On October 27, 2021, the Federal Trade Commission (“FTC”) announced significant updates to the Safeguards Rule. The FTC asked for comments on the Rule in 2019, and held a public workshop on the Rule in 2020. The Final Rule was published in the Federal Register on December 9, 2021. The Rule is effective on January 10, 2022, however, most of the substantive provisions of the Rule take effect a year from the publication date.
Per the final rule summary, the amended Rule contains five primary changes:
- “First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.
- Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
- Third, it exempts financial institutions that collect less customer information from certain requirements.
- Fourth, it expands the definition of ‘financial institution’ to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds ‘finders’–companies that bring together buyers and sellers of a product or service–within the scope of the Rule.
- Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporate them by reference from the Privacy of Consumer Financial Information Rule (‘Privacy Rule’).”
Substantively, the amended Rule generally follows the approach outlined in the 2019 proposal with certain amendments and clarifications.
The 2021 changes to the Safeguards Rule passed by a 3-2 vote by the FTC with the three “yes” votes coming from Democrats and 2 “no” votes from Republicans. Commissioners Noah Joshua Phillips and Christine S. Wilson dissented. Commissioner Rebecca Kelly and Chair Lina M. Khan also released a joint statement. The split vote on the final Rule, as well as on the 2019 proposed Rule, reflect a change from prior rulemakings in the security space which had passed on unanimous or near unanimous votes.
Chair Khan’s statement recognized that “In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily.” It further noted that the “amendments adopted today require financial institutions to develop information security programs that can meet the challenges of today’s security environment.”
The dissenting statement criticized the “one-size-fits-all approach” adopted by the updated Rule, emphasizing that the Commission had repeatedly emphasized that principle, given “a world of continuously evolving threats and standards[.]” The dissent further noted that the “FTC has never demanded ‘perfect’ security because the Commission has recognized that data security is neither cost- nor consequence-free, and often requires tradeoffs.”
The FTC is also seeking comments on whether additional changes to the Safeguards Rule are needed to require data breach and security event reporting by financial institutions. Comments must be received on or before February 7, 2022.
The Thompson Coburn Cybersecurity Team discussed the changes to the Safeguards Rule and potential impacts on November 17, 2021, and a recording of the webinar can be accessed here.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.