AGENCY:

Federal Trade Commission.

ACTION:

Final rule.

SUMMARY:

The Federal Trade Commission (“FTC” or “Commission”) is issuing a final rule (“Final Rule”) to amend the Standards for Safeguarding Customer Information (“Safeguards Rule” or “Rule”). The Final Rule contains five main modifications to the existing Rule. First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. Second, it adds provisions designed to improve the accountability of financial institutions' information security programs, such as by requiring periodic reports to boards of directors or governing bodies. Third, it exempts financial institutions that collect less customer information from certain requirements. Fourth, it expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporates them from the Privacy of Consumer Financial Information Rule (“Privacy Rule”).

DATES:

Effective date: This rule is effective January 10, 2022.

Applicability date: The provisions set forth in § 314.5 are applicable beginning December 9, 2022.

FOR FURTHER INFORMATION CONTACT:

David Lincicum (202-326-2773), Katherine McCarron (202-326-2333), or Robin Wetherill (202-326-2220), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

Congress enacted the Gramm Leach Bliley Act (“GLB” or “GLBA”) in 1999.^[1] The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions' privacy practices and about their opt-out rights, and to implement security safeguards for customer information.

Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.^[2] Pursuant to the Act's directive, the Commission promulgated the Safeguards Rule (16 CFR part 314) in 2002. The Safeguards Rule became effective on May 23, 2003.

The current Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.^[3] The information security program must be written in one or more readily accessible parts.^[4] The safeguards set forth in the program must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.^[5] The safeguards must also be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.^[6]

In order to develop, implement, and maintain its information security program, a financial institution must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.^[7] The financial institution must then design and implement safeguards to control the risks identified through the risk assessment, and must regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.^[8] The Rule also requires the financial institution to evaluate and adjust its information security program in light of the results of this testing and monitoring, any material changes in its operations or business arrangements, or any other circumstances it knows or has reason to know may have a material impact on its information security program.^[9] The financial institution must also designate an employee or employees to coordinate the information security program.^[10]

Finally, the current Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.^[11]

II. Regulatory Review of the Safeguards Rule

On September 7, 2016, the Commission solicited comments on the Safeguards Rule as part of its periodic review of its rules and guides.^[12] The Commission sought comment on a number of general issues, including the economic impact and benefits of the Rule; possible conflicts between the Rule and state, local, or other Federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes. The Commission received 28 comments from individuals and entities representing a wide range of viewpoints.^[13] Most commenters agreed there is a continuing need for the Rule and it benefits consumers and competition.^[14]

On April 4, 2019, the Commission issued a notice of proposed rulemaking (NPRM) setting forth proposed amendments to the Safeguards Rule (the “Proposed Rule”).^[15] In response, the Commission received 49 comments from various interested parties Start Printed Page 70273 including industry groups, consumer groups, and individual consumers.^[16] On July 13, 2020, the Commission held a workshop concerning the proposed changes and conducted panels with information security experts discussing subjects related to the Proposed Rule.^[17] The Commission received 11 comments following the workshop.^[18] After reviewing the initial comments to the Proposed Rule, conducting the workshop, and then reviewing the comments received following the workshop, the Commission now issues final amendments to the Safeguards Rule.

III. Overview of Final Rule

As noted above, the Final Rule modifies the current Rule in five primary ways. First, the Final Rule amends the current Rule to include more detailed requirements for the development and establishment of the information security program required under the Rule. For example, while the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the Final Rule sets forth specific criteria for what the risk assessment must include, and requires the risk assessment be set forth in writing. As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. And while the Final Rule retains the requirement from the current Rule that financial institutions provide employee training and appropriate oversight of service providers, it adds mechanisms designed to ensure such training and oversight are effective. Although the Final Rule has more specific requirements than the current Rule, it still provides financial institutions the flexibility to design an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

Second, the Final Rule adds requirements designed to improve accountability of financial institutions' information security programs. For example, while the current Rule allows a financial institution to designate one or more employees to be responsible for the information security program, the Final Rule requires the designation of a single Qualified Individual. The Final Rule also requires periodic reports to boards of directors or governing bodies, which will provide senior management with better awareness of their financial institutions' information security programs, making it more likely the programs will receive the required resources and be able to protect consumer information.

Third, recognizing the impact of the additional requirements on small businesses, the Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.

Fourth, the Final Rule expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finders often collect and maintain very sensitive consumer financial information, and this change will require them to comply with the Safeguards Rule's requirements to protect that information. This change will also bring the Rule into harmony with other Federal agencies' Safeguards Rules, which include activities incidental to financial activities in their definition of financial institution.

Finally, the Final Rule includes several definitions and related examples, including of “financial institution,” in the Rule itself rather than incorporate them from a related FTC rule, the Privacy of Consumer Financial Information Rule, 16 CFR part 313. This will make the rule more self-contained and will allow readers to understand its requirements without referencing the Privacy Rule.

IV. Section-by-Section Analysis

General Comments

The Commission received 49 comments in response to the NPRM for the Proposed Rule, from a diverse set of stakeholders, including industry groups, individual businesses, consumer advocacy groups, academics, information security experts, government agencies, and individual consumers. It also hosted a workshop on the Proposed Rule, which included approximately 20 security experts. Some of the comments simply expressed general support ^[19] or general disapproval ^[20] of the Proposed Rule. Many, however, offered detailed responses to specific proposals in the NPRM. In general, industry groups were opposed to most or all of the Proposed Rule, and consumer advocacy groups, academics, and security experts were generally in favor of the amendments. The comments and workshop record are discussed in the following Section-by-Section analysis.

