FTC Looks to NY’s Cyber Regulation in Proposed Changes to Safeguards Rule
When New York’s far-reaching cybersecurity law for financial institutions was enacted more than two years ago, some predicted it would serve as a national blueprint for future data security laws. Now, as the U.S. Federal Trade Commission considers changes to two privacy rules designed to safeguard customer information held by financial institutions, the proposed changes to one of them, the Safeguards Rule, hew closely to a handful of requirements already in place in New York.
It’s not surprising, then, that New York’s cybersecurity regulation, which was enacted in 2017 and covers banks and insurance companies that operate within the state’s borders, has taken a front seat, even with federal regulators, as a model for comprehensive data security regulation.
Last week, the FTC announced that it would seek public comment not only on proposed changes to the Safeguards Rule, but also to the Privacy Rule, which has been in effect since 2000, and requires financial institutions to tell customers about their information-sharing practices and allows the customer to opt out of having their information shared with certain third parties.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said the aim of the proposals is to "provide more certainty to business ... [and] are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”
Both rules are offspring of the Gramm-Leach-Bliley Act, or GLBA, enacted in 1999, and provide a general framework for regulating the privacy and data security practices of financial institutions.
The 2003 Safeguards Rule mandates that financial institutions “develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” As it stands, the Safeguards Rule has few detailed requirements; instead it directs financial institutions to take reasonable steps to safeguard customer information.
This isn’t the first time the commission has solicited public comments on the Safeguards Rule. In August 2016, the FTC first asked for public input on proposed changes to the rule. This time around, however, the proposed amendments are detailed and mirror aspects of New York’s cyber regulation. In particular, the proposed changes to the Safeguards Rule include:
- Designation of a Chief Information Security Officer or CISO, who would be the “single qualified individual responsible for overseeing and implementing the financial institution’s security program….”
- Elaborating on the existing risk assessment requirement, including requiring a written report;
- Requiring encryption of customer data, both at rest and in transit;
- Implementing access control protocols aimed to prevent unauthorized users from accessing customer information;
- Mandating the use of multi-factor authentication to access customer data;
- Requiring written incident response plans that set out how the institution will respond to and recover from a security event; and,
- Elevating cyber governance to a board-level issue and requiring periodic reports to an organization’s board of directors or other governing bodies.
The proposed amendments also move the Safeguards Rule closer to the NIST framework as well as the model law issued by the National Association of Insurance Commissioners.
The proposal to amend the Safeguards Rule drew dissent. Two FTC Commissioners, Noah Joshua Phillips and Christine S. Wilson, dissented from the proposal, arguing that the proposed approach “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”
The dissenters noted that the proposed changes to the Safeguards Rule “are based in substantial part on regulations promulgated two years ago by the New York State Department of Financial Services … [and] [w]e do not have data about the impact and efficacy of those regulations, so whether to adopt a version of them at the federal level and whether that version should be a floor for or should preempt state-level rules seem like questions worthy of more study.”
The deadline for public comments for both proposals is November 7, 2019.