In October 2021, the Federal Trade Commission (“FTC”) approved changes to its Standards for Safeguarding Information (“Safeguards Rule”) to include more specific criteria for data protection provisions financial institutions must implement as part of their information security programs. The Safeguards Rule implements the requirements of Section 501(b) of the Gramm-Leach-Bliley Act, which mandates certain regulators to issue regulations to ensure the safeguarding of customer information.
While many provisions of the Safeguards Rule went into effect 30 days after publication of the Rule in the Federal Register, other sections of the Rule were set to go into effect on December 9, 2022. This deadline has been extended by six months, meaning that covered entities must comply with the Rule’s provisions by June 9, 2023.
The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers and some other real estate companies, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. For purposes of the Safeguards Rule, a “customer” is a natural person who obtains a financial product or service for a personal, family, or household purpose and has established a customer relationship with the financial institution.
The Safeguards Rule applies to financial institutions who are under the FTC’s jurisdiction and not subject to the enforcement authority of another regulator (e.g., Securities and Exchange Commission, federal banking agencies, or state insurance regulators) under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. For example, banks, broker-dealers, registered investment advisers, and insurance companies are covered by the rules issued by their regulators and therefore the Safeguards Rule does not apply to them. While the Consumer Financial Protection Bureau issues the regulations implementing the privacy rules under the Gramm-Leach-Bliley Act, it is not responsible for the Safeguards Rule. An entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956. This includes the following types of companies:
- Entities that provide real estate settlement services;
- Personal property and real estate appraisers, unless they are only providing one-time appraisal services to the consumer (i.e., not establishing customer relationships);
- Mortgage brokers; and
- Companies acting as “finders” in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.
However, it is important to note that entities that maintain customer information of fewer than 5,000 consumers are classified as exempt, even if they meet the definition of financial institution listed above.
Information Security Program
Covered financial institutions must develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. These information security programs must be written and appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. The objectives of these security programs are to:
- Ensure the security and confidentiality of customer information;
- Protect against anticipated threats or hazards to the security or integrity of that information; and
- Protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
Data Privacy and Security Provisions
Covered entities must also implement the following specific data privacy and security provisions:
- Designate a qualified individual to oversee their information security program;
- Develop a written risk assessment;
- Limit and monitor who can access sensitive customer information;
- Encrypt all sensitive information in transit and at rest;
- Test and monitor effectiveness of key controls, systems, and procedures;
- Train security personnel;
- Develop an incident response plan;
- Oversee service providers by taking reasonable steps to select, retain, and periodically assess their security practices; and
- Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.