Federal Trade Commission Updates Cybersecurity “Safeguards Rule” for Financial Institutions

Last week, as the culmination of a process that began in 2016, the Federal Trade Commission (FTC) issued a Final Rule to update the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act. The Safeguards Rule applies to financial institutions, including non-banking companies “significantly engaged” in providing financial products or services such as mortgage brokers, automobile dealers, and payday lenders, requiring those institutions to develop and implement comprehensive security to keep their customers’ information safe.

Cyberattacks and other threats to consumer data have increased over the course of the COVID-19 pandemic, escalating regulatory scrutiny and business risks. These new changes to the Safeguards Rule largely focus on clarifying expectations for financial institutions, including:

  • More detailed requirements. The Final Rule creates clearer expectations with more detailed requirements for how financial institutions should develop and establish their information security programs, such as setting clearer requirements for employee training, establishing that risk assessments must be set forth in writing, and increasing safeguards through data encryption and authentication.

  • Qualified Individual. In order to improve accountability, the Final Rule designates one key person (to be known as the Qualified Individual) at each financial institution to be responsible for overseeing and implementing the information security program.

  • Board reporting. Financial institutions must schedule periodic reports on their information security programs to their board of directors or governing bodies, in the hope that the programs will receive the support and resources necessary for successful maintenance.

  • Change in scope. The Final Rule expands the definition of financial institutions to include “finders,” companies that bring together the buyers and sellers of a good or service, in a move that makes the definition of financial institution more analogous to that in the Bank Holding Company Act. In addition, some financial institutions that collect information on fewer than 5,000 consumers are exempted from the written risk assessment, incident response plan, and board reporting requirements.

Financial institutions regulated by the GLBA should familiarize themselves with the updated Safeguards Rule and evaluate their information security policies, focusing on ensuring they are compliant with the new requirements. The FTC also announced it is soliciting comments regarding the reporting of information security incidents, signaling the potential for further changes in the near future.