After nearly twenty years, considering the increase in cyber attacks and the advent of cryptocurrency, the Federal Trade Commission (FTC) enacted a radically different Safeguards Rule that became effective January 10, 2022. Cybercriminals choose their targets wisely because they want maximum impact and profit. Financial institutions make juicy targets for cybercriminals because of their vast and ever-growing stores of digitally held, sensitive nonpublic personal information and the undeniable shift of financial transactions of all types to online channels. For example, the 2017 Equifax data breach impacted 147 million customers and, as a result, Equifax agreed to pay at least $575 million (and potentially up to $700 million) as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and fifty U.S. states and territories. The settlement alleged that the credit reporting company’s failure to take reasonable administrative, technical, and physical safeguards to protect consumers’ information from unauthorized use or access caused the data breach.
The Equifax data breach was a disaster on multiple fronts. The four primary flaws that facilitated the security breach were:
- The company failed to patch a well-known vulnerability (CVE-2017-5638) in Apache Struts, the open-source development framework behind its consumer web portal. At the time of the breach, the patch for CVE-2017-5638 had been available for six months.
- Equifax failed to segment its ecosystem, allowing the attackers to seamlessly access multiple servers after gaining access through the web portal breach.
- Usernames and passwords were stored in plain text, which the hackers used to escalate privileges to achieve deeper access.
- Equifax failed to renew an encryption certificate for one of their internal tools, which allowed the hackers to exfiltrate data undetected over a period of months.
Additionally, over a month went by before Equifax finally publicized the breach. During this period, top executives sold company stock, giving rise to insider trading accusations. This is just one of the many recent examples of data breaches that exposed millions of people’s private data.
The importance of consumer financial privacy drove Congress to enact the Gramm-Leach-Bliley Act (“GLBA”) in 1999. The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. The GLBA imposed both the Privacy Rule (customer notification requirements) and the Safeguards Rule (standards for safeguarding certain information) on financial institutions. The original Safeguards Rule (16 CFR part 314) became effective on May 23, 2003, and the FTC has administered the Safeguards Rule ever since.
Under the new, revised Safeguards Rule, the definition of “financial institution” has been broadened to focus on business activities that are financial in nature. Moreover, “nonpublic personal information” now covers any such record about a customer, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates. Additionally, the Safeguards Rule identifies nine elements that a covered business’s information security program must include:
- Designate a qualified individual responsible for overseeing, implementing, and enforcing the financial institution’s information security program. The required qualifications will depend on the size and complexity of the financial institution’s information system and on the volume and sensitivity of the customer information that the financial institution possesses or processes.
- Conduct and continuously monitor systems and data inventories.
- Protect all customer information by encryption, both in transit over external networks and at rest.
- Implement multi-factor authentication (MFA) for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution.
- Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates.
- Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
- Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information that is in the control of the financial institution.
- Regularly test, or otherwise monitor, the effectiveness of the safeguards’ key controls, systems, and procedures, including those used to detect actual and attempted attacks on, or intrusions into, information systems. Covered financial institutions are required to conduct penetration testing annually and vulnerability assessments at least every six months.
- Oversee service providers by requiring financial institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards.
The revised Safeguards Rule has some limits. First, the Safeguards Rule applies only to financial transactions “for personal, family, or household purposes.” Second, the Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 customers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors. Lastly, key provisions, including the appointment of a qualified individual and conducting a written risk assessment, do not become effective until December 9, 2022.
The FTC’s strengthening of financial privacy protections is part of a larger societal and governmental awakening to the need for greater information privacy and security protections. This revision, among other changes, is a signal to all businesses that use nonpublic personal information to begin to assemble their data teams, including privacy counsel, to assess their data governance requirements and cybersecurity hygiene.
Covered financial institutions include: mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, some travel agencies, automobile dealerships, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, non-SEC regulated investment advisors, entities acting as “finders,” and other entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.