In late 2021, the Federal Trade Commission amended the Gramm-Leach-Bliley Act’s Safeguards Rule, enhancing the information security program (ISP) requirements that non-bank financial institutions must implement to protect their customers’ personal information.
The Rule applies to financial institutions that are subject to the FTC’s jurisdiction and not regulated by another regulator, such as auto dealers, collection agencies, and payday lenders. Covered businesses must implement and maintain a written, comprehensive ISP that contains safeguards to protect customer information. Further, they must appoint an employee, affiliate, or service provider as a “Qualified Individual” to oversee and implement the ISP. At least annually, the Qualified Individual must submit a written report to the business’s governing body, such as a board of directors, detailing the status of the ISP, including compliance with the Rule.
Highlights of ISP requirements under the revised Rule include:
- Businesses must base their ISP on a risk assessment that identifies reasonably foreseeable risks to the security, confidentiality, and integrity of customer information. The risk assessment must be periodically updated to reexamine safeguards and threats.
- The ISP must mandate technical controls, including multi-factor authentication, to authenticate and permit authorized users to access only the customer information actually needed to perform a business function.
- All customer information must be encrypted, whether it is held at rest or transmitted in transit over external networks.
- The ISP must contain procedures for the secure disposal of customer information within two years of the last date of use unless necessary for business operations or other legitimate business or legal purposes.
- Businesses must either continuously monitor their systems or conduct penetration testing annually and vulnerability assessments at least every six months, as well as whenever there are material changes to business operations or a material impact on the business’s ISP.
- Businesses must implement policies and procedures to ensure personnel are able to carry out the information security program, including security awareness training.
- Effective immediately, businesses must take reasonable steps to select service providers capable of properly safeguarding customer information. Beginning December 9, 2022, businesses must periodically evaluate such service providers based on risks they present and for the adequacy of their safeguards.
- Under the Rule, businesses must establish a written incident response plan to promptly respond to security events. The FTC is evaluating requiring businesses to report security incidents affecting more than 1,000 consumers, but has not yet issued this requirement.
Although the new rule took effect January 10, 2022, most of the ISP element requirements will be effective on December 9, 2022, giving businesses some time to prepare. Small businesses are exempt from certain requirements. Covered businesses should consider incorporating all required Rule elements into their ISP as soon as possible. Strengthening safeguards to prevent security compromises is more important now than ever as the number of security incidents is on the rise and consumers increasingly demand that businesses protect their data.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.