FTC Amends the Safeguards Rules for Customer Information

On October 27, The Federal Trade Commission (FTC) issued a Final Rule that amended the Standards for Safeguarding Customer Information, known as “the Safeguards Rule,” under the Gramm-Leach-Bliley Act.

According to the FTC press release, these amendments to the Safeguards Rule requires non-banking financial institutions — such as mortgage brokers, motor vehicle dealers, and payday lenders — to “develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.”

The amendment contains five main modifications to the existing Rule:

• It adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program.

• It adds provisions designed to improve the accountability of financial institutions’ information security programs.

• It exempts small businesses from certain requirements.

• It expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.

• The Commission proposes to include the definition of “financial institution” and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule.

In addition to the updates, the FTC is seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission. The FTC is issuing a supplemental notice of proposed rulemaking, which will be published in the Federal Register shortly. The public will have 60 days after the notice is published in the Federal Register to submit a comment.