New FTC Rule Has Implications for How Financial Companies Manage Data

On October 27, 2021 the Federal Trade Commission (FTC) updated the Safeguards Rule of the Gramm-Leach-Bliley Act (known as the GLBA), with important implications for how financial institutions collect, manage, and use consumer information. The GLBA Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. The Safeguards Rule applies to non-bank lenders, mortgage companies and brokers, property or real estate appraisers, some motor vehicle dealers, debt collectors, tax preparers, and credit reporting agencies.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. Levine added, “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The amendments modify the Safeguards Rule in the following key ways:

1. Requires written risk assessments about information security that address the following:
  • access controls;
  • data inventory and classification;
  • encryption;
  • secure development practices;
  • authentication;
  • information disposal procedures;
  • change management;
  • testing;
  • incident response;

2. Requires the designation of a single individual responsible for overseeing implementation of a financial institution’s information security program (the “Qualified Individual”), and for the Qualified Individual to make periodic reports to their boards of directors or governing bodies regarding their information security program;

3. Exempts from certain Safeguards Rule requirements financial institutions that collect information on fewer than 5,000 consumers;

4. Expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The final Safeguards Rule now applies to “finders,” including companies that bring together buyers and sellers of a product or service;

5. Defines key terms and provides relevant examples within the Safeguards Rule itself.

The updated Safeguards Rule also sets forth more detailed requirements for information security plans. These requirements directly address the ways regulated businesses approach data management, including requirements for encrypting customer information, tracking an inventory of consumer data, and putting procedures in place to delete consumer data (see the detailed list below).

Many of the requirements described above overlap with data privacy laws, such as the California Consumer Privacy Act (CCPA), which has explicit requirements for businesses that collect consumer information from California residents. It is important to note that while the CCPA and other state laws create some exemptions for the management of consumer information regulated under the GLBA, those exemptions have limitations.

Financial businesses seeking to comply with both the CCPA and the GLBA Safeguards Rule may at times be burdened with figuring out which consumer datasets are covered by which regulation. For instance, personal information collected by a lender during a marketing campaign to a California consumer before actually providing a financial product to that consumer may not be covered under the GLBA, but would likely require compliance with the CCPA. The common thread between implementation of the updated GLBA Safeguards Rule and consumer privacy laws is a requirement for robust data inventory management and the capability to audit data privacy implementation.

A more detailed list of the GLBA Final Rule requirements for information security plans is provided below:

  • Implement and periodically review access controls to (1) authenticate and permit access only to authorized users and (2) limit authorized users’ access only to customer information that they need to perform their duties and functions.
  • Inventory and manage data, personnel, devices, systems, and facilities.
  • Encrypt all customer information both in transit over external networks and at rest.
  • Adopt secure development practices for in-house developed applications that process customer information and procedures for evaluating, assessing, or testing the security of externally developed apps.
  • Implement multifactor authentication for any individual accessing any information system or use other reasonably equivalent or more secure access controls.
  • Develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information is used.
  • Adopt procedures for change management.
  • Monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information.

The final rule is effective 30 days after the date it is published in the Federal Register.