Sec. 314.1: Purpose and Scope

The Purpose and Scope section of the current Rule generally states the Rule implements the Gramm-Leach-Bliley Act and applies to the handling of customer information by financial institutions over which the FTC has jurisdiction. In its NPRM, the Commission proposed adding a definition of “financial institution” modeled on the definition included in the Commission's Privacy Rule (16 CFR part 313) and a series of examples providing guidance on what constitutes a financial institution under the Commission's jurisdiction. Other than expanding the definition of “financial institution” as discussed below, the new language was not meant to reflect a substantive change to the Safeguards Rule; rather, it was meant to allow the Rule to be read on its own, without reference to the Privacy Rule.^[21] The Commission received no comments that addressed this section specifically, and Start Printed Page 70274 the Commission adopts the language of the Proposed Rule in the Final Rule.^[22]

Sec. 314.2: Definitions

The Proposed Rule added a number of definitions to § 314.2. The Proposed Rule also retained paragraph (a), which states terms used in the Safeguards Rule have the same meaning as set forth in the Privacy Rule.

The American Council on Education (ACE) suggested all terms from the Privacy Rule, such as “consumer,” “customer,” and “customer information,” be included in the Final Rule in order to make the Final Rule easier for regulated entities to understand.^[23] On the other hand, HITRUST recommended no definitions from the Privacy Rule be duplicated in the Safeguards Rule, reasoning that in the event of a need to amend the terms, it would require the amendment of two rules rather than one.^[24]

The Commission is persuaded including all terms from the Privacy Rule within the Safeguards Rule will improve clarity and ease of use. Accordingly, the Commission has determined to delete paragraph (a), since it is no longer necessary to state all terms in the Safeguards Rule have the same meaning as in the Privacy Rule. It also adds the Privacy Rule definitions of “consumer,” “customer,” “customer relationship,” “financial product or service,” “nonpublic personal information,” “personally identifiable financial information,” “publicly available information,” and “you” to the definitions in the Final Rule. No substantive change to these definitions is intended.

Authorized User

The Proposed Rule added a definition for the term “authorized user” as paragraph (b). Proposed paragraph (b) defined an authorized user of an information system as any employee, contractor, agent or other person that participates in your business operations and is authorized to access and use any of your information systems and data. This term was used in § 314.4(c)(10) of the Proposed Rule, which required financial institutions to implement policies to monitor the activity of “authorized users” and detect unauthorized access to customer information.

The Commission received one comment on this proposed definition from the National Automobile Dealers Association (NADA), which suggested the term “authorized user” was used inconsistently and was too vague.^[25] NADA pointed out while “authorized user” is a defined term, the term “authorized individual” was used in proposed § 313.4(c)(1) (addressing access controls for information systems) and (c)(3) (addressing access controls for physical data). NADA also argued the inclusion of “other person that participates in the business operations of an entity” within the definition of “authorized user” was unclear and created ambiguity in its application.^[26]

The Commission agrees with NADA's points, and, in response, modifies the Final Rule in two ways. First, the Final Rule replaces the term “authorized individual” with “authorized user” in § 313.4(c)(1). As described further below, because the Final Rule combines § 313.4(c)(3) with § 313.4(c)(1), there is no need to make a corresponding change to that section.

Second, because the Commission agrees the ambiguities in the definition of “authorized user” from the Proposed Rule could create confusion, it makes several changes to the definition. It deletes the phrase “other person that participates in the business operations of an entity.” The Commission agrees this phrase was vague. The Commission had intended it to cover any person the financial institution allows to access information systems or data, including, for example, “customers” of the financial institutions. For the purpose of controlling authorized access and detecting unauthorized access (which is where the definition of “authorized user” appears), financial institutions should monitor anomalous patterns of usage of their systems, not only by employees and agents, but also by customers and other persons authorized to access systems or data. To clarify this point, the Commission adds “customer or other person” to the definition of “authorized users.”

The Commission intends that the definition of “authorized users” should include anyone who the financial institution authorizes to access an information system or data, regardless of whether that user actually uses the data. Thus, for clarity, the Commission has deleted the requirement that the authorized user be authorized to use the information system or data. Finally, the definition of authorized user should include users who can access both “information systems and data” and users authorized to access either information systems or data. Accordingly, for clarification purposes, the Commission modifies the definition of authorized user in the Final Rule as any employee, contractor, agent, customer or other person that is authorized to access any of your information systems or data.

Security Event

In proposed paragraph (c), the Commission defined security event as an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system. This term was used in provisions requiring financial institutions to establish a written incident response plan designed to respond to security events. It also appeared in the provision requiring the coordinator of a financial institution's information security program to provide an annual report to the financial institution's governing body; the required report must identify all security events that took place that year.

Commenters expressed three main concerns with this definition. The first relates to whether the term “security event” should be expanded to instances in which there is unauthorized access to, or disruption or misuse of, information in physical form, as opposed to electronic form. The Proposed Rule used the term “security event” instead of “cybersecurity event” to clarify that an information security program encompasses information in both digital and physical forms and that unauthorized access to paper files, for example, would also be a security event under the Rule. The Money Services Round Table (MSRT), however, noted despite the use of the more general “security” in the defined term, the definition itself is limited to events involving information systems.^[27] The Commission agrees this creates a contradiction. Accordingly, the Final Rule includes the compromise of customer information in physical form in the definition of “security event.”

