-
Start Preamble
AGENCY:
Federal Trade Commission.
ACTION:
Final rule; delay of effectiveness.
SUMMARY:
The Federal Trade Commission is delaying the effective date of portions of the amended Safeguards Rule as published on December 9, 2021.
DATES:
Effective date: This final rule is effective November 23, 2022.
Applicability date: The applicability of the provisions set forth in § 314.5 is delayed from December 9, 2022 until June 9, 2023.
Start Further Info Start Printed Page 71510FOR FURTHER INFORMATION CONTACT:
David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
I. Final Rule and Delay of Effectiveness
On December 9, 2021, the Federal Trade Commission (Commission) amended the Safeguards Rule, 16 CFR part 314. While portions of the amended rule became effective on January 10, 2022, certain provisions were originally to become effective December 9, 2022. 16 CFR 314.5.
The Commission is aware there is a reported shortage of qualified personnel to implement information security programs and supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems.[1] In addition, these difficulties were exacerbated by the COVID-19 pandemic that has been active as financial institutions have attempted to come into compliance with the amended Safeguards Rule. These issues may make it difficult for financial institutions, especially small ones, to come into compliance with the amended Safeguards Rule by December 9, 2022. Accordingly, the Commission is delaying the effective date of those portions of the Safeguards Rule that were to go into effect on December 9, 2022, until June 9, 2023.[2]
II. Administrative Procedure Act
The Commission is issuing the final rule without prior notice and the opportunity for public comment and, as explained below, without the delayed effective date ordinarily prescribed by the Administrative Procedure Act (APA).[3] Pursuant to section 553(b)(3)(B) of the APA, general notice and the opportunity for public comment are not required with respect to a rulemaking when an “agency for good cause finds (and incorporates the finding and a brief statement of reasons therefor in the rules issued) that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.” [4]
The Commission believes the public interest is best served by revising 16 CFR 314.5 to delay the effective date of certain portions of the Safeguards Rule and by making such revision effective immediately upon publication in the Federal Register . As noted above, the COVID-19 pandemic has disrupted economic activity in the United States. This has exacerbated a reported shortage of qualified information security personnel and supply chain issues that can lead to delays involving equipment necessary to upgrade information security systems. Delaying the effective date of these portions of the amended Safeguards Rule will allow financial institutions additional time to effectively and efficiently bring their information security programs into compliance with the Rule.[5] For these reasons, the Commission finds that there is good cause consistent with the public interest to issue the rule without advance notice and comment.[6]
The APA also requires a 30-day delayed effective date, except for “(1) substantive rules which grant or recognize an exemption or relieve a restriction; (2) interpretative rules and statements of policy; or (3) as otherwise provided by the agency for good cause.” [7] As noted above, the Commission finds there is good cause to revise the effective date of the portions of the Safeguards Rule that were previously designated to go into effect on December 9, 2022, immediately.[8] The Commission recognizes that, while this rule revision goes into effect immediately, the result of the revision is to give regulated parties additional time to come into compliance, so they would not be prejudiced if the change goes into effect immediately. Furthermore, the delay of an effective date of a substantive rule requirement is a “substantive rule[]” that “relieve[s] a restriction” for a period of time, which makes it eligible to take effect without the ordinary wait of 30 days.[9]
III. Paperwork Reduction Act
In accordance with the requirements of the Paperwork Reduction Act (PRA), an agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The Commission has reviewed this final rule pursuant to authority delegated by the OMB and has determined it does not contain any collections of information pursuant to the PRA.
IV. Regulatory Flexibility Act and Congressional Review Act
The Regulatory Flexibility Act (RFA) [10] requires an agency to consider whether the rules it proposes will have a significant economic impact on a substantial number of small entities. The RFA applies only to rules for which an agency publishes a general notice of proposed rulemaking pursuant to 5 U.S.C. 553(b). As discussed previously, consistent with section 553(b)(3)(B) of the APA, the Commission has determined for good cause that general notice and opportunity for public comment is unnecessary, and therefore the Commission is not issuing a notice of proposed rulemaking. Accordingly, the Commission has concluded the RFA's requirements relating to initial and final regulatory flexibility analyses do not apply. In any event, the extension of the effective date will reduce the burden of complying with the Rule for all covered financial institutions, including small businesses.
Pursuant to the Congressional Review Act (5 U.S.C. 801 through 808), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).
Start List of SubjectsList of Subjects in 16 CFR Part 314
- Consumer protection
- Credit
- Data protection
- Privacy
- Trade practices
For the reasons stated above, the Federal Trade Commission amends 16 CFR part 314 as follows:
Start PartPART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
End Part Start Amendment Part1. The authority citation for part 314 continues to read as follows:
End Amendment Part Start Amendment Part2. Revise § 314.5 to read as follows:
End Amendment PartStart Printed Page 71511Start SignatureEffective date.Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of June 9, 2023.
By direction of the Commission.
April J. Tabor,
Secretary.
Note:
the following statement will not appear in the Code of Federal Regulations.
