US Federal Trade Commission Proposes Prescriptive Data Security Requirements and Other Updates to Its Gramm-Leach-Bliley Act Regulations

Mayer Brown Legal Update | March 22, 2019
On March 5, 2019, the Federal Trade Commission (the “FTC” or the “Commission”) proposed a number of revisions to its Gramm-Leach-Bliley Act[1] (“GLBA”) regulations. Most significantly, the Commission departs from its current non-prescriptive approach to data security by proposing to revise the Safeguards Rule[2] to require financial institutions to implement specific information security controls, including with respect to data encryption, multi-factor authentication, incident response planning, board reporting and program accountability. The proposal draws heavily in this regard from the cybersecurity regulations issued by the New York Department of Financial Services (“NYDFS Cyber Regulation”) in March 2017[3] and the insurance data security model law issued by the National Association of Insurance Commissioners (“NAIC Model Law”) in October 2017.[4] Finance companies and other non-bank lenders who are licensed in New York will need to comply with both the NYDFS Cyber Regulation and the FTC’s Safeguards Rule. Because the NYDFS Cyber Regulation imposes additional requirements and has provisions similar to those of the FTC proposal but broader in scope, financial institutions complying with the NYDFS Cyber Regulation should be well-prepared if the proposed changes are adopted by the Commission.[5]

Two commissioners issued a dissenting statement on the Safeguards Rule proposal.[6]

The FTC also proposes several amendments to its GLBA Privacy Rule,[7] which requires financial institutions to inform consumers about their privacy practices and to give consumers an opportunity to opt out of the sharing of personal information with certain nonaffiliated third parties. In particular, the proposal would update the Privacy Rule to reflect a statutory exemption to the annual privacy notice requirement that was enacted by Congress in 2015. It also would streamline the Privacy Rule to focus on motor vehicle dealers (the only type of financial institution over which the Commission continues to have Privacy Rule rulemaking authority).

Finally, in order to harmonize the FTC regulations with those promulgated by the Bureau of Consumer Financial Protection (the “CFPB”), the Securities and Exchange Commission (the “SEC”) and the federal banking agencies, the Commission also proposes to expand the definition of “financial institution,” both in the Safeguards Rule and the Privacy Rule, to include so-called “finders” (i.e., those who charge a fee to connect lenders with loan applicants) and other entities engaged in activities that are incidental to financial activities.

Interested parties must submit written comments to the Commission within 60 days after the proposals’ publication in the Federal Register.

Safeguards Rule

The proposal would make four main modifications to the existing Safeguards Rule. First, it would provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, including with respect to access controls, authentication, encryption, incident response, and accountability. Second, it would exempt small businesses from certain requirements. Third, it would expand the definition of “financial institution” to include finders. Finally, it would incorporate the definition of “financial institution” and related examples into the Safeguards Rule itself, instead of by cross-reference to the Privacy Rule.

INFORMATION SECURITY CONTROLS AND PROGRAM ACCOUNTABILITY

The existing Safeguards Rule largely is non-prescriptive, in that it allows financial institutions to tailor their information security programs to the size and scope of their operations and to the sensitivity and amount of customer information they collect. In its proposal, the FTC indicates that, while it generally intends to preserve this flexibility, it believes that mandating more specific requirements with respect to certain controls will benefit financial institutions by providing them with more guidance and certainty.

Chief Information Security Officer

Under the proposed rule, a financial institution would be required to designate a qualified individual responsible for overseeing, implementing and enforcing its information security program (a “Chief Information Security Officer” or “CISO”). The CISO may be employed by the financial institution, an affiliate, or a service provider. To the extent, however, that the CISO is employed by a service provider or an affiliate, the financial institution would be required to: (i) retain responsibility for compliance with the Safeguards Rule; (ii) designate a senior member of its personnel responsible for direction and oversight of the CISO; and (iii) require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the requirements of the Safeguards Rule.

