FTC Delays Implementation of Certain Provisions of the Safeguards Rule
On November 15, 2022, the Federal Trade Commission (FTC) announced that it is delaying the compliance deadline for certain provisions of its updated Safeguards Rule (the “Rule”) to June 9, 2023.
The Rule “requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.”
Amendments to the Rule were approved by the FTC on October 27, 2021, so that the Rule would “include more specific criteria for what safeguards financial institutions must implement as part of their information security program such as limiting who can access consumer data and using encryption to secure the data.”
Many provisions of the Rule took effect within 30 days after the amendments were published in the Federal Register, while the provisions listed below were originally set to go into effect on December 9, 2022. However, the FTC determined that extending the effective date of these provisions was warranted based on reports that “there is a shortage of qualified personnel to implement information security programs and that supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems.” This basis apparently stems from a statement made by Deputy Chief Counsel Major L. Clark in a letter[1] sent by the Small Business Administration’s Office of Advocacy, outlining how these issues are magnified for small entities.
In a concurring statement,[2] Commissioner Christine S. Wilson stated that this extension was necessary, “[d]espite assurances that financial institutions were already implementing many of the requirements of the amended rule or had sophisticated compliance programs that could easily adopt and pivot to address new obligations,” due to the economic impact and burden that the proposed changes may have caused the covered institutions.
By the new June 9, 2023 effective date, financial institutions must:
designate a qualified individual to oversee their information security program,
develop a written risk assessment,
limit and monitor who can access sensitive customer information,
encrypt all sensitive information,
train security personnel,
develop an incident response plan,
periodically assess the security practices of service providers, and
implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Considering the basis for the delay, covered financial institutions should begin their compliance efforts with the amended Rule now, as these types of changes often require an institution to expend significant effort and resources.