Second, some industry groups argued a “security event” should occur only when there is “unauthorized access” to an information system, not in cases in which there has been a “disruption or misuse” of such systems ( e.g., a ransomware attack).^[28] These Start Printed Page 70275 commenters argued the disruption or misuse of information systems is not directly related to the protection of customer information and is, therefore, outside the Commission's statutory authority.^[29] The Commission disagrees. Requiring a financial institution to protect against disruption and misuse of its information system is within the Commission's authority under the GLBA, which directed the Commission to promulgate a rule that required financial institutions to “to protect against any anticipated threats or hazards to the security or integrity” of customer information. A disruption or misuse of an information system will be, in many cases, a threat to the “integrity” of customer information. In addition, disruption or misuse may also indicate the existence of a security weakness that could be exploited to gain unauthorized access to customer information. For example, an event in which ransomware placed on a system is used to encrypt customer information, rendering it useless, raises the possibility similar software could have been used to exfiltrate customer information. Accordingly, the Final Rule retains the inclusion of “misuse or disruption” within the definition of “security event.”

Third, several commenters suggested the definition of “security event” be limited to events in which there is a risk of consumer harm or some other negative effect.^[30] Similarly, some commenters argued the definition should exclude events that involve encrypted information in which the encryption key was not compromised or when there is evidence the information accessed has not been misused.^[31] The Commission declines to narrow the provision in this manner. It believes a financial institution should still engage in its incident response procedures to determine whether the event indicates a weakness that could endanger customer information and to respond accordingly. The financial institution can then take the appropriate steps in response. Further, § 314.4(h) of the Final Rule, which sets forth the requirement for an incident response plan, requires the incident response plan be designed to respond only to security events “materially affecting the confidentiality, integrity, or availability of customer information,” limiting the impact of the definition of “security event.”

Accordingly, the Final Rule defines security event as an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form. The Proposed Rule placed this definition as paragraph (c), out of alphabetical order. The Final Rule adopts it as paragraph (p), placing it in alphabetical order with the other definitions in § 314.2.

Encryption

Proposed paragraph (e) defined encryption as the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key. This term was used in proposed § 314.4(c)(4), which generally required financial institutions to encrypt customer information. This definition was intended to define the process of encryption while not requiring any particular technology or technique for achieving the protection provided by encryption.

NADA argued this definition should be made more flexible by adding an alternative so it would read “the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key or securing information by another method that renders the data elements unreadable or unusable” (emphasis added).^[32] On the other hand, others argued the Proposed Rule's definition did not sufficiently protect customer information.^[33] For example, the Princeton University Center for Information Technology Policy (“Princeton Center”) suggested the Rule should be changed “to clarify that encryption must be consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.” ^[34] Similarly, ACE argued the definition should include “the transformation of data in accordance with industry standards.” ^[35]

The Commission agrees the proposed definition should be tethered to some technical standard, without being too prescriptive about what that standard is. Under the proposed definition, as well as NADA's proposed definition, financial institutions could have claimed they were “encrypting” data if they were aggregating it, scrambling it, or redacting it in a way that made it possible to re-identify the data through, for example, the application of common algorithms or programs. The Commission does not believe this would have provided consumers with sufficient protection. The Commission also agrees with the commenters who stated the definition should signal that encryption should be cryptographically based.

Accordingly, the Final Rule defines encryption as the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material. This definition does not require any specific process or technology to perform the encryption but does require that whatever process is used be sufficiently robust to prevent the deciphering of the information in most circumstances.

Financial Institution

Incidental Activity

The Proposed Rule made one substantive change to the definition of “financial institution” it incorporated from the Privacy Rule. The change was designed to include entities “significantly engaged in activities that are incidental to [] financial activity” as defined by the Bank Holding Company Act. This proposed change brought only one activity into the definition that was not covered before: the act of “finding” as defined in 12 CFR 225.86(d)(1). The proposed revision to paragraph (f) added an example of a financial institution acting as a finder by “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” This example used the language set forth in 12 CFR 225.86(d)(1), which defines “finding” as an activity incidental to a financial activity under the Bank Holding Company Act. The Commission Start Printed Page 70276 adopts this proposal without modification.

The change to the definition of “financial institution” brings it into harmony with other agencies' GLB rules.^[36] The change is supported by the language of the Gramm-Leach-Bliley Act.^[37] The Act defines a “financial institution” as any institution “the business of which is engaging in financial activities as described in section 1843(k) of title 12.” ^[38] That section, in turn, describes activities that are financial in nature as those the Board has determined “to be financial in nature or incidental to such financial activity.” ^[39] The Final Rule's definition mirrors this language. The change will not lead to a significant expansion of the Rule coverage as it expands the definition only to include entities engaged in activity incidental to financial activity, as determined by the Federal Reserve Board. The Board has determined only one activity to be incidental to financial activity—“acting as a finder.” ^[40]

