The Federal Trade Commission recently finalized a long-discussed update to its cybersecurity Safeguards Rule that includes more specific criteria for what financial institutions must implement as part of their information security programs. Among other key changes, many companies are likely to be impacted by an expansion of the rule’s scope to include “finders,” which may allow such businesses (including fintech firms) to avoid the current regulatory burden and confusion of state law requirements.
As part of its implementation of the Gramm-Leach Bliley Act (GLBA), in 2002, the Federal Trade Commission (FTC) issued the Safeguards Rule (the Rule), which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. Until the recent update, the FTC had not amended the Rule since it was initially promulgated. The new Rule is the culmination of extensive work by the FTC that initially began in 2016.
Under the longstanding previous version of the Rule, companies are required to develop a written information security plan that implements administrative, technical, and physical safeguards appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the customer information they handle.
The prior iteration also requires companies to assess and address the risks to customer information in all areas of their operations. In addition, covered companies are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. Companies have enjoyed substantial flexibility in compliance under the prior version of the Rule, but sometimes found the lack of specifics frustrating. The FTC has now provided more specific instruction.
Significantly, the definition of “financial institution” under the Rule includes many businesses that may not normally describe themselves that way. In fact, the Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.
The update includes six main changes:
The added requirements of the updated Rule (e.g., qualified individual appointments, written risk assessments, annual penetration testing and biannual vulnerability assessments, periodic assessment of service providers, and written incident response plans) will take effect one year after its publication in the Federal Register (which makes the ultimate compliance date likely to be sometime in Q4 2022).
Most of these additional items may not be novel to companies that already have developed a robust information security program. As stated by the FTC itself in the preamble to the updated Rule:
The Commission believes that many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.
Many commentators have already noted that the measures closely track recently enacted regulations by state financial regulators such as the New York Department of Financial Services Cybersecurity Regulations and the Massachusetts Cybersecurity Regulations.
At the same time, the FTC published a supplemental notice of proposed rulemaking seeking comments on whether to make an additional change to the Rule to require financial institutions to report certain data breaches and other security events to the FTC.
Given the onus of compliance with an ever-changing state privacy law landscape, many entities may actually find it beneficial to be considered a “financial institution” under the Rule in order to be exempt from state laws, which generally have an exemption for entities or information subject to a federal privacy/cybersecurity law.
The update makes this somewhat easier by expanding the definition of a financial entity to include entities that are “significantly engaged in activities that are incidental to financial activity” as defined by the Bank Holding Company Act. This change brings one activity into the definition that was not covered before—the act of “finding” defined as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” “Finders” can be read broadly to include a variety of commercial enterprises, including many fintech business models.
The preamble to the updated Rule notes that there are certain limitations to what businesses are considered “finders” under the Rule, namely that only finding services involving consumer transactions will be covered and that the Rule only applies to the information of customers (consumers with which a financial institution has a continuing relationship). However, the addition of “finders” still allows for various types of entities to make a compelling argument that they are subject to the Rule.
Even with the addition of more prescriptive security requirements, being subject to the Rule may still be a straightforward way for companies to avoid wading into the confusing landscape of the current state law privacy regime. Additionally, the trend in certain privacy-related state laws—such as the California Consumer Privacy Act (CCPA) and in Virginia—has been to give consumers various opt-out and request rights that have not yet been adopted under federal law.
As an additional example of the expansiveness of state law when compared to the Rule, the FTC refused to include data that is “reasonably linkable” to individuals as “personally identifiable financial information.” This excludes from the scope of the Rule aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses but could possibly be linked to an individual. Such information is included as personal information under the CCPA.
Morgan Lewis has a global team of counselors that regularly assist clients in the compliance of privacy and cybersecurity regulations.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Catherine North Hounfodji
 12 CFR 225.86(d)(1).