Following the barrage of data breaches and data security abuses, the Federal Trade Commission (FTC) announced its new targeted area for improvement: finance. What’s more, the FTC is widening its reach to include entities that engage in “incidental” banking activities, like financing purchases.
Formerly known as the Financial Services Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) initially deregulated certain portions of the banking industry. In 2002, the GLBA added the “Safeguards Rule” to protect consumers’ financial privacy. The Safeguards Rule was last revised in 2016.
On October 27, 2021, the FTC announced the supplemental and amended “Safeguards Rule,” which now requires non-financial institutions like mortgage brokers, vehicle dealers, and unconventional lenders to implement a “comprehensive security system” to protect consumer data. The changes in the new Safeguards Rule fall into five categories, and affected entities have one year (until October 27, 2022) to comply:
1. SPECIFIC SECURITY STANDARDS:
One of the few laws to include specific security requirements, the amended Safeguards Rule requires written reports on risk assessments, vulnerability assessments and penetration testing, continuous monitoring of information systems, written incident response plans, multi-factor authentication procedures, and contractually requiring security service vendors to meet the new Safeguards Rule (and periodically testing them). The FTC tightened the definition of encryption, which must be applied to data both in transit and at rest. The FTC felt its prior encryption standard was too weak and wanted to prevent re-identification of data.
2. CHIEF SECURITY OFFICER FOR ACCOUNTABILITY: Previously, the FTC allowed financial institutions to simply hire a Chief Information Security Officer (CISO), which was often done in name only. Recognizing this quality-control gap, the FTC now demands a “qualified” CISO responsible “for overseeing and implementing the security program.” The FTC recognizes that the cost of such personnel ranges from an average annual salary of $180,000 to upwards of $400,000 and therefore recommends that businesses consider “virtual CISOs” (third-party entities) for compliance.
3. EXEMPTIONS: The FTC states that it recognizes the financial “impact of the additional requirements on small businesses,” and thus, “the Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.”
4. WIDENING THE NET:
The definition of “financial institution” is expanded to include entities engaged in activities that the Federal Reserve Board determines to be “incidental to financial activities,” as defined by the Bank Holding Company Act. Found in 12 CFR 225.86(d)(1)(f), the proposed revision added an example of a financial institution acting as a finder by “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” This change targets companies that bring together buyers and sellers of a product or service. Car dealerships and other entities that conduct in-house financing can thank the Electronic Privacy Information Center (EPIC) for the change.
The definition of “information system” was further amended to include “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or any such system connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems, that contains customer information or that is connected to a system that contains customer information.” In short, this definition includes EVERYTHING except paper records.
5. COLLECTIVE DEFINITIONS: Finally, the Final Rule defines several terms within itself, as opposed to incorporating them by reference from the Privacy of Consumer Financial Information Rule, 16 CFR part 313.
Financial institutions must be ready to explain their information sharing practices, “specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information.” Additionally, the FTC seeks public commentary about a proposed rule to require financial institutions to report their security events (not just breaches) to the FTC.
The Consumer Data Industry Association (“CDIA”) raised concerns that the risk assessment requirement would provide “a roadmap for bad actors” on how best to exploit compliant financial institutions. In response, the FTC stated that risk assessments “should be protected as any other sensitive information would be” and that CDIA’s concern is not a sufficient reason to forgo assessments. The FTC added that the same rationale could “apply to any written document that provides information regarding a financial institution’s information security procedures, from a network diagram to written security code.”
The FTC further announced new authorities (that it issued to itself – very convenient) under a separate Gramm-Leach-Bliley Act rule, which was unanimously adopted by the Commission. In accordance with the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and similar to California’s Consumer Privacy Protection Act, financial institutions MUST inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.