The Federal Trade Commission, citing an uptick in data breaches and cyberattacks, on Wednesday issued a long-debated set of updates to its rule mandating financial institutions establish safeguards to protect customers’ financial information.
In short, the FTC’s 145-page amended “Safeguards Rule”stipulates that non-banking financial institutions — including auto dealerships — establish and maintain more “comprehensive” security systems to protect customers’ information.
The Safeguards Rule, mandated by Congress under the 1999 Gramm-Leach-Bliley Act, has been the subject of scrutiny in recent years. The FTC asked for public comment on proposed changes to the rule back in 2019. The agency also held a public workshop on it last year, where potential fortifications to the rule were met with opposition from the National Automobile Dealers Association. NADA has not yet commented on the final rule.
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” FTC Bureau of Consumer Protection Director Samuel Levine said in a statement. “The updates adopted by the Commission to the Safeguards Rule detail commonsense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
The commission voted 3-2 to publish the updates to the Safeguards Rule in the Federal Register. Noah Joshua Phillips and Christine Wilson, the two commissioners who voted no, issued a dissenting statement.
“In fact, as several commenters observed, the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions,” the two commissioners wrote.
The FTC said it also is seeking additional input about whether it should further alter the Safeguards Rule to require financial institutions to disclose specific data breaches and other security incidents in which misuse of customer information has occurred or at least 1,000 customers have been affected.
Members of the public will have 60 days to submit a comment on that once the FTC publishes a notice in the Federal Register.
