Clifford Chance

After a two-year notice and comment period, on October 27, 2021, the Federal Trade Commission (FTC) unveiled its finalized rules amending the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.

The Safeguards Rule is one of the most significant data privacy compliance regulations in the U.S., and it requires financial institutions to perform data risk assessments and to ensure the security and confidentiality of customer information by protecting against threats, hazards, and unauthorized access.

The amended Safeguards Rule, passed in a split vote between the commissioners, is more prescriptive than the previous rule, and removes some of the flexibility financial institutions used to have in complying with the rule. Significantly, the amended Safeguards Rule (1) requires a more regimented risk assessment that considers specific criteria and (2) creates a new baseline of safeguards that financial institutions must consider in their compliance plans.

Opponents of the amendment argue that it unnecessarily replaces a 20-year rule and deprives financial institutions of the flexibility to set appropriate and realistic safeguards for their own organizations. The amended Rule, they contend, lacks support from on-the-record data, imposes substantial costs, unnecessarily inserts the FTC into internal governance decisions, and incorrectly advocates for a "one-size-fits-all" approach to data security in an evolving arena.

Proponents of the revised Rule emphasize its timeliness after a rise in serious data breaches—like the recent Equifax breach which exposed nearly 150 million Social Security numbers. Though it requires institutions to address areas like access control, change management, information disposal, and user activity monitoring, institutions are not required to utilize any particular method and can design their own information security programs consistent with their needs, size, and complexity.

New Requirements Under the Amended Safeguards Rule

Under the GLBA, financial institutions are defined broadly to cover any institution that engages in financial activities, including, among other things, lending money, insuring against loss, providing financial advice, and dealing in securities. Under the GLBA, the FTC has enforcement powers against financial institutions not subject to the jurisdiction of other federal financial regulators. Additionally, in a nod to small businesses, the FTC will exempt financial institutions collecting information on fewer than 5,000 consumers from a number of the new requirements.

While risk assessments were previously required, they must now be conducted in writing and consider specific criteria. In particular, the risk assessment must evaluate and categorize identified security risks, assess the confidentiality, integrity, and availability of information systems, and set out how risks will be mitigated or accepted.

With regard to specific safeguards, the amended rule creates, among others, the following requirements for financial institutions:

• Designate an individual to oversee and implement the information security program;
• Encrypt all customer information;
• Implement multi-factor authentication for any individual accessing any information system;
• Implement procedures for change management and disposal of customer information;
• Monitor the effectiveness of controls, including by conducting yearly penetration tests; and
• Report annually to the Board of Directors on the status of the implementation of the security program.

In addition, financial institutions must establish a written incident response plan that includes the following elements:

• The goals of the incident response plan;
• The internal processes for responding to a security event;
• The definition of clear roles, responsibilities, and levels of decision-making authority;
• External and internal communications and information sharing;
• Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• Documentation and reporting regarding security events and related incident response activities; and
• The evaluation and revision as necessary of the incident response plan following a security event.

Key Takeaways

Significant violations of the Safeguards Rule can carry hefty monetary penalties. In a recent high profile example, Equifax agreed to pay $575 million to settle an FTC investigation into alleged violations of the Safeguards Rule.

In light of these amendments, financial institutions should assess their information security programs to ensure that they are compliant with these new, more stringent requirements. Additionally, as required by the new regulations, financial institutions should ensure that they have drafted internal cyber incident response policies.