On October 27, 2021, the Federal Trade Commission (FTC) published its Final Rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule) containing modifications to the existing Rule including the following provisions:
More detailed guidance on developing and implementing specific aspects of an overall information security program, such as access controls, authentication, and encryption
Guidance to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies and the designation of a single Qualified Individual to be responsible for the information security program
Exemptions for financial institutions that collect information from less than 5,000 customers from certain requirements such as a written risk assessment and incident response plan
Expanded definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board (FRB) determines to be incidental to financial activities, in particular companies that act as “finders”, “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate”
The Safeguards Rule requires financial institutions under the FTC’s jurisdiction to have measures in place to keep customer information secure. A supplemental notice of proposed rulemaking was also published on October 27, requesting public comment on a proposed requirement that financial institutions report security events to the FTC. The request for comments covers:
Appropriate deadline for reporting security events after discovery
Whether all security events should require notification or whether notification should be required only under certain circumstances
Whether such reports should be made public
Whether events involving encrypted information should be included in the requirement
Whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect a law enforcement investigation