On October 27, 2021, the Federal Trade Commission (FTC) released a final rule updating the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA) (the Final Rule). The Final Rule follows the FTC's 2019 request for comment on proposed changes to the Safeguards Rule and a public workshop held in 2020.
The Safeguards Rule applies to non-banking financial institutions, including certain financial technology companies, that are engaged in financial activities. The Final Rule makes significant updates to the original Safeguards Rule promulgated in 2003, most notably by 1) requiring financial institutions to follow more specific criteria for implementing safeguards to help protect their customers' information; and 2) adding provisions that are intended to increase the accountability of information security programs.
Key Provisions
Key provisions in the Final Rule include:
The Final Rule was approved by a 3-2 vote, with Commissioners Noah Joshua Phillips and Christine S. Wilson dissenting. In their dissent, Phillips and Wilson criticized the updated rule as too inflexible and prescriptive, and argued that the record did not show any need to update the Rule at all. The dissent contended that both competition and security itself would suffer: smaller companies are less able to absorb the financial costs of new regulatory mandates, and covered companies may be incentivized to treat compliance as a check-the-box exercise rather than a thoughtful risk assessment. Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter wrote separately to push back on the dissenting commissioners' criticisms, asserting that the updates were necessary to protect consumer information and to address an increasing number of data breaches.
Separately, the FTC is also inviting comments on a proposed rulemaking that would add a reporting requirement to the Safeguards Rule, requiring covered financial institutions to report data breaches and other security events to the Commission.
Conclusion
Financial institutions—including financial technology companies—that are covered by the GLBA are encouraged to reexamine their information security programs under the new Safeguards Rule to ensure compliance. Wilson Sonsini Goodrich & Rosati routinely assists financial technology companies with GLBA compliance, and will monitor developments in enforcement and industry standards to continue to assist our clients.
For more information or advice concerning the updated Safeguards Rule, or for assistance with drafting a comment to the FTC about its proposed rulemaking, please contact Libby Weingarten, Roger Li, or another member of the firm's privacy and cybersecurity practice.