January 28, 2022

Volume XII, Number 28

Advertisement
Advertisement

January 28, 2022

Subscribe to Latest Legal News and Analysis

January 27, 2022

Subscribe to Latest Legal News and Analysis

January 26, 2022

Subscribe to Latest Legal News and Analysis

Federal Trade Commission Updates Cybersecurity “Safeguards Rule” for Financial Institutions

Last week, in the culmination of a process that began in 2016, the Federal Trade Commission (FTC) issued a Final Rule to update the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act. The Safeguards Rule applies to financial institutions, including non-banking companies “significantly engaged” in providing financial products or services such as mortgage brokers, automotive dealers, and payday lenders, requiring those institutions to develop and implement comprehensive security to keep their customers’ information safe.

Cyberattacks and other threats to consumer data have increased over the course of the COVID-19 pandemic, escalating regulatory scrutiny and business risks. These new changes to the Safeguards Rule largely focus on clarifying expectations for financial institutions, including:

  • More detailed requirements. The Final Rule creates clearer expectations with more detailed requirements for how financial institutions should develop and establish their information security programs, such as setting clearer requirements for employee training, establishing that risk assessments must be set forth in writing, and increasing safeguards through data encryption and authentication.

  • Qualified Individual. In order to increase accountability, the Final Rule designates one key person (to be known as the Qualified Individual) at each financial institution to be responsible for overseeing and enforcing the information security program.

  • Board reporting. Financial institutions must schedule periodic reports on the information security programs to their board of directors or governing bodies, in hopes that the programs will receive the support and resources necessary for successful maintenance.

  • Change in scope. The Final Rule expands the definition of financial institutions to include “finders”—companies that bring together the buyers and sellers of a good or service, in a move that makes the definition of financial institution more analogous to that in the Bank Company Holding Act. In addition, some financial institutions that collect information on fewer than 5,000 consumers are exempted from written risk assessment, incident response plan, and board reporting requirements.

Financial institutions regulated by the GLBA should familiarize themselves with the updated Safeguards Rule and evaluate their information security policies, focusing on ensuring they are compliant with the new requirements. The FTC also announced it is soliciting comments regarding reporting of data security incidents, signaling the possibility of additional changes in the near future.

© 2022 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume XI, Number 305
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Caitlin Throne Law Clerk Dinsmore Law Firm
Law Clerk

Caitlin focuses her practice on corporate law. Her prior experience includes working with private equity clients to evaluate market performance and potential acquisitions. She earned her J.D. from The Ohio State University Moritz College of Law.

Education

  • The Ohio State University Moritz College of Law  (J.D., magna cum laude, 2021)

    • Ohio State Law Journal, executive editor

    • Three CALI Awards for Excellence, including Debtor and Creditor Law

  • Carleton College  (B.A., cum laude, 2015)...

614-227-4222
Kurt R. Hunt, Dinsmore Shohl, Regulatory Compliance Attorney, Corporate Transactions Lawyer, Ohio,
Associate

Kurt focuses his practice on telecommunications and public utilities law, advising clients on general corporate and administrative issues, regulatory compliance, transactions, privacy obligations, and intellectual property matters. He is also an experienced litigator, and routinely represents clients in state and federal courts, as well as before administrative agencies and public utility commissions.

Knowing that public utilities operate inside a highly-regulated and specialized environment, Kurt is adept at tailoring his approach to fit each...

(513) 977-8101
Christian Gonzales, banking, corporate and securities lawyer, Dinsmore law firm
Associate

Christian advises clients on various aspects of banking, corporate and securities law, including mergers and acquisitions, securities offerings, business formation, regulatory compliance, and general corporate governance matters. 

Christian has extensive experience servicing the financial sector clients ranging from multi-billion dollar financial institutions to community banks and thrifts. Christian assists financial institutions in strategic growth, M&A transactions and other critical situations, and he has a broad range of experience in...

614-628-6921
Advertisement
Advertisement
Advertisement