The FTC Safeguards Rule, required by the Gramm Leach Bliley Act, has been around for a long time. Basically, the Rule added specificity to how creditors are to handle customer information. The objectives of a “Safeguards Policy” required by the Rule are to:

• adopt a safeguards policy that insures the security and confidentiality of customer information,
• protect against reasonably anticipated threats to security, and
• protect against unauthorized access to such information.

The FTC Rule sets forth some guiding principles to include in the Policy. I’ve written about the Safeguards Rule in the past. See Safeguarding Customer Information, Safeguarding Customer Information and Data Breach Security! and Safeguarding Consumer Information, Again.

Last week, the FTC completely rewrote the Safeguards Rule by amending its five principal provisions to:

• add a provision designed to provide more guidance on how to develop and implement information security programs
• add a provision to improve accountability
• exempt financial institutions that collect less customer information from certain requirements
• expand the definition of “financial institution.”
• add a number of definitions.

So, what does all of this mean for you? 

Well, first, if your company does not fall within the “5,000 consumer exemption” there are two new and profound requirements:

1.  A true risk assessment, meeting specific criteria spelled out in the Rule must be implemented as a part of the Policy; and
2. A single “qualified individual” must be designated to serve under the Policy and report to the company’s board of directors.

Now, if you maintain “customer information” concerning fewer than 5,000 consumers, then you are exempt from certain of the Rule’s more exacting requirements including that you:

• maintain a written risk assessment protocol that includes criteria for evaluation and categorization of risks;
• monitor and test;
• establish a written incident response plan; and
• require a qualified individual to report in writing, regularly to the board of directors.

Customer information means any record containing nonpublic personal information (NPI) about a customer of a creditor, whether in a paper, electronic, or another form, that is handled or maintained by or on behalf of the creditor or its affiliates. So, a creditor that is close to the 5,000-consumer ceiling, may want to think about ways to eliminate retention of the NPI on enough consumers to fall under or within the exemption. 

Creditors will have one year to act upon these changes—meaning the new Rule will become effective approximately November 1, 2022.

Please Note: As I say often, it is time to dust off your Safeguards Policy and determine what changes, if any, this latest FTC Rulemaking requires of you.

Please Note: This is the one hundred eighty-fifth blog in a series of Back to Basics blogs, in which relevant and resourceful information can be easily accessed by clicking Dentons - Consumer Finance Report.