Risk Assessment

A financial institution also would be required to base its information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. This process also must assess the sufficiency of any safeguards in place to control these risks. The risk assessment must be in writing and include:

1. Criteria for the evaluation and categorization of identified security risks or threats faced by the institution;
2. Criteria for the assessment of the confidentiality, integrity and availability of the institution’s information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats; and
3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

A financial institution would be required periodically to perform additional risk assessments to reexamine the reasonably foreseeable internal and external data security risks and to reassess the sufficiency of any safeguards in place to control such risks. Performing a risk assessment is also a key element of the NYDFS Cyber Regulation and the NAIC Model Law. The risk assessment enables a financial institution to tailor its information security program to reflect the actual risks faced by the institution rather than those risks faced by the industry.

Encryption, Multi-factor Authentication and Other Safeguards

The proposal also would require a financial institution to design and implement particular safeguards to control the risks that it identifies through its risk assessment process, including:

1. Placing access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information;
2. Periodically reviewing such access controls;
3. Identifying and managing the data, personnel, devices, systems and facilities that enable the institution to achieve business purposes in accordance with their relative importance to business objectives and risk strategy;
4. Restricting access at physical locations containing customer information only to authorized individuals;
5. Either: (i) encrypting all customer information held or transmitted by the institution, whether in transit over external networks or at rest; or (ii) to the extent that such encryption is not feasible, securing such customer information using effective alternate compensating controls reviewed and approved by the CISO;
6. Adopting secure development practices with respect to self-developed applications for transmitting, accessing or storing customer information;
7. Adopting procedures for evaluating, assessing or testing the security of any such applications which are externally developed;
8. Either: (i) implementing multi-factor authentication for any individual accessing customer information; or (ii) implementing reasonably equivalent or more secure access controls with respect to any individual accessing internal networks that contain customer information, provided that the CISO has approved such alternate controls in writing;[8]
9. Including audit trails within the information security program designed to detect and respond to security events;
10. Developing, implementing and maintaining procedures for the secure disposal of customer information in any format that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained;
11. Adopting change management procedures; and
12. Implementing policies, procedures and controls designed to monitor the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users.

Testing and Monitoring

The proposal would require a financial institution to regularly test or otherwise monitor the effectiveness of key information security controls, systems and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, a financial institution would be required to conduct:

1. Annual penetration testing of its information systems, determined each given year based on relevant identified risks in accordance with the risk assessment; and
2. Biannual vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities based on the risk assessment.

Program Implementation

Financial institutions would be required to implement policies and procedures to ensure that their personnel are able to enact the information security program, including by:

1. Providing personnel with security awareness training that is updated to reflect risks identified by the risk assessment;
2. Using qualified information security personnel (whether employed by the financial institution or by an affiliate or service provider) sufficient to manage the institution’s information security risks and to perform or oversee the information security program;
3. Providing information security personnel with security updates and training sufficient to address relevant security risks; and
4. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.

Service Provider Oversight

The proposal contemplates that financial institutions would be required to oversee service providers, by:

1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
2. Requiring service providers by contract to implement and maintain such safeguards; and
3. Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.

Program Evaluation

A financial institution would be required to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of its periodic risk assessments; or any other circumstances that the institution knows or has reason to know may have a material impact on the program.

Incident Response Plan

The proposal would require each financial institution to establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity or availability of customer information in its possession. The incident response plan would be required to address the following areas:

1. The goals of the incident response plan;
2. The internal processes for responding to a security event;
3. The definition of clear roles, responsibilities and levels of decision-making authority;
4. External and internal communications and information sharing;
5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
6. Documentation and reporting regarding security events and related incident response activities; and
7. The evaluation and revision, as necessary, of the incident response plan following a security event.

Board Reporting

The CISO would be required to report in writing, at least annually, to the financial institution’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report would be required to be timely presented to a senior officer responsible for the institution’s information security program. The report would be required to address:

1. The overall status of the information security program and the institution’s compliance with the Safeguards Rule; and
2. Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.

SMALL BUSINESS EXEMPTIONS

The FTC proposes to exempt small businesses from certain of the Safeguards Rule’s requirements. Specifically, financial institutions that maintain customer information concerning fewer than 5,000 consumers would not be required to comply with:

1. Section 314.4(b)(1), regarding the contents of the written risk assessment;
2. Section 314.4(d)(2), regarding continuous monitoring or periodic penetration testing and vulnerability assessments;
3. Section 314.4(h), regarding the written incident response plan; or
4. Section 314.4(i), regarding the requirement for the CISO to report in writing, at least annually, to the institution’s board of directors or equivalent governing body.

