FTC Delays Safeguards Rule Implementation for Certain Financial Institutions
Wednesday, November 23, 2022
FTC Extends Implementation Deadline of Safeguard Rule
Print Mail Download i

The Federal Trade Commission (“FTC”) announced last week that it is delaying the date by which certain financial institutions must comply with certain provisions of its updated Safeguards Rule by six months, with the compliance date now being June 9, 2023. Applicable to non-banking institutions such as mortgage brokers, motor vehicle dealers, and licensed lenders, the FTC’s iteration of the Safeguards Rule (16 C.F.R. 34) — which implements data security requirements from the Gramm-Leach-Bliley Act (“GLBA”) — was updated in December 2021. 

The FTC’s new requirements are not without controversy. The Safeguards Rule has been hailed as uniquely effective over the two decades it has been in place because it is technology-agnostic and instead requires all financial institutions to maintain data security programs that are commercially reasonable, compared to their cohorts. Indeed, in a dissenting opinion from Commissioners Noah Joshua Phillips and Christine S. Wilson, they note that “the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”

To that end, the following provisions have been delayed:

  • Designating a qualified individual to oversee the information security program;

  • Developing a written security risk assessment;

  • Limiting and monitoring who in their organization, and among their service providers and other third parties, can access sensitive customer information;

  • Encryption of all sensitive information;

  • Training of security personnel;

  • Development of an incident response plan;

  • Periodic assessment of the security practices of service providers; and

  • Implementation of multi-factor authentication, or another method of equivalent protection.

While most of these provisions are part of a robust information security program, the FTC cited the need for the delay as stemming from the multitude of small businesses affected by the Safeguards Rule that are still struggling with resuming business as usual after the pandemic.

© Copyright 2024 Cadwalader, Wickersham & Taft LLP

Current Legal Analysis

More from Cadwalader, Wickersham & Taft LLP

How to Address Your Control Issues
by: Jeffrey Nagle , Eric Starr
Another Step Nearer for CARF in the UK
by: Tax Practice at Cadwalader
Energy Tax Credit Guidance Continues to Blossom
by: Tax Practice at Cadwalader
It’s Raining Crypto Bots on the IRS
by: Tax Practice at Cadwalader
IRS Hints at Revolution in Tax-Free Spin-Off Rules, Ruling Practice
by: Tax Practice at Cadwalader
Balancing Uncle Sam’s Checkbook: Biden’s Tax Proposals
by: Adam Blakemore , Jon Brose
Shining a Light on European “Security-Lite” Financings
by: George Pelling
UK’s Financial Conduct Authority Publishes Business Plan
by: Alix Prentice
CFTC’s MRAC Tackles AI and Climate Change
by: Peter Y. Malyshev
Court Finds Corporate Transparency Act Unconstitutional and Unenforceable as to NSBA Members
by: Christian Larson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins