FTC proposes amendments to the GLBA regulations

FTC proposes amending regulations implementing the GLBA consistent with NYDFS cybersecurity regulations and NAIC model law.

Key points

  • FTC is proposing to amend its regulations implementing the GLBA to add specific data security requirements including encryption, access, and authentication. The FTC’s regulations apply to financial institutions not otherwise regulated by the Federal Reserve, FDIC, OCC, SEC, NCUA or state insurance authorities.
  • The proposed changes are generally consistent with the NYDFS cybersecurity regulations and the NAIC model law for insurance data security.
  • Other federal regulatory activity is expected given the focus on operational resiliency, recent public policy attention on customer data sharing and breaches, as well as both increasing state privacy activity and the EU’s General Data Protection Regulation (GDPR).

The Federal Trade Commission (FTC) has released two proposed rules that would amend its regulations implementing the Gramm-Leach-Bliley Act (GLBA). These regulations, known as the Safeguards Rule and the Privacy Rule, provide a framework for regulating the data security and data privacy practices of the financial institutions under the FTC’s jurisdiction.*

In each of the two releases, the FTC proposes to expand the definition of “financial institution” to make the FTC’s rules more consistent with those of the other regulators covered by the GLBA. In particular, the revised definition would include entities that are engaged in activities that are incidental to financial activities as described in section 4(k) of the Bank Holding Company Act of 1956. Such an addition would bring “finders” (companies that bring together buyers and sellers) within the scope of the rules.

Safeguards Rule

The FTC’s Safeguards Rule requires financial institutions subject to its authority under the GLBA to implement and maintain an information security program to safeguard the security and confidentiality of customer information.

The FTC is proposing amendments to its Safeguards Rule that would introduce more specificity into the existing requirements. The amendments are primarily based on the cybersecurity regulations issued by the New York Department of Financial Services (NYDFS) and the insurance data security model law issued by the National Association of Insurance Commissioners (NAIC). They would require applicable financial institutions to:

  • Designate a single qualified individual to serve as the Chief Information Security Officer (CISO).
  • Conduct information security risk assessments.
  • Design and implement elements within the information security program, including:
    • Access controls to authenticate users of information systems.
    • Access controls to restrict access to customer information in physical locations (i.e., areas, papers, devices).
    • Inventories of data, personnel, devices, systems, and facilities.
    • Encryption of all customer information in transit and at rest.
    • Secure development practices for applications developed in-house and used for transmitting, accessing, or storing information.
    • Multi-factor authentication for any individual accessing customer information or internal networks that contain customer information.
    • Audit trails to detect and respond to “security events.”
    • Secure disposal procedures for customer information that is no longer necessary for “business operations or other legitimate business purpose.”
    • Change management procedures for additions, deletions, or modifications to the information systems.
    • Monitoring of authorized user activity and detection of unauthorized access to, use of, or tampering with customer information.
    • Providing employee “security awareness training.”
    • Periodic risk-based assessments of service providers.
    • An incident response plan (notably, the proposed amendments do not include a requirement for financial institutions to notify the FTC of any security event).
    • Reporting by the CISO, at least annually, to the Board or equivalent.

Financial institutions that maintain customer information for fewer than 5,000 consumers would be exempt from certain of the proposed requirements.

Privacy Rule

Unlike the FTC’s Safeguards Rule, its Privacy Rule applies only to certain motor vehicle dealers.

The FTC’s proposed amendments to the Privacy Rule are primarily technical in nature and would:

  • Remove references that do not apply to motor vehicle dealers.
  • Modify the definition of “financial institution” to include entities “engaged in activities that are financial in nature or are incidental to such financial activities.”
  • Reflect changes to the GLBA annual privacy notice requirements made by the FAST Act, including clarifications regarding initial notices and exceptions impacting motor vehicle dealers.

Dissenting Statement

Two FTC Commissioners concurrently published a dissenting statement indicating their belief that the proposed amendments to the Safeguards Rule may be premature, given that there is not yet data on the impact and efficacy of the NYDFS cybersecurity regulations and that Congress and the Executive Branch are discussing potential privacy and data security legislation.

*  The GLBA requires the FTC, Federal Reserve, OCC, FDIC, NCUA, SEC, and state insurance authorities to each establish information security standards for the entities under their jurisdiction. The Federal Reserve, OCC, and FDIC jointly issued Interagency Guidelines Establishing Information Security Standards for the entities they supervise, including insured depository institutions, holding companies, and the branches and agencies of foreign banks, along with the subsidiaries of those entities except for broker-dealers, persons providing insurance, investment companies, and investment advisers. The FTC promulgated the Safeguards Rule for those entities under its authority, which extends to financial institutions not otherwise regulated by the other agencies covered by the GLBA.

The Dodd-Frank Act transferred the GLBA privacy notice rulemaking authorities of the Federal Reserve, OCC, FDIC, NCUA and the FTC (except for certain motor vehicle dealers) to the CFPB. The CFPB finalized the implementing regulations as Regulation P.