Several commenters who addressed this issue supported the inclusion of activities incidental to financial activities.^[41] Other commenters expressed concern the proposed change in the definition would expand the Rule's coverage to businesses that should not be considered financial institutions.^[42] They argued the definition of the term “finder” is too broad and companies that connect buyers and sellers in non-financial contexts would be swept inappropriately into the definition of “financial institution.” The Association of National Advertisers argued advertising agencies could be considered “finders” because they play a role in connecting buyers and sellers.^[43]

In response, the Commission notes the Federal Reserve Board describes acting as a finder as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” ^[44] The Board sets forth several activities within the scope of acting as a finder, such as “[i]dentifying potential parties, making inquiries as to interest, introducing and referring potential parties to each other, [] arranging contacts between and meetings of interested parties” and “[c]onveying between interested parties expressions of interest, bids, offers, orders and confirmations relating to a transaction.” ^[45]

Although this language is somewhat broad, its scope is significantly limited in the context of the Safeguards Rule. First, the Safeguards Rule applies only to transactions “for personal, family, or household purposes.” ^[46] Therefore, only finding services involving consumer transactions will be covered. Second, the Safeguards Rule applies only to the information of customers, which are consumers with which a financial institution has a continuing relationship.^[47] Therefore, it will not apply to finders that have only isolated interactions with consumers and do not receive information from other financial institutions about those institutions' customers. This significantly narrows the types of finders that will have obligations under the Rule, excluding, the Commission believes, most advertising agencies and similar businesses that generally do not have continuing relationships with consumers who are using their services for personal or household purposes.

The Commission believes entities that perform finding services for consumers with whom they have an ongoing relationship are properly considered “financial institutions” for purposes of the Rule. Accordingly, the Commission adopts the changes to the definition of “financial institution” as proposed.

Other Changes to Definition of “Financial Institutions”

Other commenters suggested modifying the definition of “financial institution” ^[48] in different ways. The Electronic Privacy Information Center (EPIC) argued the definition should be expanded by treating more activities as financial activities.^[49] EPIC pointed out information shared with social media companies, retailers, apps, and devices generally is not covered under the Safeguards Rule. The Commission understands the concern that many businesses fall outside the coverage of the Safeguards Rule, despite handling sensitive consumer information, but the Commission's authority to regulate activity under the Safeguards and Privacy Rules is established by the GLBA. The Rule's application is limited to financial institutions as defined by that statute and cannot be extended beyond that definition.^[50] The institutions discussed by EPIC, however, are still covered by the FTC Act's prohibition against deceptive or unfair conduct, including with respect to their use and protection of consumer information.^[51]

The National Federation of Independent Business (NFIB) argued individuals and sole proprietors should be excluded from the definition of “financial institution” because an individual cannot be an “institution.” ^[52] When the Privacy Rule was promulgated in 2000, commenters also suggested the definition should exclude sole proprietors.^[53] The Commission noted there was no basis to exclude sole proprietors and “[w]hether or not a Start Printed Page 70277 commercial enterprise is operated by a single individual is not determinative” of whether the enterprise is a financial institution. The Commission has not changed its position on this matter and declines to make this change to the definition of “financial institution.”

The Final Rule adopts this definition as proposed without change.

Information Security Program

Paragraph (i) of the Final Rule adopts the existing Rule's paragraph (c) and does not alter the definition of “information security program.” The Commission received no comments on this definition, and accordingly, adopts the current definition in the Final Rule.

Information System

Proposed paragraph (h) defined information system as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. The term “information system” was used throughout the proposed amendments to designate the systems that must be covered by the information security program.

The MSRT suggested this definition was too narrow in some respects and too broad in others.^[54] It argued the definition of “information system” was too narrow because it did not include physical systems or employees and would exclude them from some of the provisions of the Rule. Specifically, the MSRT argued that based on this definition, the penetration tests required by § 314.4(d)(2) would not be required to test “potential human vulnerabilities” such as social engineering or phishing.^[55] The Commission does not agree. Penetration testing, as defined by the Final Rule, is a process through which testers “attempt to circumvent or defeat the security features of an information system.” ^[56] One way such security features are tested is through social engineering and phishing.^[57] The fact that the testing involves employees with access to the information system, rather than just the system itself, does not exclude such tests from the definition of “penetration testing.” Attempted social engineering and phishing are important parts of testing the security of information systems and would not be excluded by this definition.

The MSRT also argued the definition was too broad, and was joined by other commenters in this concern.^[58] These commenters shared a concern the proposed definition would include systems that are in no way connected to customer information and would require financial institutions to include all systems in their possession, regardless of their involvement with customer information. The Commission agrees the definition should be limited to those systems that either contain customer information or are connected to systems that contain customer information, and adds that limitation to the Final Rule. The Rule does not limit the definition to only those systems that contain customer information, because a common source of data breaches is a vulnerability in a connected system that an attacker exploits to gain access to the company's network and move within the network to obtain access to the system containing sensitive information.^[59] Accordingly, the definition of information system in the Final Rule is modified to a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or any such system connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems, that contains customer information or that is connected to a system that contains customer information.

Multi-Factor Authentication

Proposed paragraph (i) defined multi-factor authentication as authentication through verification of at least two of the following types of authentication factors: Knowledge factors, such as a password; possession factors, such as a token; or inherence factors, such as biometric characteristics. This term was used in proposed § 314.4(c)(6),^[60] which required financial institutions to implement multi-factor authentication for individuals accessing networks that contain customer information.

