Co-authored by Alison Bird
On March 5, 2019, the Federal Trade Commission (FTC) announced proposed amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLB), which addresses the obligations of financial institutions to protect the security of customer information. In some ways modeled on the New York Department of Financial Services Cybersecurity Regulation, the proposal maintains GLB’s process — or risk-based — approach to data protection, but it also outlines explicit cyber controls that regulated entities would be required to implement. While many firms may already have instituted some of those controls, certain proposed amendments are new or more explicit, and they may create significant implementation challenges. Five of the most noteworthy proposed amendments are detailed here.
- Appointment of a Chief Information Security Officer (CISO). Financial institutions would no longer be able to designate multiple people to coordinate an information security program. This change is intended to ensure that a single person is accountable for overseeing the institution’s entire information security program. Utilization of the CISO title is not required. Nor is the CISO required to be an employee, although the proposal makes clear that the financial institution retains responsibility for compliance if the CISO role is outsourced. The CISO would be required to report to the board of directors, or an equivalent governing body, at least annually.
- Encryption of Customer Information Both in Transit and at Rest. While many companies may currently encrypt data in transit, the requirement to encrypt data at rest is likely to present significant operational challenges for many enterprises. Nevertheless, the FTC believes that encryption is an appropriate and important way to protect customer information “in most circumstances,” even for data at rest. No particular technology or technique was mandated, and the proposal allows for utilization of alternative means if reviewed and approved by the company’s CISO.
- Implementation of Multi-Factor Authentication (MFA). MFA is flexibly defined in the proposal but is viewed as a “minimum standard” for allowing access to customer information. The proposal would require verification of at least two of the following factors: 1) knowledge factors, such as a password; 2) possession factors, such as a token; or 3) inherence factors, such as biometric characteristics. Requiring both a password and the receipt of a one-time passcode on a registered device would be acceptable. The proposal differs from the NYDFS Regulation in that it mandates MFA only for accessing customer information.
- Personnel Requirements. The proposal requires that companies provide appropriate personnel training and utilize only “qualified information security personnel” to manage security risks or oversee the information security program. Companies also would be required to provide such qualified personnel with security updates and training, and must verify that key information security personnel maintain up-to-date knowledge of security threats and countermeasures. This could be accomplished by offering incentives or funds for key personnel to take continuing education, including a requirement to stay current in employee performance metrics, or conducting an annual assessment of key personnel’s knowledge of threats related to their information systems.
- Data Minimization. The days of indefinitely retaining customer information appear to be coming to an end. Under the proposal, customer information must be discarded when it is no longer necessary for a “legitimate business purpose,” an undefined term in the proposal. The FTC noted that keeping records for longer than necessary and improper records disposal both create the risk of unauthorized disclosure of or access to customer information. That risk is mitigated by secure and timely disposal of such records. To comply, companies will need to identify the records they are holding and the related business purpose for retention, and establish processes for compliant targeted disposal. To maintain ongoing compliance, companies will need to implement appropriate records retention and disposal policies and procedures.
Next Steps and Recommendations
Written comments on the proposal will be due within 60 days of its publication in the National Register, and it is possible that certain proposed amendments will be modified. Nevertheless, the proposal is similar to and consistent with a growing national trend of regulations requiring financial institutions to address cyber security in a comprehensive, top-down way. Achieving compliance with the proposed amendments will require financial and personnel resource commitments from the regulated entity well in advance of the eventual compliance deadline.
Importantly, regulated businesses, and even currently unregulated entities, should consider that the FTC’s proposed amendments are likely to become a default cyber security industry standard. Financial institutions — and their business partners — would be well served by not waiting for the regulatory hammer to come down before addressing cyber security issues in line with this regulatory trend.