As an update to prior coverage of the FTC’s final revisions to the Gramm-Leach-Bliley Safeguards Rule (Final Rule): following its publication in the Federal Register on December 9, 2021, the Final Rule will now take effect on January 8, 2022, 30 days after publication in the Federal Register.
Revisions to the Final Rule include an expansion of the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, harmonizing the rule with other federal agencies’ Safeguards Rules. This brings “finders” within the Final Rule, i.e., companies that bring together buyers and sellers “of any product or service for the transactions that the parties themselves negotiate and consummate.” Additionally, financial institutions must comply with the following sections beginning 30 days after the publication date: 4(d)(1) (updated testing and monitoring), 4(f)(1)-(2) (service provider oversight), and 4(g) (re-evaluation of the Written Information Security Program (WISP)). Financial institutions are given a year, however, to come into compliance with the following sections: 4(a) (qualified individual), 4(b)(1) (risk assessments), 4(c)(1)-(8) (required safeguards), 4(d)(2) (monitoring), 4(e) (training), 4(f)(3) (service provider), 4(h) (incident response plan), and 4(i) (qualified individual report). For a more detailed description of what each section effectively requires, please see our post from November.
The FTC’s request for comment on the proposed reporting requirement for certain cybersecurity events was also published on December 9, 2021, and commenters have 60 days to submit comments to the FTC. The proposed reporting obligation would require a covered financial institution to report a cybersecurity event in which it determines that customer information has been misused or is reasonably likely to be misused, and the information of 1,000 or more consumers has been affected or reasonably may be affected by the security incident. Financial institutions would be required to provide the Commission with: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information of the reporting financial institution; (3) if it is possible to determine, the date or date range of the security event; and (4) a general description of the security event. The FTC further proposes to make this information publicly available.