The Federal Trade Commission (FTC) proposed amendments to two regulations in place under the Gramm-Leach-Bliley Act (GLBA). The regulations – the Safeguards Rule and the Privacy Rule – protect the privacy and security of consumer information held by financial institutions.

The Safeguards Rule

The Safeguards Rule, in place since 2003, requires financial institutions to develop, implement and maintain a comprehensive information security program to protect consumer data. The FTC proposes adding more specific requirements, which would oblige applicable financial institutions to:

  • Designate a qualified Chief Information Security Officer (CISO).
  • Conduct information security risk assessments.
  • Include certain elements within the information security program, such as:
    • Access controls to authenticate users of information systems.
    • Access controls to restrict access to consumer information in physical locations.
    • Inventories of data, personnel, devices, systems and facilities.
    • Encryption of all consumer information in transit and at rest.
    • Secure development practices for applications developed in-house and used for transmitting, accessing or storing information.
    • Multi-factor authentication for anyone accessing consumer information or internal networks that contain consumer information.
    • Audit trails to detect and respond to security concerns.
    • Secure disposal procedures for consumer information that is no longer necessary for business operations.
    • Change management procedures for additions, deletions or modifications to the information systems.
    • Monitoring of authorized user activity, and detection of unauthorized access to, use of or tampering with consumer data.
    • Providing security awareness training for employees.
    • Periodic risk-based assessments of service providers.
    • An incident response plan.
    • Reporting by the CISO to the board or equivalent at least annually.

Note that financial institutions maintaining consumer information concerning fewer than 5,000 consumers would be exempt from certain of these requirements.

The Privacy Rule

The Privacy Rule, which went into effect in 2000, requires financial institutions to inform consumers of their information-sharing practices and allows consumers to choose not to have their information shared with third parties. However, unlike the Safeguards Rule, the FTC's version of this rule now applies only to certain motor vehicle dealers, because rulemaking authority over other financial institutions has moved to the Consumer Financial Protection Bureau. The proposed changes would:

  • Remove references that do not apply to motor vehicle dealers.
  • Alter the definition of “financial institution” to include entities “engaged in activities that are financial in nature or are incidental to such financial activities.”
  • Reflect changes to the GLBA annual privacy notice requirements made by the FAST Act, including clarifications regarding initial notices and exceptions impacting motor vehicle dealers.

For both rules, the FTC proposes expanding the definition of “financial institution” to include “finders,” or companies that connect consumers looking for a loan with a lender.

Currently the proposed amendments are in a 60-day commenting period. As more information is made available our Financial Institutions Group will keep you updated. Stay tuned! In the meantime, should you have any questions about how this may impact your financial institution, contact one of our team members.