The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (the “Safeguards Rule”), which applies to financial institutions as defined in the rule. The amendments are designed to strengthen the security of consumers’ financial information following a recent increase in data breaches.
The amendments make four main changes to the existing rule, outlining additional protections financial institutions must implement when handling sensitive consumer data.
- First, the amendments provide additional guidance to financial institutions on developing and implementing an information security program, including access controls, authentication and encryption.
- Second, the changes increase accountability by requiring financial institutions to report periodically to their boards or governing bodies on their information security programs.
- Third, the amendments expand the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board considers incidental to financial activities, including “finders”, that is, brokers or other companies that bring together buyers and sellers of a product or service.
- Fourth, the changes reduce the burden on financial institutions that collect only small amounts of customer information by exempting them from certain requirements.
According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, the changes “detail common sense steps” that financial institutions and other entities that collect sensitive consumer data “must take to protect consumers’ data against cyberattacks and other threats”.
The amendments were approved by the FTC in a 3-2 vote, even though Rohit Chopra has left to head the Consumer Financial Protection Bureau and the agency temporarily has only four commissioners. Under little-known FTC rules, because Chopra voted on pending matters before he left, his votes continue to count and the Democrats retain a “majority” even though he is gone. Agency rules impose no time limit on announcing votes cast by a commissioner before that commissioner leaves the agency. Chopra’s replacement, privacy expert Alvaro Bedoya, has been nominated, but his confirmation hearing has not yet been scheduled.
The two Republican commissioners, Noah Joshua Phillips and Christine S. Wilson, opposed the amendments. In a joint statement, they expressed concern that “the new prescriptive requirements could weaken data security by diverting limited resources to a check-off compliance exercise and away from tailored risk management to meet the unique security needs of individual financial institutions”.
The changes continue the trend of expanded use of the FTC’s rulemaking authority under Chair Lina Khan. They follow the recent release of an FTC policy statement clarifying the agency’s position that health apps and associated connected devices are subject to the Health Breach Notification Rule. That rule requires vendors of personal health records (“PHRs”) and PHR-related entities to notify US consumers, the FTC and, for some breaches involving more than 500 consumers, the media when there has been a breach of unsecured PHR identifiable health information. These actions, combined with increased attention to privacy concerns, have sparked discussion about the potential need for a dedicated privacy office within the FTC, an idea fully supported by David Vladeck, former Director of the Bureau of Consumer Protection, at a September hearing of the Senate Commerce Subcommittee titled Protecting Consumer Privacy.
Whether or not the FTC creates a new office dedicated to privacy, businesses that collect or store consumer data should expect significantly increased scrutiny if they fail to protect that data.