US Federal Trade Commission strengthens security safeguard rules to deal with widespread data breaches

November 2, 2021

Another sign, if more were needed, that data breaches are a chronic and increasingly damaging phenomenon: the US Federal Trade Commission (the “FTC”) has issued amendments to the Standards for Safeguarding Customer Information (the “Safeguards Rule”).

The Final Rule is a very substantial document, and a useful one for anyone interested in privacy and cybersecurity generally. Given the dearth of clear and precise definitions, practices and protocols in Australia, it is of particular use here. Like NIST publications, it is a far more substantial and practical document than the vague and opaque guidelines issued by Australian regulators.

Those responsible for maintaining cyber security and for establishing procedures and protocols to protect personal information could do worse than read these rules. It is only a matter of time before the Information Commissioner prepares detailed guidelines more consistent with the voluminous GDPR documents or with the direct, and also comprehensive, FTC rules.

Some of the more significant provisions include:

  • including more detailed requirements for the development and establishment of the information security program required under the Rule, namely:
    • specific criteria for what the risk assessment must include;
    • a requirement that the risk assessment be set forth in writing; and
    • details of particular safeguards regarding access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.
  • adding requirements designed to improve the accountability of financial institutions’ information security programs, namely:
    • designating a single qualified person to be responsible for the information security program; and
    • requiring periodic reports to boards of directors or governing bodies, which will give senior management better awareness of their financial institutions’ information security programs, making it more likely that the programs will receive the required resources and be able to protect consumer information.
  • expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. 
  • including definitions and related examples, including of “financial institution,” from the Privacy of Consumer Financial Information Rule. Those terms include “consumer,” “customer,” “customer relationship,” “financial product or service,” “nonpublic personal information,” “personally identifiable financial information,” and “publicly available information.”
  • defining a “security event” as “an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.”
  • defining “encryption” as “the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.”
  • defining “multi-factor authentication” as “authentication through verification of at least two of the following types of authentication factors: 1) knowledge factors, such as a password; 2) possession factors, such as a token; or 3) inherence factors, such as biometric characteristics.” It also requires financial institutions to implement multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Note that two factors of the same type (for example, a password and a security question, both knowledge factors) do not satisfy the definition.
  • defining “penetration testing” as a “test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”
  • requiring the financial institution to designate “a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.”
  • requiring that the risk assessment be written and include: 1) criteria for the evaluation and categorization of identified security risks or threats the financial institution faces; 2) criteria for the assessment of the confidentiality, integrity, and availability of the financial institution’s information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats to the financial institution; and 3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the financial institution’s risks.
  • requiring “implementing and periodically reviewing access controls on customer information, including technical and, as appropriate, physical controls to (1) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information and (2) limit authorized users’ access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information.”
  • requiring the financial institution to “[i]dentify and manage the data, personnel, devices, systems, and facilities that enable [the financial institution] to achieve business purposes in accordance with their relative importance to business objectives and [the financial institution’s] risk strategy.”
  • requiring financial institutions to encrypt all customer information, both in transit over external networks and at rest.
  • requiring financial institutions to “[a]dopt secure development practices for in-house developed applications utilized” for “transmitting, accessing, or storing customer information.”
  • requiring financial institutions to use logging to “monitor” active users and to reconstruct past events.
  • requiring the deletion of customer information two years after the last time the information is used in connection with providing a product or service to the customer, unless the information is required for a legitimate business purpose.
  • requiring financial institutions to adopt procedures for change management. Change management procedures govern the addition, removal, or modification of elements of an information system. Financial institutions are required to develop procedures to assess the security of devices, networks, and other items to be added to their information system, or the effect of removing such items or otherwise modifying the information system.
  • requiring financial institutions to perform vulnerability assessments at least once every six months and, additionally, whenever there are material changes to their operations or business arrangements and whenever there are circumstances they know or have reason to know may have a material impact on their information security program.
  • requiring financial institutions to provide their personnel with “security awareness training that is updated to reflect risks identified by the risk assessment.”
  • requiring financial institutions to “[p]rovid[e] information security personnel with security updates and training sufficient to address relevant security risks.”
  • requiring financial institutions to periodically assess service providers “based on the risk they present and the continued adequacy of their safeguards.”
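Two of the requirements above, the multi-factor authentication definition and the access-control requirement (authenticate, then limit staff to what their duties need and customers to their own information), together with the logging requirement, can be expressed as a small policy check. The following is an added example written for this post, not code from the FTC or from any rule text; the role names (“customer”, “staff”), the duty-to-data-class map, the data classification labels, and the `mfa_exception` flag standing in for the Qualified Individual’s written approval are all assumptions for illustration.

```python
"""Access-control check modelled on the Safeguards Rule's MFA and
access-control requirements. Added example; the roles, duty scopes,
data-class labels and the exception flag are assumptions, not rule text."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Factor(Enum):
    """The three factor types in the rule's MFA definition."""
    KNOWLEDGE = "knowledge"      # something you know, e.g. a password
    POSSESSION = "possession"    # something you have, e.g. a token
    INHERENCE = "inherence"      # something you are, e.g. a fingerprint


@dataclass(frozen=True)
class Session:
    subject: str                 # authenticated user id
    role: str                    # "customer" or "staff" (assumed role names)
    verified: tuple              # (Factor, method-name) pairs verified at login
    duty: str = ""               # staff duty used for least-privilege scoping
    mfa_exception: bool = False  # Qualified Individual's written approval on file (assumed flag)


@dataclass(frozen=True)
class CustomerRecord:
    record_id: str
    owner: str                   # the customer the information is about
    data_class: str              # assumed classification label


# Assumed least-privilege map: the data classes each duty needs.
DUTY_SCOPES = {
    "loan_officer": frozenset({"loan_file", "contact"}),
    "support_agent": frozenset({"contact"}),
}


def satisfies_mfa(session):
    """True only if at least two *different* factor types were verified.

    A password plus a security question are both knowledge factors, so
    they count as one type under the rule's definition.
    """
    return len({factor for factor, _method in session.verified}) >= 2


def authorize(session, record):
    """Decide whether `session` may read `record`; returns (allowed, reason)."""
    if not (satisfies_mfa(session) or session.mfa_exception):
        return False, "mfa_required"
    if session.role == "customer":
        # Customers may access only their own information.
        if record.owner == session.subject:
            return True, "own_record"
        return False, "not_own_record"
    if session.role == "staff":
        # Staff get only the data classes their duty needs.
        if record.data_class in DUTY_SCOPES.get(session.duty, frozenset()):
            return True, "within_duty_scope"
        return False, "outside_duty_scope"
    return False, "unknown_role"


def audit_entry(session, record, decision):
    """Structured log entry so that past access can be reconstructed later."""
    allowed, reason = decision
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": session.subject,
        "role": session.role,
        "duty": session.duty,
        "factors": sorted({f.value for f, _ in session.verified}),
        "record": record.record_id,
        "allowed": allowed,
        "reason": reason,
    }


def run_scenarios():
    """Constructed sample sessions and records (not real data)."""
    pw = (Factor.KNOWLEDGE, "password")
    sq = (Factor.KNOWLEDGE, "security_question")
    totp = (Factor.POSSESSION, "totp_app")
    loan = CustomerRecord("R-1", owner="alice", data_class="loan_file")
    contact = CustomerRecord("R-2", owner="alice", data_class="contact")
    cases = {
        "customer_own_record": (Session("alice", "customer", (pw, totp)), loan),
        "customer_two_knowledge_factors": (Session("alice", "customer", (pw, sq)), loan),
        "customer_other_record": (Session("bob", "customer", (pw, totp)), loan),
        "agent_contact_ok": (Session("carol", "staff", (pw, totp), duty="support_agent"), contact),
        "agent_loan_denied": (Session("carol", "staff", (pw, totp), duty="support_agent"), loan),
        "officer_with_written_exception": (
            Session("dan", "staff", (pw,), duty="loan_officer", mfa_exception=True), loan),
    }
    results = {}
    for name, (session, record) in cases.items():
        decision = authorize(session, record)
        results[name] = (decision, audit_entry(session, record, decision))
    return results


if __name__ == "__main__":
    for name, (decision, log) in run_scenarios().items():
        print(f"{name:32} allowed={decision[0]!s:5} reason={decision[1]:20} factors={log['factors']}")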

The media release relevantly provides:

The Federal Trade Commission today announced a newly updated rule that strengthens the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. In recent years, widespread data breaches and cyberattacks have resulted in significant harms to consumers, including monetary loss, identity theft, and other forms of financial distress. The FTC’s updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The changes adopted by the Commission to the Safeguards Rule include more specific criteria for what safeguards financial institutions must implement as part of their information security program such as limiting who can access consumer data and using encryption to secure the data. Under the updated Safeguards Rule, institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.

The Safeguards Rule was mandated by Congress under the 1999 Gramm-Leach-Bliley Act. Today’s updates are the result of years of public input. In 2019, the FTC sought comment on proposed changes to the Safeguards Rule and, in 2020 held a public workshop on the Safeguards Rule.

In addition to the updates, the FTC is seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission. The FTC is issuing a supplemental notice of proposed rulemaking, which will be published in the Federal Register shortly. The public will have 60 days after the notice is published in the Federal Register to submit a comment.

Today, the FTC also announced it adopted largely technical changes to its authority under a separate Gramm-Leach Bliley Act rule, which requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties. These changes align the rule with changes made under the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Under Dodd-Frank, Congress narrowed the FTC’s jurisdiction under that rule to only apply to motor vehicle dealers.


Leave a Reply

Verified by MonsterInsights