FTC Adopts New Requirements to Strengthen Financial Data Security
The FTC adopted additional amendments to its Standards for Safeguarding Customer Information (the "Safeguards Rule") to strengthen the data security measures that financial institutions must implement to protect consumer financial data. The amendments include:
imposing additional requirements for an information security program, including access controls, encryption of customer information in transit and at rest, and multi-factor authentication for anyone accessing customer information; and
increasing the potential for individual liability for breaches at financial institutions by (i) requiring the designation of a single "Qualified Individual" (who need not hold the title of chief information security officer) responsible for overseeing the security program and (ii) requiring that individual to report in writing, at least annually, to the firm's board of directors or equivalent governing body.
Amendments made to FTC Rule 314.4 ("Elements") will go into effect one year after publication in the Federal Register; certain other amendments will go into effect 30 days after their publication in the Federal Register.
FTC Commissioners Noah Joshua Phillips and Christine S. Wilson dissented, stating that the amendments are "wholly unsupported by record evidence of prevalent failures at the senior managerial level." Mr. Phillips and Ms. Wilson also argued that the amendments (i) were premature, (ii) reduce flexibility and (iii) impose substantially increased costs that will be difficult for smaller firms to bear.
FTC Chair Lina M. Khan and FTC Commissioner Rebecca Kelly Slaughter supported the amendments, pointing to the Equifax breach and to "the recent history of major data breaches" in support of their positions.
The FTC also requested comment on a proposal to further amend the Safeguards Rule by requiring financial institutions to report to the FTC any security event involving unauthorized access to the information of at least 1,000 consumers. Comments on that proposal must be submitted within 60 days of its publication in the Federal Register.