to the security of customer information and evaluates the likelihood and potential damage of those threats. The program must then include safeguards to control the identified risks, including the specific technical measures listed in the rule.
The WISP must be implemented, maintained, and regularly tested and updated. The rule requires annual review of the program and requires that the program be adjusted to reflect the results of testing, changes in operations, new threats identified, and changes in applicable legal requirements. Documentation of the review and the changes made is essential — if the FTC investigates a data breach, the absence of documentation of a functioning WISP is itself evidence of a rule violation.
The Qualified Individual Requirement
The amended rule requires that covered financial institutions designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. Importantly, this individual need not be an employee — the rule allows the qualified individual role to be outsourced to a service provider, as long as the covered institution retains ultimate responsibility and the service provider is subject to a written contract specifying the scope of services. The qualified individual must report in writing to the board of directors or equivalent governing body at least annually, providing a description of the overall status of the information security program and the institution’s compliance with the rule. This reporting requirement is significant: it creates a documented record of whether the board was advised of the cybersecurity program and its limitations, which becomes relevant in litigation following a breach.
Breach Notification Requirements
The 2023 amendments to the Safeguards Rule added a new breach notification requirement. Covered financial institutions must notify the FTC within 30 days of discovering a security event involving unencrypted customer information affecting 500 or more customers. The notification must identify the institution, describe the nature of the event, the number and categories of affected customers, and the steps taken to mitigate harm. The FTC then publishes these notifications on its website, creating a public record. In addition to FTC notification, affected businesses must comply with applicable state data breach notification laws, which typically impose shorter notification deadlines to affected individuals and state attorneys general.
Consequences of Non-Compliance
The FTC enforces the Safeguards Rule through civil penalty actions. The FTC Act authorizes civil penalties of up to $51,744 per day per violation for rule violations. Following a data breach, the FTC can investigate whether the institution had a compliant WISP, whether the qualified individual requirement was met, and whether required safeguards were in place. Significant settlements — including against major financial institutions — have included requirements to implement comprehensive security programs, engage third-party assessors, and report compliance to the FTC for extended periods. Beyond FTC enforcement, non-compliant institutions face private litigation risk from affected customers under state consumer protection statutes and from class action plaintiffs alleging negligence in the handling of their personal financial information.
Contact Revision Legal
Revision Legal advises financial institutions and businesses on cybersecurity compliance, data breach response, and regulatory investigations. If you need to evaluate your compliance with the FTC Safeguards Rule or have experienced a data breach, contact us today.