• Deborah

On October 27, 2021, the Federal Trade Commission (FTC) published its Final Rule amending the Standards for Safeguarding Customer Information (Safeguards Rule). The modifications to the existing Rule include the following provisions:


  1. More detailed guidance on developing and implementing specific aspects of an overall information security program, such as access controls, authentication, and encryption

  2. Guidance to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies and the designation of a single Qualified Individual to be responsible for the information security program

  3. Exemptions from certain requirements, such as a written risk assessment and incident response plan, for financial institutions that collect information from fewer than 5,000 customers

  4. Expanded definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board (FSB) determines to be incidental to financial activities, in particular, companies that act as “finders”, “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate”


The Safeguards Rule requires financial institutions under the FTC’s jurisdiction to have measures in place to keep customer information secure. A supplemental notice of proposed rulemaking was also published on October 27, requesting public comment on a proposed requirement that financial institutions report security events to the FTC. The request for comments covers:

  • Appropriate deadline for reporting security events after discovery

  • Whether all security events should require notification or whether notification should be required only under certain circumstances

  • Whether such reports should be made public

  • Whether events involving encrypted information should be included in the requirement

  • Whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect a law enforcement investigation