Several commenters argued the definition should explicitly include SMS text messages as an acceptable example of a possession factor or otherwise to be explicitly allowed.^[61] The Proposed Rule did not include SMS text messages as an example of a possession factor.^[62] Most commenters who addressed this issue interpreted this exclusion from the examples as forbidding financial institutions from using SMS text messages as a possession factor for multi-factor authentication. That is not the effect of this exclusion, however. The language of the definition neither prohibits nor recommends use of SMS text messages. Indeed, SMS text messages are not addressed at all. In some cases, use of SMS text messages as a factor may be the best solution because of its low cost and easy use, if its risks do not outweigh those benefits under the circumstances.^[63] In other instances, however, the use of SMS text messages may not be a reasonable solution, such as when extremely sensitive information can be obtained through the access method being controlled, or when a more secure method can be used for a comparable price. A financial institution will need to evaluate the balance of risks for its situation. If, however, the Commission were to explicitly allow use of SMS text messages, this could be considered a safe harbor that would not require the company to consider risks associated with use of SMS text as a factor in a particular use case. Accordingly, the Final Rule does not include SMS text Start Printed Page 70278 messages in the examples of possession factors.

The final Rule adopts the proposed definition of “multi-factor authentication” without change as paragraph (k) of this section.

Penetration Testing

Proposed paragraph (j) defined penetration testing as a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. This term was used in proposed § 314.4(d)(2), which required financial institutions to continually monitor the effectiveness of their safeguards or to engage in annual penetration testing. The Commission received no comments concerning this definition. The Final Rule adopts the definition from the Proposed Rule as paragraph (m) of this section.

Personally Identifiable Financial Information

To minimize cross-referencing to the Privacy Rule, as noted above, the Commission is adding several definitions to the Final Rule. One of these definitions is “personally identifiable financial information,” which is identical to the definition currently contained in the Privacy Rule. This term is included within the ambit of “customer information,” in both the existing Rule and the Final Rule.

The Princeton Center suggested expanding the definition of “personally identifiable financial information” from the Privacy Rule to include “aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.” ^[64] The Princeton Center further suggested clarifying that, for information to not be considered “personally identifiable financial information,” the financial institution must be required to demonstrate the information is not “reasonably linkable” to individuals.

The Commission does not believe this amendment is necessary. The definition of “personally identifiable financial information” is already a broad one.^[65] It includes not just information associated with types of personal information such as a name or address or account number, but also information linked to a persistent identifier (“any information you collect through an Internet `cookie' (an information collecting device from a web server”)).^[66] While there may be some merit to limiting the exception for aggregate information or blind data to data that cannot be reasonably linkable to an individual, for purposes of a rule that can be periodically updated to keep up with changing technology, the current approach is more concrete and enforceable, and less subject to differences in interpretation.

Service Provider

Proposed paragraph (k) adopted the existing Rule's definition and does not alter the definition of “service provider.” The Commission received no comments on this definition and adopts it as paragraph (q) of the Final Rule.

Sec. 314.3: Standards for Safeguarding Customer Information

Proposed § 314.3, which required financial institutions to develop an information security program (paragraph (a)) and set forth the objectives of the Rule (paragraph (b)), was largely identical to the existing Rule. It changed only the requirement that “safeguards” be based on the elements set forth in § 314.4, by replacing “safeguards” with “information security program.” The Commission received no comments on this proposal and adopts it without change in the Final Rule.

Sec. 314.4: Elements

Proposed § 314.4 altered the current Rule's required elements of an information security program and added several new elements.

General Comments

The Commission received many comments addressing the new elements, both in favor of the changes and opposed to them. The comments in favor of the changes generally argued these changes would protect consumers by improving the data security of institutions that hold their information.^[67] Most of the comments opposed to the proposed elements fell into several categories, objecting: (1) The proposed changes were too prescriptive and did not allow financial institutions sufficient flexibility in managing their information security; (2) the proposed amendments would be too expensive for financial institutions, particularly smaller institutions, to adopt; and (3) some of the requirements should not apply to all customer information but should be limited to some subset of especially “sensitive” customer information. The Commission does not agree with these comments for the reasons discussed below, and accordingly, retains the general approach of the Proposed Rule in the Final Rule.

Flexibility

Many industry groups argued the new proposed elements were too prescriptive, lacked flexibility, would quickly become outdated, and would force financial institutions to engage in activities that would not enhance security.^[68] For example, the Electronics Transactions Association argued the Proposed Rule would “limit the ability of industry to develop new and innovative approaches to information security.” ^[69] Similarly, CTIA commented the Proposed Rule would create a “prescriptive core of requirements that covered businesses must follow, irrespective of whether risk assessments show they are necessary.” ^[70]

The Commission, however, believes the elements provide sufficient flexibility for financial institutions to adopt information security programs suited to the size, nature, and complexity of their organization and information systems. The elements for the information security programs set forth in this section are high-level principles that set forth basic issues the Start Printed Page 70279 programs must address, and do not prescribe how they will be addressed. For example, the requirement that the information security program be based on a risk assessment sets forth only three general items the assessment must address: (1) Criteria for evaluating risks faced by the financial institution; (2) criteria for assessing the security of its information systems; and (3) how the identified risks will be addressed. Other than meeting these basic requirements, financial institutions are free to perform their risk assessments in whatever way they choose, using whatever method or approach works best for them, as long as the method identifies reasonably foreseeable risks. The other elements are similarly flexible. The two elements that are more prescriptive, encryption and multi-factor authentication, allow financial institutions to adopt alternative solutions when necessary. Comments concerning individual elements are addressed separately in the more detailed analysis below.

