The Federal Trade Commission (“FTC”) held its public workshop on the proposed changes to the Safeguards Rule under the Gramm-Leach-Bliley Act of 1999 (“GLBA”). The FTC has not updated the Safeguards Rule since implementing it in 2003. With businesses increasingly depending on, and operating through, electronic handling of non-public personal information (as during the COVID-19 outbreak), the FTC has stated that it seeks to modify the Safeguards Rule to “add more detailed requirements for what should be included in the comprehensive information security program[.]” Troutman Pepper attended the workshop to understand the FTC’s goals further and to learn about the concerns the FTC is hearing from leaders across a myriad of backgrounds, such as business and academia. Following some background on the Safeguards Rule, we discuss significant points that came up during the workshop below.

The Safeguards Rule Today:

The Safeguards Rule requires financial institutions, and potentially their affiliates, to keep non-public personal information secure.

The Safeguards Rule Applies to Financial Institutions

The term “financial institutions” can be misleading to those not familiar with the Safeguards Rule. A financial institution means “any institution the business of which is engaging in financial activities.” That covers those providing financial services to consumers, including banks, life insurance companies, and mortgage lenders, but also those extending credit by issuing credit cards to consumers, real estate appraisers, and some automobile dealerships offering specific financing, warranty, and servicing services to consumers. The term can also apply to colleges and universities providing financial aid to their students.

The Safeguards Rule Requires Institutions to Keep Non-Public Personal Information Secure

Institutions covered by the Safeguards Rule are required to “develop, implement, and maintain a comprehensive information security program.” A comprehensive information security program should (1) designate staff to coordinate the program; (2) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of non-public personal information; (3) maintain safeguards to control the risks identified, including regularly testing or monitoring those safeguards for effectiveness; (4) oversee service providers to ensure that non-public personal information they handle is kept secure; and (5) evaluate and adjust the program as necessary.

The Safeguards Rule Does Not Currently Provide Specific Requirements

When implementing the Safeguards Rule in the early 2000s, the FTC recognized that not all financial institutions would require the same level of complexity in their information security programs. As a result, the Safeguards Rule requires business leaders to implement a comprehensive information security program appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the non-public personal information it handles. As the FTC now recognizes, the Rule is flexible, but it fails to provide precise, detailed, process-based requirements that remain adaptable to changes in technology and business practice.

Some of the Proposed Changes:

In proposing amendments to the Safeguards Rule, the FTC seeks to maintain the existing flexibility of the Rule while adding more detailed requirements for comprehensive security programs, so that financial institutions take a more process- and risk-based approach to each program. Some of the proposed changes would require financial institutions to: (1) designate one qualified individual to be responsible for overseeing the program; (2) periodically perform additional risk assessments and monitor the effectiveness of the program, including assessing service providers; and (3) ensure that their comprehensive information security program addresses certain general and specific requirements.

Businesses Must Designate One Qualified Individual for Overseeing the Comprehensive Information Security Program

The proposed rule would require that a single qualified individual be designated to oversee an institution’s comprehensive security program. The proposed rule does not prescribe specific credentials for this individual; rather, a qualified individual is one who is capable of overseeing the program, considering the size and complexity of the network in question. The proposed rule would also allow institutions to assign an employee of an affiliate or a qualified third party to oversee the institution’s security program (i.e., institutions need not assign one of their own employees).

Potential Benefits Expressed by Panelists Regarding this Proposal:

One speaker suggested that this could improve efficiency and accountability for an institution that may need to make “hard calls” during critical times. A single individual would be better situated to document how, why, and when a decision is made, often an essential piece of evidence when assessing the efficacy of a security program.

Another benefit discussed was the potential to remove conflicts of interest that arise when security responsibilities are spread across several individuals. For example, individuals who must weigh whether to meet a quota for a specified task within a specific timeframe may be incentivized to set aside particular security concerns in the name of efficiency. A single individual in charge of a security program could eliminate this scenario if that person is asked to focus on security rather than to juggle several competing interests.

Concerns Expressed by Panelists Regarding this Proposal:

Concerns did arise, however, regarding this rule change, most prominently about the cost to businesses. For example, if businesses are required to assign a single “qualified” individual to oversee an existing program, they may need to hire someone from outside the institution, especially since the meaning of “qualified” is still unclear. Additionally, businesses that currently depend on the collective knowledge of several individuals to oversee various parts of an existing security program would need to consolidate that knowledge in one individual, which could prove costly to hire and train, especially at a time when businesses are strapped for cash during the COVID-19 pandemic.

Businesses Must Periodically Monitor the Effectiveness of Their Existing Program

The proposed rule modifications would require periodic evaluations, including assessing service providers, reviewing and updating an incident response plan, and requiring the designated individual to share written reports with a board (or another similar body within the organization).

Potential Benefits Expressed by Panelists Regarding this Proposal:

This rule could elevate leaders’ attention to security controls when monitoring existing programs, especially when done periodically. Leaders are in a unique position to assist organizations in reducing cyber risks. Periodic reviews would also give businesses additional opportunities to discuss security concerns across departments.

Additionally, requiring businesses to implement incident response plans and to review them would allow more productive and efficient responses to potential incidents, which often occur with little time to weigh possible options. Business leaders who have not dealt with, or created, an incident response plan should work through the questions they would face in a cyber emergency before one occurs.

Concerns Expressed by Panelists Regarding this Proposal:

Smaller businesses lacking resources may be unable to perform specific assessments or to monitor the effectiveness of existing security programs, which would eventually force those businesses to seek costly external assistance.

Additionally, leaders receiving written reports may require additional training or perspective, something the rule does not address. Consider the difficulty of measuring the success of a comprehensive security program: one report might state “nothing to report because no incidents occurred,” while another might list every potential security flaw found. Success would depend entirely on the “qualification” of the individual designated to oversee the business’s security program, a term that, as proposed, is vague.

The Comprehensive Information Security Program Must Address Certain Elements

A financial institution’s comprehensive information security program must address certain specific elements, such as encrypting non-public personal information and requiring multi-factor authentication for access to internal systems that hold it.

Encryption: Institutions would be required to encrypt non-public personal information both in transit and at rest. If a financial institution determines, however, that encryption is not feasible, the institution may use an alternative control approved by the designated qualified individual.

Multi-factor Authentication: This requirement would apply to all individuals with access to non-public personal information within the business’s internal network. The FTC defines multi-factor authentication as using at least two of the following factor types: a knowledge factor (password, biographical information); a possession factor (tokens, possession of a device); and an inherence factor (fingerprint, voice, or facial recognition).
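The two-factor check described above, as an added example written for this page (it is not rule text and was not shown at the workshop): a knowledge factor (a password checked against a PBKDF2 hash) combined with a possession factor (a time-based one-time code from an authenticator app, per RFC 6238). The user record, the password, and the 20-byte secret are constructed sample data; the secret is the test key from RFC 6238, whose published vectors (code 287082 at time 59) let the TOTP arithmetic be checked.

```python
"""Two-factor login check: knowledge factor (password) plus possession factor
(TOTP code, RFC 6238). Standard library only; no network or external service."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # slows offline guessing of a leaked hash
TOTP_STEP = 30                # seconds per code, as authenticator apps assume
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storing a new password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Possession factor. Accept the current step plus `window` steps either
    side to tolerate clock drift; check every candidate (no early return) so
    timing does not reveal which step matched."""
    counter = now // TOTP_STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            ok = True
    return ok


def authenticate(record: dict, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, so a wrong password
    and a wrong code take the same time and neither failure is distinguishable."""
    now = int(time.time()) if now is None else now
    pw_ok = verify_password(password, record["salt"], record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, now)
    return pw_ok and otp_ok


# Constructed sample user (hypothetical); the secret is the RFC 6238 test key.
_salt, _hash = hash_password("correct horse battery staple")
SAMPLE_USER = {"salt": _salt, "pw_hash": _hash,
               "totp_secret": b"12345678901234567890"}

if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector gives 94287082 (6 digits: 287082).
    print(authenticate(SAMPLE_USER, "correct horse battery staple", "287082", now=59))
    print(authenticate(SAMPLE_USER, "correct horse battery staple", "000000", now=59))
```

In a real deployment the TOTP secret is provisioned to the user’s authenticator once (usually via a QR code) and stored encrypted at rest on the server, and the password hash work factor is tuned to the server’s hardware. The point the proposed rule makes is that a correct password alone must not be sufficient, which is what `authenticate` enforces by requiring both checks to succeed.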

Potential Benefits Expressed by Panelists Regarding this Proposal:

The proposed change enhances the security of non-public personal information, especially as businesses increasingly depend on a remote workforce. Institutions could protect non-public personal information transmitted between a business server and a staff member’s home network through inexpensive encryption methods, such as Transport Layer Security (TLS). Note that TLS protects data in transit only; data at rest on the server or on the employee’s device needs separate protection to satisfy the encryption requirement. The proposed rule also appears to be sufficiently flexible to allow most institutions to design systems specific to their needs.

Concerns Expressed by Panelists Regarding this Proposal:

During periodic assessments, smaller institutions will have a difficult time requiring larger service providers to implement encryption or multi-factor authentication. This may leave smaller institutions with fewer service providers to choose from because of the increased requirements, and fewer options may in turn mean higher costs for institutions unable to bargain effectively.

Risks are also unique to each financial institution; requiring all institutions covered by this proposal to implement the same specific security procedures may prove impracticable.

Conclusion:

The FTC’s workshop echoed many of the concerns already submitted by commenters in prior months. The FTC is currently evaluating the workshop input to adjust the proposed amendments further. Troutman Pepper will continue to monitor developments regarding the GLBA’s Safeguards Rule, in addition to other privacy and information security events; stay tuned to learn more.