2 April 2019
Last month, the Federal Trade Commission issued notices requesting comments on proposed amendments to its Financial Privacy and Safeguards Rules, regulations promulgated under the Gramm-Leach-Bliley Act that aim to protect the privacy and security of customer information held by financial institutions. While the proposed revisions to the Financial Privacy Rule are relatively minor, the revisions to the Safeguards Rule will have significant impacts on covered financial institutions if they are adopted. The proposed amendments draw heavily from the cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners and enumerate specific requirements for security measures covered financial institutions are required to take, such as having a data incident response plan. The notices also seek comment on whether to adopt certain additional requirements such as requiring entities that suffer a data security incident to report it to the FTC. The proposed amendments are the latest in a string of developments aimed at strengthening the patchwork of data privacy and cybersecurity laws that protects data in the US.