[BreachExchange] FTC Announces New Cybersecurity Requirements, Privacy Rule Update

Destry Winant destry at riskbasedsecurity.com
Thu Apr 4 03:11:46 EDT 2019


https://www.jdsupra.com/legalnews/ftc-announces-new-cybersecurity-98009/

In March, the Federal Trade Commission announced proposed updates to
two key privacy and security regulations, the Safeguards Rule and
Privacy Rule. Both rules implement regulations under the federal Gramm
Leach Bliley Act, and the FTC seeks comments for both.

The FTC’s proposed update to the Safeguards Rule would impose a number
of information security requirements partially modelled on New
York’s Cybersecurity Regulations. These include requirements to:

- designate a Chief Information Security Officer, required to report
annually in writing to the board of directors or equivalent body
regarding the status of the institution’s information security;
- develop an information security program based on a written risk assessment;
- oversee service providers, including periodic risk assessments of the
continuing adequacy of service providers’ safeguards; and
- develop a written incident response program.

The new Safeguards Rule would require a financial institution’s
information security program to include the following elements:

- access controls;
- data, personnel, device, systems and facilities management;
- encryption of all customer information both in transit and at rest;
- adoption of secure development practices;
- “multi-factor authentication for any individual accessing customer
information”;
- audit trails to detect and respond to cybersecurity events;
- limited retention of customer information and secure disposal techniques; and
- “policies, procedures and controls” designed to monitor user
activity and detect unauthorized access or use of customer
information.

These and other detailed requirements could have significant impacts
on companies engaged in financial activities over which the FTC claims
authority. Such companies include mortgage brokers and lenders,
finance companies, pay-day lenders, check cashers and wire
transferors, collection agencies, tax preparers, non-federally insured
credit unions and certain investment and financial advisors. The
updated Safeguards Rule provides limited exceptions to certain
requirements for companies which maintain customer information for
fewer than five thousand individuals.

Proposed updates to the Privacy Rule will address annual privacy
notice requirements and clarify the limited scope of the FTC’s
rulemaking authority under Gramm Leach Bliley. These updates reflect
amendments to Gramm Leach Bliley by the 2010 Dodd-Frank Act and the
2015 FAST Act. In keeping with changes to the FTC’s rulemaking
authority under Dodd-Frank, the updated Privacy Rule removes
references to financial institutions who are not motor vehicle
dealers. Based on the FAST Act, the FTC will additionally update the
Privacy Rule to remove the requirement to provide annual privacy
notices in certain circumstances. These updates to the annual privacy
notice requirements substantially reflect the FTC’s adoption of the
(previously-blogged) CFPB approach to the FAST Act.