Cost

Another common theme among the comments from industry groups was the proposed information security program elements would be prohibitively expensive, especially for smaller businesses.^[71] Commenters argued the Proposed Rule would have required financial institutions to implement expensive changes to their systems and hire highly-compensated professionals to do so.^[72] Industry groups were particularly concerned about the requirement that financial institutions designate a single qualified individual to coordinate their information security programs, arguing this would require hiring professionals that were both expensive, with salaries of more than $100,000 suggested by some, and in limited supply.^[73] Overall, several commenters argued some financial institutions would be unable to afford to bring themselves into compliance with the Proposed Rule.^[74]

The Commission recognizes properly securing information systems can be an expensive and technically difficult task. However, the Commission believes the additional costs imposed by the Proposed Rule are mitigated for several reasons and, ultimately, those costs are justified in order to protect customer information as required by the GLBA.^[75] First, for almost 20 years, financial institutions have been required under the current Safeguards Rule to have information security programs in place. The current Safeguards Rule requires financial institutions to “develop, implement, and maintain a comprehensive [written] information security program . . . appropriate to [the financial institutions'] size and complexity, the nature and scope of [their] activities, and the sensitivity of any customer information at issue.” ^[76] This comprehensive program must be coordinated by one or more individuals and based on a risk assessment.^[77] As such, financial institutions complying with the current Rule will not be required to establish an information security program from scratch. Instead, they can compare their existing programs to the revised Rule, and address any gaps. The Commission believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.

Second, a number of commenters who raised concerns about the costs imposed by the Rule believed the Proposed Rule would have required the hiring of a highly-compensated expert to serve as a Chief Information Security Officer (CISO).^[78] It is correct the Proposed Rule would have modified the current requirement of designating an “employee or employees to coordinate your information security program” by requiring the designation of a single qualified individual responsible for Start Printed Page 70280 overseeing and implementing the security program. This individual was referred to in the Proposed Rule as a Chief Information Security Officer or “CISO.” As discussed in detail below, the Final Rule does not use this term, though the concept is the same: The person designated to coordinate the information security program need only be “qualified.” No particular level of education, experience, or certification is prescribed by the Rule. Accordingly, financial institutions may designate any qualified individual who is appropriate for their business. Only if the complexity or size of their information systems require the services of an expert will the financial institution need to hire such an individual.^[79]

Finally, the Commission believes while large financial institutions may well incur substantial costs to implement complex information security programs, there are much more affordable solutions available for financial institutions with smaller and simpler information systems. For example, there are very low-cost or even free vulnerability assessment programs available: “virtual CISO” services enable a third party to provide security support for many companies, splitting the cost of information security professionals among them; many applications and hardware have built-in encryption requirements; ^[80] and there are affordable multi-factor authentication solutions aimed at businesses of various sizes.

Considering these points, although there will undoubtedly be expenses involved for some, or even many, financial institutions to update their programs, the Commission believes these expenses are justified because of the vital importance of protecting customer information collected, maintained, and processed by financial institutions. Congress recognized the importance of securing consumers' sensitive financial information when it passed the GLBA, which required the FTC to promulgate the Safeguards Rule. The importance, as well as the difficulty, of protecting customer information has only increased in the more than twenty years since the passage of the GLBA. The Commission believes the amendments to the Safeguards Rule are necessary to ensure the purposes of the GLBA are satisfied, and so consumers can have confidence financial institutions are providing reasonable safeguards to protect their information.

“Sensitive” Customer Information

Several industry groups also suggested significant portions of the Proposed Rule should not apply to all customer information, but rather only to some subset of particularly “sensitive” customer information, such as account numbers or social security numbers.^[81] These commenters generally argued the definition of “customer information” is too broad, as it will include information the commenters felt is not particularly sensitive, such as name and address, and does not justify extensive safeguards.^[82]

The Commission does not agree that some portion of customer information is not entitled to the protections required by the Final Rule. The Safeguards Rule defines “customer information” as “any record containing nonpublic personal information” about a customer handled or maintained by or on behalf of a financial institution.^[83] The Final Rule defines “nonpublic personal information” as “personally identifiable financial information,” but does not include information that is “publicly available.” Although this definition is broad, the Commission believes information covered by it is rightfully considered sensitive and should be protected accordingly. The businesses regulated by the Safeguards Rule are not just any businesses, but are financial institutions and are responsible for handling and maintaining financial information that is both important to consumers and valuable to attackers who try to obtain the information for financial gain. Even the fact that a consumer is a customer of a particular financial institution is generally nonpublic and can be sensitive. For example, the revelation of a customer relationship between a consumer and a particular type of financial institution, such as debt collectors or payday lenders, may make those customers' information more vulnerable to compromise by facilitating social engineering or similar attacks. The nature of the relationship between customers and their financial institutions makes all nonpublic information held by the financial institution inherently sensitive and worthy of the level of protection set forth in the Rule.

