New requirements for financial institutions include vulnerability assessments, employee training
The US Federal Trade Commission (FTC) has amended its data protection policy, implementing tougher rules for financial institutions that process customer information.
The agency’s Standards for Safeguarding Customer Information (the ‘Safeguards Rule’) has been changed under the Gramm-Leach-Bliley Act (GLBA).
This revamping – the first time in the rule’s history – is designed to address the significantly increased complexity of information security and relentless chain of damaging data breaches that have plagued the financial services industry in recent years.
It brings with it wholesale changes to the obligations that financial institutions must satisfy.
Certain aspects of the amended rule – such as requiring written risk assessments, penetration testing and vulnerability assessments, and employee training – will take effect one year after the date of publication of the Final Rule in the Federal Register, while all other provisions will take effect 30 days after publication.
As such, all financial institutions that fall under the scope of the rule are well-advised to take proactive action now to enhance their information security programs – especially as the FTC continues to place a greater emphasis on policing the industry.
The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions at the federal level.
Among other things, the GLBA requires financial institutions to provide customers with information about covered institutions’ privacy practices and their opt-out rights, and to implement security safeguards for customer information.
Pursuant to the GLBA, the FTC promulgated the Safeguards Rule – applicable to any financial institution over which the FTC has jurisdiction – to establish standards for the administrative, technical, and physical safeguards that must be maintained and used when processing or handling data.
The FTC’s recent amendments modify the scope and reach of the rule in two major ways.
First, the definition of ‘financial institution’ has been expanded to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
Most notably, this change brings ‘finders’ – companies that bring together buyers and sellers of a product or service – within the scope of the rule.
At the same time, the amendments also narrow the scope of the rule to some extent by exempting smaller entities that process the data of fewer than 5,000 individuals from the written risk assessment, incident response planning, and annual reporting elements of the rule.
The changes that will have the most significant impact on financial institutions’ compliance obligations are those that set new, particular criteria pertaining to the specific safeguards that financial institutions must now utilize as part of their information security programs.
Some of the more noteworthy requirements that have been added to the mix include:
- Risk Assessments – financial institutions must include specific criteria in their risk assessments, which must also be in writing. These risk assessments must also be periodically updated by re-examining evolving risks to customer information and the systems that process or store that data.
- Security controls – financial institutions must implement and maintain certain specified security controls to safeguard customer information, such as encrypting all data as well as requiring multi-factor authentication for any individuals accessing an institution’s systems.
- Data retention limitations – customer information must be disposed of no later than two years after the last date the information is used in connection with providing a product or service to the customer. Further, policies and procedures must be put in place to facilitate compliance with these data retention limitations and thereafter periodically reviewed to minimize the unnecessary retention of data.
- Regular testing and monitoring – financial institutions must conduct regular testing and monitoring of the effectiveness of their key data security controls, including continuous monitoring or periodic penetration testing and vulnerability assessments of applicable information systems.
Oversight and reporting
The amended rule also requires financial institutions to designate a single “qualified individual” charged with responsibility for overseeing and implementing the institution’s information security program and periodically reporting to the entity’s board of directors or an equivalent governing body, such as a senior officer in charge of information security.
This is similar to Europe’s GDPR, which requires a designated officer tasked with overseeing reporting to governing bodies.
With the recent amendments to the Safeguards Rule, the FTC has signaled its intent to continue focusing its efforts on policing the privacy and security practices of financial institutions for the foreseeable future.
Combined with the fact that, beyond the GLBA/Safeguards Rule, the financial services industry itself is already highly regulated, financial institutions and related entities should expect to see significantly increased scrutiny of their privacy and security practices – as well as heavy-handed penalties in the event of a failure to safeguard customer information that results in a data breach.
Importantly, because it may be a major undertaking to make all of the changes required by the amended rule, covered financial institutions should take action immediately and consult with experienced privacy counsel to get a head start on making the necessary modifications.