US FTC’s revised standards for safeguarding customer financial information

On October 27, the United States Federal Trade Commission (FTC) announced as final a revised safeguards rule for financial institutions under the FTC's jurisdiction that have nonpublic personal information. The FTC announced the revised rule as necessary in light of "widespread data breaches and cyberattacks [which] have resulted in significant harms to consumers, including monetary loss, identity theft and other forms of financial distress." Note that the revised rule has not yet been officially published in the Federal Register, so it is not yet in effect.

The amended rule requires non-banking financial institutions to develop, implement and maintain a comprehensive security system to keep their customers' information safe. It adds provisions to provide guidance and improve accountability for specific aspects of a covered financial institution's overall information security program—such as access controls, authentication, record retention and encryption, as well as such actions as regular reports to the board of directors and the designation of a single qualified individual responsible for the information security program. The amended rule also expands the definition of "financial institution" to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, while at the same time exempting from certain requirements financial institutions which collect less customer information.

Scope

The scope of covered institutions under the revised rule remains fairly narrow. The "financial institutions" subject to the Commission's enforcement authority are those that are "not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805." More specifically, the revised rule states that those entities include, but are not limited to:

• Mortgage lenders
• "Payday" lenders
• Finance companies
• Mortgage brokers
• Account servicers
• Check cashers
• Wire transferors
• Travel agencies operated in connection with financial services
• Collection agencies
• Credit counselors and other financial advisors
• Tax preparation firms
• Non-federally insured credit unions
• Investment advisors that are not required to register with the Securities and Exchange Commission
• Entities acting as "finders."

The FTC describes a "finder" as "[a] company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1)."

New obligations

The FTC has added substantial new obligations to the formerly brief safeguards rule. Although the revised rule contains the full details of all of the requirements, below is a brief summary:

The revised rule now requires the covered financial institutions to:

• Designate a single qualified individual to have overall responsibility for the information security program. The FTC pointed out that this individual does not need to be an employee and, depending upon the circumstances, may not need to be full-time.
• Have that single qualified individual make at least an annual report to the board of directors (or other governing body) on the status of the information security program, compliance with the FTC safeguards rule, and material matters and issues with the program. Responding to a comment that a qualified individual from a third-party service provider could provide a report that was "filled with platitudes and/or efforts to 'upsell' the dealership on additional CISO services," the FTC noted that "such a report would not meet the requirements of this provision, and the financial institution would be justified in terminating their relationship with that provider or, at least, demanding a revised report that did meet those requirements."

The revised rule now also requires covered financial institutions to implement safeguards to control risks, including:

• Access controls. The revised rule requires reviews of access controls, with a focus on permitting authorized users access only to information needed to perform the authorized function (a "minimum necessary" approach). The FTC specifically noted that more sensitive information could be protected by stricter access controls.
• Data inventory and classification. This broad section requires a financial institution to "identify and manage the data, personnel, devices, systems and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy." The FTC explained that this "inventory of systems must include all systems that are a part of the business so that the financial institution can locate all customer information it controls, the systems that are connected to that information and how they are connected."
• Encryption. The revised rule requires encryption both in transit over external networks and at rest or an alternate compensating control approved by the qualified individual. The FTC received comments on this requirement, some believing that it was too strict and others concerned that it did not go far enough. The FTC responded to these comments by stating that there are many free and low-cost ways to encrypt data. The FTC also pointed out that, although the FFIEC Guidelines do not require encryption at rest, the revised Safeguards rule was designed for implementation by financial institutions, rather than a guide for auditors of financial institutions. With respect to those who wanted to expand the rule to require encryption of data in transit over internal networks, the FTC acknowledged that, due to cloud computing and mobile devices, the line between internal and external networks was becoming blurry at this point in time requiring all covered financial institutions to implement encryption in transit over internal networks would be unduly burdensome.
• Secure development practices. The amended rule now requires financial institutions to adopt secure development practices for internally-developed applications, and procedures for "evaluating, assessing or testing" externally-developed applications, for applications utilized to transmit, access or store customer information. For internally developed applications, the financial institution could "set up automated searches regarding vulnerabilities, patches, and updates to software listed on the financial institution's inventory." For software developed by a third party, "[s]oftware that has been thoroughly tested by third parties may need little more than a review of the test results, while software that has not been widely used and tested will require closer examination."
• Authentication. Somewhat similar to the encryption requirements, the revised rule requires implementation of multi-factor authentication for accessing any information system or a compensating control approved by the qualified individual. The FTC noted that this requirement does not prohibit the use of single sign-on: "The Commission does not view the rule as preventing such a system, if the user has used multi-factor authentication to access the system and the system is designed to ensure that any user of a given application has been subjected to multi-factor authentication."
• Information disposal procedures. In what may be the most significant change for covered financial institutions, the FTC has adopted a mandatory destruction requirement:

(i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and

(ii) Periodically review your data retention policy to minimize the unnecessary retention of data.