Concurring Statement of Commissioner Christine S. Wilson
The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer information.[1] In 2021, the Commission updated the Safeguards Rule to add several prescriptive requirements that necessitate significant investment to effectively implement.[2] I voted against the revisions to the rule, in part, because I feared the new obligations would inhibit flexibility and impose substantial costs, especially on small businesses.[3] Despite assurances that financial institutions were already implementing many of the requirements of the amended rule or had sophisticated compliance programs that could easily adopt and pivot to address new obligations, I was concerned that the Commission did not understand fully the economic impact of the proposed changes. It has become clear that the Commission may have underestimated the burdens imposed by the rule revisions.
While I continue to note my concerns about the revisions to the recently amended Safeguards Rule, I support extending the effective date. Labor shortages of qualified personnel have hampered efforts by companies to implement information security programs. Some estimates place the shortage of cybersecurity professionals in the 500,000 range.[4] Supply chain issues also have led to delays in obtaining necessary equipment for upgrading systems. These factors are outside the control of financial institutions and have complicated efforts by companies to meet the requirements of the amended rule by year end.
The revisions finalized in December 2021 did not merely codify basic security practices of most financial institutions. Rather, the modifications imposed new onerous, misguided, and complex obligations. Safeguarding customer information is important. But it is still unclear whether these mandates will translate into a significant reduction in data security risks or offer other substantial consumer benefits. Regardless of the rule's effects, companies should be given the time necessary to correctly implement the final rule's burdensome requirements. For these reasons, I support extending the effective date until June 2023.
End Supplemental InformationFootnotes
1. See, e.g., James Legg, “Confronting the shortage of security professionals,” Forbes.com (Oct. 21, 2021), https://www.forbes.com/sites/forbesbusinesscouncil/2021/10/21/confronting-the-shortage-of-cybersecurity-professionals/; Cyber Seek, Cybersecurity Supply/Demand, https://www.cyberseek.org/heatmap.html; Robert Triggs, “The global computer chip shortage explained,” Androidauthority.com (June 5, 2022), https://www.androidauthority.com/computer-chip-shortage-1212941/.
Back to Citation2. The Safeguards Rule's ongoing rulemaking was included in the Commission's Spring 2022 Regulatory Agenda, but that Agenda did not contemplate this final rule extending the effective date of parts of the final rule issued on December 9, 2021. See Fed. Trade Comm'n, Standards for Safeguarding Consumer Information, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3084-AB35. Pursuant to Section 22(d)(4) of the FTC Act, 15 U.S.C. 57-b3(d)(4), this Rule was not included in the Commission's Spring 2022 Regulatory Agenda because the Commission first considered this final rule and the reasons supporting it after its approval of the Agenda.
Back to Citation4. Id. at 553(b)(3)(B).
Back to Citation5. The revised deadline should also go into effect as soon as possible because the original deadline in December 2022 is imminent.
Back to Citation7. Id. at 553(d).
Back to Citation8. See id. at 553(d)(3).
Back to Citation9. Id. at 553(d)(1).
Back to Citation2. The amended Rule was published in the Federal Register on December 9, 2021. 86 FR 70272 (Dec. 9, 2021). As I noted at the time of the final rule's publication, I appreciated Staff's diligent work on the Safeguards Rule and commitment to consider input from all relevant parties. Staff's continued commitment to address the serious concerns of parties impacted by the Safeguards Rule is laudable.
Back to Citation3. Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Final Rule Amending the Gramm-Leach-Bliley Act's Safeguards Rule (Oct. 27, 2021), https://www.ftc.gov/system/files/documents/public_statements/1597994/joint_statement_of_commissioners_phillips_and_wilson_in_the_matter_of_regulatory_review_of_the_1.pdf; Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Review of Safeguards Rule (Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.
Back to Citation4. Data gathered under a Commerce Department grant indicates that there are over 500,000 unfilled cybersecurity job openings. The research indicates that nationally, there are only enough cybersecurity workers in the United States to fill 68% of the cybersecurity jobs that employers demand. Cyber Seek, Cybersecurity Supply/Demand Heat Map, https://www.cyberseek.org/heatmap.html (last visited Nov. 14, 2022).
Back to Citation[FR Doc. 2022-25201 Filed 11-22-22; 8:45 am]
BILLING CODE 6750-01-P
Document Information
- Effective Date:
- 11/23/2022
- Published:
- 11/23/2022
- Department:
- Federal Trade Commission
- Entry Type:
- Rule
- Action:
- Final rule; delay of effectiveness.
- Document Number:
- 2022-25201
- Dates:
- Effective date: This final rule is effective November 23, 2022.
- Pages:
- 71509-71511 (3 pages)
- RINs:
- 3084-AB35: Standards for Safeguarding Customer Information
- RIN Links:
- https://www.federalregister.gov/regulations/3084-AB35/standards-for-safeguarding-customer-information
- Topics:
- Consumer protection, Credit, Privacy, Trade practices
- PDF File:
- 2022-25201.pdf
- Supporting Documents:
- » Standards for Safeguarding Customer Information
- » Standards for Safeguarding Customer Information
- CFR: (1)
- 16 CFR 314.5