FTC Proposes Amendments to Safeguards Rule to Track NY DFS Cybersecurity Regulation (and amendments to its Privacy Rule)

As we’ve been predicting, including here, the Cybersecurity Regulation adopted by the NY DFS for insurance, banking and other financial services continues to drive the conversation in the U.S.  The latest manifestation is the FTC proposal, announced March 5, 2019, to amend it Safeguards Rule adopted pursuant to the Gramm-Leach-Bliley Act of 1999 (GLBA) to require financial institutions to adopt certain safeguards to protect the nonpublic personal information of consumers.  In proposing its amendments, available here, the FTC stated they are “based primarily on” the NY DFS Cybersecurity Regulation and the NAIC data security model law, both of which have been reviewed in our prior articles, including the article linked above.

Key proposed changes to the Safeguards Rule include:

• Defining “security event” to include events that could compromise important systems as well as customer information
• Requiring an “information security program” addressing specified elements far beyond the current requirement for “safeguards,” and based on a prescribed “risk assessment”
• Specific requirements for a Chief Information Security Officer, or CISO, including reporting to the Board
• Multi-factor authentication or other, equivalent access controls
• Specifically requiring encryption of data, in transit and at rest
• Requiring certain written policies, including an incident response plan
• Specific requirements for data retention and disposal
• Monitoring of authorized users, and training and education requirements
• Audit trail requirements for security events
• Annual penetration tests and biannual vulnerability scans
• Requirements for managing third party service provider cybersecurity risk
• Reporting requirements

At the same time, the FTC issued proposed changes to its Privacy Rule under the GLBA to effect certain technical changes related to auto dealers, to modify the requirement for annual privacy notices in accordance with the FAST Act amendments, and to expand the definition of financial institution to include entities engaged in activities incidental to financial activities.  The proposed amendment to the Privacy Rule is available here.

The comment period for the proposed FTC amendments ends 60 days after publication (expected to be on or shortly after March 8, 2019) in the Federal Register.