While the NYDFS Cyber Regulation and the NAIC Model Law have exemptions, these typically apply based on the number of employees or gross revenue rather than the number of customers.

DEFINITION OF “FINANCIAL INSTITUTION”

When it first promulgated the Privacy Rule in 2000, the FTC determined that companies engaged in activities that are “incidental to financial activities” would not be considered “financial institutions.” The FTC also decided that activities that were determined to be financial in nature after the enactment of the GLBA would not automatically be covered by its GLBA rules; rather, the Commission would have to take additional action to include them. The result was that – unlike the equivalent regulations promulgated by the CFPB and the other federal agencies with GLBA rulemaking authority – the FTC version of the Privacy Rule (and by extension, the Safeguards Rule) does not consider a loan “finder” to be a financial institution.

The FTC now proposes to harmonize the Safeguards Rule and Privacy Rule with the other agencies’ GLBA regulations by amending the definition of “financial institution” to include “incidental” activities and activities determined to be financial or incidental after 1999. This change would bring “finders” within the scope of the two rules. (The proposed change would not bring any other activities under the coverage of the rules at this time, because the Federal Reserve Board has not determined any activity other than finding to be financial in nature, or incidental to such activity, since the enactment of the GLBA.)

CONSOLIDATION OF DEFINITIONS

Currently, the definition of “financial institution” in the Privacy Rule—which governs the scope of the Safeguards Rule—applies to all financial institutions within FTC jurisdiction, despite the fact that most types of financial institution are now subject to the privacy rules promulgated by the CFPB, the SEC, and the federal banking agencies. The FTC notes in its proposed rule that this creates a confusing situation where the Privacy Rule, on its face, appears to cover types of “financial institution” that no longer are subject to the rule.

To resolve this confusion, the FTC proposes to revise the Privacy Rule to make its limited scope more clear, and to transfer the broader definition of “financial institution” and its accompanying examples from the Privacy Rule to the Safeguards Rule. This modification is intended only to increase clarity – it would have no substantive effect on the scope of the rules or their enforcement.

Privacy Rule

The FTC proposes to make three types of change to the Privacy Rule: (i) technical changes to correspond to the reduced scope of the rule pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act[9] (the “Dodd-Frank Act”) (e.g., removing references inapplicable to motor vehicle dealers); (ii) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the Fixing America’s Surface Transportation Act[10] (the “FAST Act”) in 2015; and (iii) as discussed above, modifications to the scope and definition of “financial institution” to include “finders” and other entities engaged in activities that are incidental to financial activities.

TECHNICAL CHANGES

The Dodd-Frank Act amended the FTC’s rulemaking authority under the GLBA such that the Privacy Rule only applies to motor vehicle dealers. The FTC proposes to delete references in the Privacy Rule to entities other than motor vehicle dealers, so as to avoid confusion as to the existing, narrower scope of the Privacy Rule.

Specifically, the proposed amendments narrow the description of the scope of the Privacy Rule to those financial institutions that are predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. The amendments also would remove the reference to “other persons” from the section of the Privacy Rule that describes its scope, because even though the FTC continues to have enforcement authority over “other persons” covered by the CFPB’s Regulation P, the Commission no longer has Privacy Rule rulemaking authority with respect to such persons.

ANNUAL PRIVACY NOTICE

On December 4, 2015, President Obama signed the FAST Act, which contains a provision that modified the GLBA annual privacy notice requirement. The FAST Act provision states that a financial institution is not required to provide an annual privacy notice if it: (i) only shares nonpublic personal information with nonaffiliated third parties in a manner that does not require an opt-out right be provided to customers (e.g., if the institution discloses nonpublic personal information to a service provider or for fraud detection and prevention purposes); and (ii) has not changed its policies and practices with respect to disclosing nonpublic personal information since it last provided a privacy notice to its customers.