Although the Commission believes all customer information should be safeguarded by financial institutions and declines to exclude any portion of that information from protection under any of the provisions of the Rule, it notes the Rule does contemplate financial institutions will consider the sensitivity of particular information in designing their information security programs and safeguards. The elements required by this section are generally flexible enough to allow financial institutions to treat various pieces of information differently. For example, paragraph (c)(1) requires information security programs to include safeguards that address access control of customer information. The paragraph requires financial institutions to develop measures to ensure only authorized users access customer information, but does not prescribe any particular measures that must be adopted. When designing these measures, a financial institution may design a system in which more sensitive information is protected by more stringent access controls. Even in the more specific provisions of the Rule, there is flexibility to address the relative sensitivity of information. For example, in § 313.4(c)(5)'s requirement that customer information be protected by multi-factor authentication, financial institutions have flexibility to implement the multi-factor authentication depending on the sensitivity of the information. The financial institution may select factors such as SMS text messages to access less sensitive information, but determine more sensitive information should be protected by other, more secure, factors for authentication.

Third-Party Standards and Frameworks

In addition, in the NPRM, the Commission asked whether the Safeguards Rule should incorporate outside standards, such as the National Institute of Standards and Technology (“NIST”) framework, either as required elements of an information security program or as a safe harbor that would Start Printed Page 70281 treat compliance with such a standard as compliance with the Safeguards Rule. Some commenters advocated for the adoption of an outside standard into the Safeguards Rule.^[84] Cisco Systems, Inc. suggested the Safeguards Rule should be connected to NIST guidance, arguing this would allow the Rule to evolve as NIST's guidance evolves.^[85] An anonymous commenter suggested the Rule should comply with “international standard ISO/IEC 27001.” ^[86] The National Consumer Law Center argued certain financial institutions with particularly sensitive customer information should be required to comply with guidelines issued by NIST and the Federal Financial Institutions Examination Council (FFIEC).^[87] Other commenters acknowledged the value of outside standards but were opposed to the Rule requiring compliance with them.^[88]

Some commenters suggested while compliance with outside standards should not be required, compliance should serve as a “safe harbor” for compliance with the Rule.^[89] On the other hand, Consumer Reports noted while such standards can be helpful guidance, they should not be a safe harbor for compliance with the Rule because financial institutions must take steps to ensure they are responding to changing information security threats regardless of the requirements of an outside framework.^[90]

The Commission declines to change the Rule to incorporate or reference a particular security standard or framework for a variety of reasons. First, it is not clear the more detailed frameworks would apply well to financial institutions of various sizes and industries. In addition, mandating companies follow a particular security standard or framework would reduce the flexibility built into the Rule. Similarly, the Commission declines to make compliance with an outside standard a safe harbor for the Rule. In such a scenario, the use of safe harbors would not greatly enhance regulatory stability or predictability for financial institutions because the Commission would be required to actively monitor whether those standards continued to provide equivalent protections for Safeguards compliance and modify the Rule if a standard became inadequate. In addition, in investigating possible violations of the Rule, the Commission would be required to independently verify whether the financial institution had in fact complied with the outside framework, which would require substantial effort and expense on the part of the Commission and the target of the investigation.

Specific Elements

In addition to these generally applicable comments, commenters addressed many of the individual elements set forth by this section. These elements are discussed in more detail below.

Paragraph (a)—Designation of a Single Qualified Individual

Proposed paragraph (a) changed the current requirement that institutions designate an “employee or employees to coordinate your information security program” to instead require the financial institution to designate “a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.” ^[91] This individual was referenced in the Proposed Rule as a Chief Information Security Officer or “CISO.”

The notice of proposed rulemaking for the Proposed Rule emphasized the use of the term “CISO” was for clarity in the Proposed Rule.^[92] Despite the use of the term “CISO,” the Proposed Rule did not require financial institutions to actually grant that title to the designated individual. Commenters that responded to this proposal, however, generally assumed the person designated to coordinate and oversee a financial institution's information security program would be required to have the qualifications, duties, responsibilities, and accompanying pay of a CISO as that position is generally understood in the information security field.^[93] The position of CISO is generally limited to large companies with fairly complex information security systems, so the salary of this position is often very high.^[94] Accordingly, many commenters argued hiring a CISO would be prohibitively expensive for many financial institutions.^[95] Additionally, commenters argued the hiring of such an in-demand professional would be difficult because of a general shortage of such professionals available for hiring.^[96]

By using the term “CISO,” the Commission did not intend to require all financial institutions hire a highly qualified professional with an extremely high salary, regardless of the financial institutions' size or complexity. The Proposed Rule required only that financial institutions designate a “qualified individual” to oversee and enforce their information security program, without specifying any particular level of experience, education, or compensation, or requiring any particular duties outside of overseeing the financial institution's information security program and other requirements specifically set forth in the Rule.^[97] The use of the term “CISO” in the Proposed Rule, however, caused confusion about the requirements of this section. Accordingly, the Final Rule replaces the term “CISO” with “Qualified Individual” to refer to the individual designated under this section of the Rule.

The use of the term “Qualified Individual” is meant to clarify the only requirement for this designated individual is that he or she be qualified to oversee and enforce the financial institution's information security program. What qualifications are necessary will depend upon the size and complexity of a financial institution's information system and the volume and sensitivity of the customer information the financial institution Start Printed Page 70282 possesses or processes. The Qualified Individual of a financial institution with a very small and simple information system will need less training and expertise than a Qualified Individual for a financial institution with a large, complex information system. The exact qualifications will depend on the nature of the financial institution's information system. Each financial institution will need to evaluate its own information security needs and designate an individual with appropriate qualifications to meet those needs.

