On October 27, 2021, the Federal Trade Commission (FTC), citing the need to better protect the public from breaches and cyberattacks that lead to identity theft and financial loss, announced updates to the Safeguards Rule. These updates come after a years-long process of comments and proposed rulemaking.
As you may recall, the Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires that financial institutions (which includes dealerships that extend credit and lease terms) protect the security and confidentiality of personal information collected from customers. Pursuant to the directive in the GLBA, the FTC created the Safeguards Rule, which became effective in 2003. The Safeguards Rule requires financial institutions to develop and implement an appropriate written information security program designed to protect customer information. The requirements of the program include developing, implementing, and maintaining procedures to safeguard against risk to the security, confidentiality, and integrity of non-public customer information.
First, the Rule was amended to include more detailed requirements for what safeguards financial institutions must implement as part of their information security program, such as limiting who can access consumer data and using encryption to secure the data. Here are some additional pertinent highlights:
- Financial institutions must undertake risk assessments and implement safeguards to address the identified risks. The risk assessments must be in writing and include criteria for evaluating risks and assessing the security of customer information as well as ways the identified risks will be addressed.
- Customer information must be encrypted both in transit over external networks and at rest.
- Financial institutions must implement multifactor authentication to access customer information.
- The new Rule requires either continuous monitoring of information systems or annual penetration testing plus vulnerability assessments every six months.
- Financial institutions under the new Rule now are required to affirmatively dispose of customer information no later than two years after the last date the information was used unless it is otherwise required to be retained (i.e., if a company is required to retain it by law).
- Financial institutions must implement policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access or use of customer information.
- The new Rule requires establishing a written incident response plan designed to promptly respond to and recover from any security breach. The Rule also creates specific requirements of what must be included in an incident response plan.
- The new Rule requires financial institutions to select service providers that maintain appropriate safeguards, and requires the financial institutions to periodically assess their service providers to ensure compliance.
Second, the amended Rule now requires the designation of a single Qualified Individual to be responsible for the information security program (recall that the old version of the Rule allowed “an employee or employees” to be in charge of this responsibility). This Qualified Individual is required to provide a written status report at least annually to the board of directors (or governing body of the company). The report must include an update on the overall status of the information security program and the financial institution’s compliance, including all security events that happened over the past year.
Third, financial institutions that collect information on fewer than 5,000 consumers were exempted from certain requirements of the new Rule.
The definition of “financial institution” was also expanded to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders” (companies that bring together buyers and sellers of a product or service) within the scope of the Rule.
Finally, the Rule was updated to include several definitions and related examples, including “financial institution,” in the Rule itself rather than incorporate them by reference from the Privacy of Consumer Financial Information Rule.
Although some amendments to the Safeguards Rule will become effective 30 days after publication in the Federal Register, the key requirements (i.e., appointment of a Qualified Individual, written risk assessments, new elements of the information security program, continuous monitoring or annual penetration testing and vulnerability assessments every six months, additional training, etc.) will become effective one year from the date of publication. Essentially, dealers will need to comply with the bulk of the amended requirements by around the fourth quarter of 2022.
In addition to announcing these updates, the FTC also announced that it is opening a 60-day comment period about whether it should further amend the Safeguards Rule to require financial institutions to disclose to the FTC specific data breaches and other security incidents where 1,000 or more customers are affected.
Dealers are advised to pay attention to any further updates on the amendments to the Safeguards Rule and to carefully review these amendments to ensure compliance. Dealers are encouraged to contact competent counsel in this regard.
If you have any questions regarding this, or any other situation that may arise in your sales or service departments, hotline clients are invited to contact us at (800) 785-2880 (then press “4” for hotline) or firstname.lastname@example.org.