The Federal Trade Commission (FTC) announced its updated rule addressing data security safeguards that financial institutions are required to implement to protect their customers’ financial information. The FTC is enhancing its Safeguards Rule in hopes that financial institutions and other entities that collect sensitive consumer data protect it better to reduce the risk of breaches and cyberattacks.
The final rule details the required risk assessments to the existing Safeguards Rule found here. The Final Rule requires that financial institutions address “access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.” Training is still required, but the Rule continues to allow financial institutions the flexibility of designing an information security program that is appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.
Second, the Rule now requires the designation of a single “Qualified Individual” who is responsible for the information security program. It also requires periodic reports to boards of directors or other governing bodies, which will give senior management better awareness of the information security program. The Rule also exempts financial institutions that collect information on fewer than 5,000 consumers from the updates, to relieve small businesses of the additional burden.