The FTC explained the rationale for this new requirement as follows:

In situations where the information is no longer needed for a legitimate business purpose, though, the risk to the customer information becomes unreasonable because the retention is no longer benefiting the customer or financial institution. Disposing of unneeded customer information, therefore, is a vital part of protecting customer information and serves the purpose of the GLB Act.

• Change management. The new requirement reads simply: "Adopt procedures for change management." The FTC commented: "As with all of the requirements of the rule, though, the exact nature of these procedures will vary depending on the size, complexity and nature of the information system." The FTC's rationale for the requirement is "Alterations to an information system or network introduce heightened risk of cybersecurity incidents; thus, it is important to expressly require change management to be a part of an information security program."
• Logging. The revised rule also requires the covered financial institutions to adopt policies and controls to monitor and activities of authorized or unauthorized users accessing customer information. The FTC pointed out that "no requirement that a separate staff member would be required to exclusively monitor system use."
• Testing. The amended rule gives financial institutions a choice: (a) continuous monitoring or (b) an annual penetration test and vulnerability assessments every six months. The FTC commented that larger financial institutions may choose to do both.
• Incident response. The revised rule now requires a written incident response plan, which must cover seven areas, ranging from processes for responding to a security event, to communications, to requirements for remediation. According to the FTC, the plan should focus on events that "materially" affect customer information. Thus, the required incident response plan does not require a plan to address every security event that may occur." The FTC also clarified that the requirement relates to information within the financial institution's "control" rather than "possession," in order to include data stored in the cloud.

The revised rule also expands on existing requirements relating to:

• Risk assessments. The FTC now requires written risk assessments that include criteria for assessing internal and external risks and describing the safeguards in place to control the risks. The amended rule does not require any specific methodology or approach for performing the assessment.
• Training. In addition to requiring security awareness training for personnel, the revised rule now also requires training for information security personnel "sufficient to address relevant security risks." The FTC emphasized that training program "updates are required only when needed by changes in the financial institution or new security threats."
• Service provider oversight. The FTC has added a requirement that a covered financial institution periodically assess the service providers "based on the risk they present and the continued adequacy of their safeguards." The revised rule requires financial institutions "only to assess the risks that service providers present and evaluate whether they continue to provide the safeguards required by contract, which need not include extensive investigation of a service provider's systems." The FTC indicated that third-party certifications from vendors may suffice in some circumstances.

Limited exception

The FTC added a new limited exception for small institutions. The amended rule exempts financial institutions that collect information on fewer than 5,000 consumers only from the requirements of a written risk assessment, continuous monitoring/penetration testing and vulnerability assessments, incident response plan and written report to the board of directors.

Effective date

Most of the revised rule will go into effect one year after publication in the Federal Register. The few segments that will go into effect immediately upon publication include: conducting periodic risk assessments, regularly testing system controls, providing general security awareness training, having a qualified information security personnel manage or oversee the information security program and periodically assessing service providers.

Comparison with NYDFS Cybersecurity Regulation

Although the scope of the FTC's amended safeguards rule is fairly narrow, it has some elements in common with the New York Department of Financial Services' (NYDFS) Cybersecurity Regulation. For example, both regulations require a risk assessment that forms the basis of the financial institution's cybersecurity program. The NYDFS Regulation and the FTC rule but both require policies to protect personal information, data governance, asset inventory, system and network monitoring, application development, vendor management, incident response, designation of a qualified individual with overall responsibility for the program, annual reporting to the board of directors, audit trails, limiting user access privileges and reviewing that access, security and testing of internally and externally developed applications, periodic risk assessments, describing how risks will be mitigated and/or accepted, providing general cyber training to personnel and special training to cybersecurity personnel, multi-factor authentication or an approved other control, disposal of information no longer needed for business operations, monitoring and detecting authorized and unauthorized users, encryption or an approved alternate measure and a written incident response plan. Both the NYDFS Regulation and the FTC rule provide limited exceptions to smaller covered entities. The NYDFS Regulation also provided for a compliance period before all provisions became effect, although that compliance period ended March 1, 2019.

Preview of coming attractions: security breach reporting

The FTC had also requested comment on requiring the covered financial institutions to notify the FTC in the event of a security event. Because the FTC's original notice did not contain any details about the proposed reporting obligation, the FTC will be issuing a Notice of Supplemental Rulemaking that proposes adding a requirement that covered financial institutions notify the FTC of detected security events under certain circumstances. Note that the revised Safeguards Rule already contains a definition of "security event": "Security event means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system or customer information held in physical form."