Updated FTC rule requires financial institutions, dealers, to beef up data security

The commission voted 3-2 to publish the updates to the Safeguards Rule in the Federal Register.

The Federal Trade Commission, citing an uptick in data breaches and cyberattacks, on Wednesday issued a long-debated set of updates to its rule mandating financial institutions establish safeguards to protect customers' financial information.

In short, the FTC's 145-page amended "Safeguards Rule"stipulates that non-banking financial institutions — including auto dealerships — establish and maintain more "comprehensive" security systems to protect customers' information.

The Safeguards Rule, mandated by Congress under the 1999 Gramm-Leach-Bliley Act, has been the subject of scrutiny in recent years. The FTC asked for public comment on proposed changes to the rule back in 2019. The agency also held a public workshop on it last year, where potential fortifications to the rule were met with opposition from the National Automobile Dealers Association. NADA has not yet commented on the final rule.

"Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it," FTC Bureau of Consumer Protection Director Samuel Levine said in a statement. "The updates adopted by the Commission to the Safeguards Rule detail commonsense steps that these institutions must implement to protect consumer data from cyberattacks and other threats."

A spokesman for the National Automobile Dealers Association said the final amendments have "a significant number of new and expanded requirements for dealers" that depart from the FTC's usual "flexible and self-modernizing approach."

"While we are pleased that the FTC, in direct response to NADA’s input, made significant changes and provided important clarifications to the proposed amended rule, many of the new requirements being imposed still lack the scalability and flexibility that will make them achievable by smaller businesses," the spokesman said. "Unfortunately, this will likely lead to increased costs and liability exposure for dealers without producing corresponding benefits to consumers.” 

The commission voted 3-2 to publish the updates to the Safeguards Rule in the Federal Register. Noah Joshua Phillips and Christine Wilson, the two commissioners who voted no, issued a dissenting statement.

"In fact, as several commenters observed, the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions," the two commissioners wrote.

The FTC said it also is seeking additional input about whether it should further alter the Safeguards Rule to require financial institutions to disclose specific data breaches and other security incidents in which misuse of customer information has occurred or at least 1,000 customers have been affected.

Members of the public will have 60 days to submit a comment on that once the FTC publishes a notice in the Federal Register.

Key takeaways

One update to the rule will require financial institutions to designate one individual to head up their information security programs and report periodically to their organization's board of directors or senior officer in charge of information security, the FTC said.

Another part of the FTC's updated rule says financial institutions should be prepared to explain their safeguards — including how they access, collect, process, protect, store, use, transmit and dispose of customers' information.

Modifications

In all, the final rule contains five main modifications.

It adds provisions to establish information security programs that incorporate access controls, authentication and encryption. It also adds provisions to boost financial institutions' accountability by requiring the aforementioned periodic reports to boards of directors and governing bodies.

Financial institutions that collect less customer information are exempted from some requirements, according to the updated rule.

It also expands the definition of financial institution to "include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities" — which brings buyers and sellers of a product or service under the scope of the rule.

Finally, the rule defines several terms and provides related examples within itself instead of incorporating them by reference from the Privacy of Consumer Financial Information Rule.

Staff writer Lindsay VanHulle contributed to this report.

RECOMMENDED FOR YOU
Ally expects low inventory, elevated auto loan originations in '22
Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
ALLY-MAIN_i.jpg
Ally expects low inventory, elevated auto loan originations in '22
Ally to buy Fair Square Financial for $750 million
Ally to buy Fair Square Financial for $750 million
Associated Bank begins indirect auto lending, seeks $1B portfolio by '22
Associated Bank begins indirect auto lending, seeks $1B portfolio by '22
Sign up for free newsletters
Digital Edition
Automotive News 10-25-21
THIS WEEK'S EDITION
See our archive
Fixed Ops Journal
Fixed Ops Journal 10-11-21
Read the issue
See our archive