In order to incorporate this exemption into the Privacy Rule, the Commission proposes to revise the regulation to indicate that a financial institution is not required to deliver an annual privacy notice if it:

1. Provides nonpublic personal information to nonaffiliated third parties only in accordance with one or more opt-out exceptions; and
2. Has not changed its policies and practices with regard to the disclosure of nonpublic personal information from those disclosed to the customer in the institution’s most recent GLBA privacy notice.

If a financial institution takes advantage of this exemption and subsequently changes its policies or practices in such a way that it no longer qualifies for the exemption, and Section 313.8 of the Privacy Rule requires the institution to provide a revised privacy notice, the institution would be required to provide an annual privacy notice in accordance with the standard timing requirements, treating the revised privacy notice as an initial privacy notice. If the institution no longer qualifies for the exemption because the institution has changed its policies or practices in such a way that Section 313.8 does not require a revised privacy notice, the institution would be required to provide an annual privacy notice within 100 days of the change in its policies or practices.

DEFINITION OF “FINANCIAL INSTITUTION”

As discussed above, the current versions of the Safeguards Rule and Privacy Rule do not cover “finders” or other entities engaged in activities that are incidental to financial activities. As with the Safeguards Rule, the Commission proposes to expand the definition of “financial institution” in the Privacy Rule to harmonize with the equivalent regulations promulgated by the CFPB, the SEC and the federal banking regulators.

Conclusion

While the proposed Privacy Rule updates are non-controversial, the proposed revisions to the Safeguards Rule would apply to a broad range of financial industry participants and reflect a marked change in the approach that federal regulators historically have taken with respect to information security. For financial institutions also covered by the NYDFS Cyber Regulation, the proposed revisions to the Safeguards Rule are very similar and should not require any significant changes to existing cybersecurity policies and procedures. Other financial institutions likely will need to revisit their existing information security policies and procedures if the proposed revisions eventually are adopted by the Commission. Financial institutions and their service providers should provide the Commission with comments on the proposals, particularly with respect to any implementation concerns they may have. Mayer Brown would be happy to assist your company in preparing any comments you wish to submit to the FTC.

For more information about the topics raised in this Legal Update, please contact any of the following lawyers.

David A. Tallman
+1 713 238 2696
dtallman@mayerbrown.com

Jeffrey P. Taft
+1 202 263 3293
jtaft@mayerbrown.com

Stephen Lilley
+1 202 263 3865
slilley@mayerbrown.com

Endnotes

[1] 15 U.S.C. §§ 6801 et seq.

[2] 16 C.F.R. Part 314.

[3] 23 NYCRR 500. The NYDFS Cyber Final Regulation applies to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking, Insurance or Financial Services Laws. For an overview of the NYDFS Cyber Regulation, see https://www.mayerbrown.com/en/perspectives-events/publications/2017/03/cybersecurity-ny-adopts-final-regulations-for-bank.

[4] See NAIC, Insurance Data Security Model Law, available at https://www.naic.org/store/free/MDL-668.pdf (last accessed Mar. 12, 2019). The NAIC Model Law requires every insurance licensee in a state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. To date, the NAIC Model Law has been adopted in Michigan, Ohio and South Carolina. For an overview of the NAIC Model Law, see https://www.mayerbrown.com/en/news/2017/11/dissecting-naics-insurance-data-security-model-law.

[5] One of the key differences between the NYDFS Cyber Regulation and the proposed changes to the Safeguards Rule is the information covered. The NYDFS Cyber Regulation covers nonpublic information, which includes confidential information of the covered entity and not just customer information. Because the GLBA and its implementing regulations only cover nonpublic personally identifiable information, the scope of the Safeguards Rule is narrower.

[6] Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Regulatory Review of Safeguards Rule, Matter No. P145407 (March 5, 2019), available at https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.

[7] 16 C.F.R. Part 313.

[8] The NYDFS Cyber Regulation does not limit the use of multi-factor authentication to accessing consumer information but rather applies it more broadly to cover nonpublic confidential information and information systems.

[9] P.L. No. 111-203.

[10] P.L. No. 114-94.