According to IBM’s 2022 “Cost of a Data Breach” report, the average cost of a single data breach in the US in 2022 was a staggering $9.4 million.
As a response to this growing concern, the Federal Trade Commission (FTC) has revised the Safeguards Rule, a key component of the Gramm-Leach-Bliley Act’s (GLBA) security and personal information protection requirements for consumers.
Originally set to take effect on December 9, 2022, the FTC extended the compliance deadline by six months due to public comments on staffing shortages and supply chain issues. Financial institutions must now be prepared to comply with the updated Safeguards Rule by June 9, 2023.
The updated Safeguards Rule takes a prescriptive approach by requiring that specific elements be incorporated into a financial institution’s information security program, unlike the previous approach, which gave financial institutions the flexibility to decide what safeguards were appropriate based on the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it holds.
To comply with the updated Safeguards Rule, financial institutions must now follow these 12 key requirements:
- Designate a qualified person responsible for overseeing and implementing the information security program;
- Base the information security program on a written risk assessment that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of any safeguards in place to control those risks;
- Implement access controls that limit access to customer information to the individuals who need it to perform their job duties and functions;
- Encrypt customer information both in transit over external networks and at rest;
- Adopt secure development practices for both in-house and externally developed applications;
- Implement multi-factor authentication for any individual accessing any information system;
- Maintain procedures for secure disposal of customer information and review data retention policies to minimize unnecessary retention of data;
- Adopt procedures for change management;
- Monitor and log the activity of authorized users to detect unauthorized access, using either continuous monitoring or, alternatively, annual penetration testing combined with vulnerability assessments at least every six months;
- Provide security awareness training;
- Oversee service providers; and
- Establish a written incident response plan.
Additionally, the updated Safeguards Rule seeks to increase accountability among financial institutions by requiring written reports, at least annually, to the board of directors (or equivalent governing body) on the overall status of the information security program, including recommendations for changes in response to material matters such as security incidents and violations.
Although the FTC acknowledges that the updated Safeguards Rule may negatively affect small businesses, it provides an exemption only for financial institutions that maintain customer information about fewer than 5,000 consumers. This exemption is partial: it excuses these institutions from the written risk assessment, the penetration testing and vulnerability assessment requirement, the written incident response plan, and the annual report to the board of directors, but they must still meet the remaining requirements, such as designating a qualified individual, access controls, encryption, multi-factor authentication, training, and oversight of service providers.
Once the compliance deadline passes, the FTC may take enforcement action against financial institutions under its jurisdiction that violate the updated Safeguards Rule. These include finders, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission.
In conclusion, the updated Safeguards Rule is an important step toward protecting customer information and preventing data breaches. Financial institutions should be proactive in implementing and adhering to its requirements, both to safeguard their customers’ information and to avoid FTC enforcement action for non-compliance.