2022-25201. Standards for Safeguarding Customer Information  


    AGENCY:

    Federal Trade Commission.

    ACTION:

    Final rule; delay of effectiveness.

    SUMMARY:

    The Federal Trade Commission is delaying the effective date of portions of the amended Safeguards Rule as published on December 9, 2021.

    DATES:

    Effective date: This final rule is effective November 23, 2022.

    Applicability date: The applicability of the provisions set forth in § 314.5 is delayed from December 9, 2022 until June 9, 2023.


    FOR FURTHER INFORMATION CONTACT:

    David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.


    SUPPLEMENTARY INFORMATION:

    I. Final Rule and Delay of Effectiveness

    On December 9, 2021, the Federal Trade Commission (Commission) amended the Safeguards Rule, 16 CFR part 314. While portions of the amended rule became effective on January 10, 2022, certain provisions were originally to become effective December 9, 2022. 16 CFR 314.5.

    The Commission is aware there is a reported shortage of qualified personnel to implement information security programs and supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems.[1] In addition, these difficulties were exacerbated by the COVID-19 pandemic that has been active as financial institutions have attempted to come into compliance with the amended Safeguards Rule. These issues may make it difficult for financial institutions, especially small ones, to come into compliance with the amended Safeguards Rule by December 9, 2022. Accordingly, the Commission is delaying the effective date of those portions of the Safeguards Rule that were to go into effect on December 9, 2022, until June 9, 2023.[2]

    II. Administrative Procedure Act

    The Commission is issuing the final rule without prior notice and the opportunity for public comment and, as explained below, without the delayed effective date ordinarily prescribed by the Administrative Procedure Act (APA).[3] Pursuant to section 553(b)(3)(B) of the APA, general notice and the opportunity for public comment are not required with respect to a rulemaking when an “agency for good cause finds (and incorporates the finding and a brief statement of reasons therefor in the rules issued) that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.” [4]

    The Commission believes the public interest is best served by revising 16 CFR 314.5 to delay the effective date of certain portions of the Safeguards Rule and by making such revision effective immediately upon publication in the Federal Register. As noted above, the COVID-19 pandemic has disrupted economic activity in the United States. This has exacerbated a reported shortage of qualified information security personnel and supply chain issues that can lead to delays involving equipment necessary to upgrade information security systems. Delaying the effective date of these portions of the amended Safeguards Rule will allow financial institutions additional time to effectively and efficiently bring their information security programs into compliance with the Rule.[5] For these reasons, the Commission finds that there is good cause consistent with the public interest to issue the rule without advance notice and comment.[6]

    The APA also requires a 30-day delayed effective date, except for “(1) substantive rules which grant or recognize an exemption or relieve a restriction; (2) interpretative rules and statements of policy; or (3) as otherwise provided by the agency for good cause.” [7] As noted above, the Commission finds there is good cause to revise the effective date of the portions of the Safeguards Rule that were previously designated to go into effect on December 9, 2022, immediately.[8] The Commission recognizes that, while this rule revision goes into effect immediately, the result of the revision is to give regulated parties additional time to come into compliance, so they would not be prejudiced if the change goes into effect immediately. Furthermore, the delay of an effective date of a substantive rule requirement is a “substantive rule[]” that “relieve[s] a restriction” for a period of time, which makes it eligible to take effect without the ordinary wait of 30 days.[9]

    III. Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act (PRA), an agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The Commission has reviewed this final rule pursuant to authority delegated by the OMB and has determined it does not contain any collections of information pursuant to the PRA.

    IV. Regulatory Flexibility Act and Congressional Review Act

    The Regulatory Flexibility Act (RFA) [10] requires an agency to consider whether the rules it proposes will have a significant economic impact on a substantial number of small entities. The RFA applies only to rules for which an agency publishes a general notice of proposed rulemaking pursuant to 5 U.S.C. 553(b). As discussed previously, consistent with section 553(b)(3)(B) of the APA, the Commission has determined for good cause that general notice and opportunity for public comment is unnecessary, and therefore the Commission is not issuing a notice of proposed rulemaking. Accordingly, the Commission has concluded the RFA's requirements relating to initial and final regulatory flexibility analyses do not apply. In any event, the extension of the effective date will reduce the burden of complying with the Rule for all covered financial institutions, including small businesses.

    Pursuant to the Congressional Review Act (5 U.S.C. 801 through 808), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).


    List of Subjects in 16 CFR Part 314

    • Consumer protection
    • Credit
    • Data protection
    • Privacy
    • Trade practices

    For the reasons stated above, the Federal Trade Commission amends 16 CFR part 314 as follows:


    PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION


    1. The authority citation for part 314 continues to read as follows:


    Authority: 15 U.S.C. 6801(b), 6805(b)(2).


    2. Revise § 314.5 to read as follows:

    Effective date.

    Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of June 9, 2023.


    By direction of the Commission.

