The Safeguards Rule of the Gramm-Leach-Bliley Act of 1999 requires financial institutions to implement security programs in order to keep customer information secure. The Safeguards Rule also extends contractually to affiliates and/or service providers of those financial institutions, including possibly “finders” (i.e., entities charging a fee to connect consumers looking for loans to lenders).

As Troutman Sanders reported in a prior post, the Federal Trade Commission proposed changes to the Privacy and Safeguards Rules on March 5, 2019, in response to comments submitted in 2016. The FTC sought to change the Safeguards Rule to “add more detailed requirements for what should be included in the comprehensive information security program[.]” The proposed amendment to the Safeguards Rule would require financial institutions to: (1) encrypt all customer data; (2) implement access controls to prevent unauthorized users from accessing customer information; (3) use multifactor authentication to access customer data; and (4) submit periodic reports to their board of directors.

After reviewing comments received in 2019 on the proposed changes, the FTC announced a public workshop, which will be held on May 13. The workshop will focus on comments on the proposed changes, seeking input on various topics, such as:

  • price models for specific elements of information security programs;
  • standards for security in various industries;
  • the availability of third-party information security services aimed at different sized institutions;
  • information about penetration and vulnerability testing; and
  • the costs of and possible alternatives to encryption and multifactor authentication.

The FTC will be accepting additional comments until June 12. More information, including instructions for submitting comments, may be found here.

Troutman Sanders will continue monitoring the FTC’s proposed amendments to the Gramm-Leach-Bliley Act and other issues relating to data security.