    April J. Tabor,

    Secretary.


    Note: The following statement will not appear in the Code of Federal Regulations.

    Concurring Statement of Commissioner Christine S. Wilson

    The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer information.[1] In 2021, the Commission updated the Safeguards Rule to add several prescriptive requirements that necessitate significant investment to effectively implement.[2] I voted against the revisions to the rule, in part, because I feared the new obligations would inhibit flexibility and impose substantial costs, especially on small businesses.[3] Despite assurances that financial institutions were already implementing many of the requirements of the amended rule or had sophisticated compliance programs that could easily adopt and pivot to address new obligations, I was concerned that the Commission did not understand fully the economic impact of the proposed changes. It has become clear that the Commission may have underestimated the burdens imposed by the rule revisions.

    While I continue to note my concerns about the revisions to the recently amended Safeguards Rule, I support extending the effective date. Labor shortages of qualified personnel have hampered efforts by companies to implement information security programs. Some estimates place the shortage of cybersecurity professionals in the 500,000 range.[4] Supply chain issues also have led to delays in obtaining necessary equipment for upgrading systems. These factors are outside the control of financial institutions and have complicated efforts by companies to meet the requirements of the amended rule by year end.

    The revisions finalized in December 2021 did not merely codify basic security practices of most financial institutions. Rather, the modifications imposed new onerous, misguided, and complex obligations. Safeguarding customer information is important. But it is still unclear whether these mandates will translate into a significant reduction in data security risks or offer other substantial consumer benefits. Regardless of the rule's effects, companies should be given the time necessary to correctly implement the final rule's burdensome requirements. For these reasons, I support extending the effective date until June 2023.


    Footnotes

    1. See, e.g., James Legg, “Confronting the shortage of security professionals,” Forbes.com (Oct. 21, 2021), https://www.forbes.com/sites/forbesbusinesscouncil/2021/10/21/confronting-the-shortage-of-cybersecurity-professionals/; Cyber Seek, Cybersecurity Supply/Demand, https://www.cyberseek.org/heatmap.html; Robert Triggs, “The global computer chip shortage explained,” Androidauthority.com (June 5, 2022), https://www.androidauthority.com/computer-chip-shortage-1212941/.


    2. The Safeguards Rule's ongoing rulemaking was included in the Commission's Spring 2022 Regulatory Agenda, but that Agenda did not contemplate this final rule extending the effective date of parts of the final rule issued on December 9, 2021. See Fed. Trade Comm'n, Standards for Safeguarding Consumer Information, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3084-AB35. Pursuant to Section 22(d)(4) of the FTC Act, 15 U.S.C. 57-b3(d)(4), this Rule was not included in the Commission's Spring 2022 Regulatory Agenda because the Commission first considered this final rule and the reasons supporting it after its approval of the Agenda.


    4.   Id. at 553(b)(3)(B).


    5.  The revised deadline should also go into effect as soon as possible because the original deadline in December 2022 is imminent.


    7.   Id. at 553(d).


    8.   See id. at 553(d)(3).


    9.   Id. at 553(d)(1).


    2.  The amended Rule was published in the Federal Register on December 9, 2021. 86 FR 70272 (Dec. 9, 2021). As I noted at the time of the final rule's publication, I appreciated Staff's diligent work on the Safeguards Rule and commitment to consider input from all relevant parties. Staff's continued commitment to address the serious concerns of parties impacted by the Safeguards Rule is laudable.


    3. Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Final Rule Amending the Gramm-Leach-Bliley Act's Safeguards Rule (Oct. 27, 2021), https://www.ftc.gov/system/files/documents/public_statements/1597994/joint_statement_of_commissioners_phillips_and_wilson_in_the_matter_of_regulatory_review_of_the_1.pdf; Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Review of Safeguards Rule (Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.


    4. Data gathered under a Commerce Department grant indicates that there are over 500,000 unfilled cybersecurity job openings. The research indicates that nationally, there are only enough cybersecurity workers in the United States to fill 68% of the cybersecurity jobs that employers demand. Cyber Seek, Cybersecurity Supply/Demand Heat Map, https://www.cyberseek.org/heatmap.html (last visited Nov. 14, 2022).


    [FR Doc. 2022-25201 Filed 11-22-22; 8:45 am]

    BILLING CODE 6750-01-P

Document Information

Effective Date: 11/23/2022
Published: 11/23/2022
Department: Federal Trade Commission
Entry Type: Rule
Action: Final rule; delay of effectiveness.
Document Number: 2022-25201
Dates: Effective date: This final rule is effective November 23, 2022.
Pages: 71509-71511 (3 pages)
RINs: 3084-AB35: Standards for Safeguarding Customer Information
RIN Links: https://www.federalregister.gov/regulations/3084-AB35/standards-for-safeguarding-customer-information
Topics: Consumer protection, Credit, Privacy, Trade practices
CFR: 16 CFR 314.5