The Commission believes, in many cases, financial institutions' current coordinators, whether their own employees or third-party contractors, may be qualified for this role.^[98] Because the current Safeguards Rule requires financial institutions to designate an “employee or employees to coordinate your information security program,” financial institutions in compliance with that Rule will already have one or more information security coordinators. Although the current Rule does not expressly require that these coordinators be qualified for that position, the current Rule requires a financial institution to maintain “appropriate” safeguards, regularly test those safeguards, and evaluate and adjust the information security program in light of that testing.^[99] In order to effectively comply with these ongoing requirements, a financial institution's coordinator must have some level of information security training and knowledge and, therefore, will likely be an appropriate Qualified Individual under the Final Rule. Accordingly, in many cases this amendment to the Rule will not require any additional hiring expenses.

In addition to explicitly requiring that the information security program coordinator be qualified for the role, the Commission proposed to require the designation of a single employee, as opposed to the multiple coordinators allowed by the existing Rule. Some commenters objected to this proposal on the grounds that it would interfere with financial institutions' flexibility in organizing their information security personnel.^[100] For example, the Consumer Data Industry Association (“CDIA”) commented the designation of a single coordinator would interfere with financial institutions' ability to organize their program “to share responsibilities among different personnel with different strengths.” ^[101] Similarly, ACA International argued this requirement would prevent financial institutions from having multiple staff members share responsibilities for information security programs.^[102]

Other commenters argued the designation of a single individual as the coordinator of the information security program provides no proven benefits over the use of multiple coordinators.^[103] Similarly, NADA argued that, while the appointment of a single qualified individual might improve accountability, improving accountability does not improve security.^[104] On the other hand, a group of consumer and advocacy groups including the National Consumer Law Center (“NCLC”) argued appointing a single individual as the coordinator of the information security program can increase security and prevent security events based on lack of accountability and poor coordination.^[105]

The Commission retains the requirement to designate a single qualified individual, because it believes there are clear benefits to the designation of a single coordinator. Designating a single coordinator to oversee an information security program clarifies lines of reporting in enforcing the program, can avoid gaps in responsibility in managing data security, and improve communication.^[106]

The Commission disagrees with the commenter who stated improved accountability does not lead to improved security. The goal of improving accountability is to ensure information security staff and financial institution management give the necessary attention and resources to information security. In addition, an individual that has clear responsibility for the strength of a financial institution's information security program will be accountable to improve the program and ensure it protects customer information.^[107]

The major breach that occurred at national consumer reporting agency Equifax in 2017 demonstrates the importance of clear lines of reporting and accountability in management of information security programs. The U.S. House Committee on Oversight and Government Reform issued a report on the breach that identified Equifax's organization as one of the major causes of the breach.^[108] The report indicated Equifax's division of responsibility for information security between two individuals that reported to two different company officers contributed to failures of communication, oversight, and enforcement that led to millions of consumers' data being compromised.^[109] Increasing accountability for individuals and organizations can directly lead to improved security for customer information.

Finally, the Commission does not believe the requirement to designate a single Qualified Individual would Start Printed Page 70283 prevent the approach of having multiple people responsible for different aspects of the program, as some commenters asserted. While the Qualified Individual appointed as the coordinator of the information security program would have ultimate responsibility for overseeing and managing the information security program, financial institutions may still assign particular duties and responsibilities to other staff members.^[110] A financial institution may organize its personnel in teams or share decision making between individuals. Moreover, the Rule does not require this be the Qualified Individual's sole job—he or she may have other duties. The Rule requires only that one individual assume the ultimate responsibility for overseeing and enforcing the program.

Accordingly, the Final Rule requires designation of a single Qualified Individual, as proposed, but no longer uses the term “CISO.”

Third-Party Coordinators

The Proposed Rule stated that the Qualified Individual would not need to be an employee of the financial institution, but could be an employee of an affiliate or a service provider. This change was intended to accommodate financial institutions that may prefer to retain an outside expert, lack the resources to employ a qualified person to oversee a program, or decide to pool resources with affiliates to share staff to manage information security. The Proposed Rule required, however, that to the extent a financial institution used a service provider or affiliate, the financial institution must still: (1) Retain responsibility for compliance with the Rule; (2) designate a senior member of its personnel to be responsible for direction and oversight of the Qualified Individual; and (3) require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the Rule.

The Commission received one comment on this aspect of the provision. NADA argued that, because a senior member of a financial institution's personnel must be responsible for the oversight of a third-party Qualified Individual, the supervising individual would need to be an expert in information security, and the financial institution would still be required to hire an expensive employee to supervise the third-party Qualified Individual.^[111] The Rule, however, does not require individuals responsible for overseeing third-party Qualified Individuals to be information security experts themselves. The senior personnel that oversees the third-party Qualified Individual is charged with supervising and monitoring the third-party so the financial institution is aware of its data security needs and the safeguards being used to protect its information systems. This person does not need to be qualified to coordinate the information security program him or herself. Technical staff are frequently supervised by employees or officers with limited technical expertise.^[112] The Rule requires only the same responsibilities a supervisor would have in overseeing an in-house information security coordinator of a financial institution. Accordingly, the Commission adopts the proposed paragraph without modification.

Proposed Paragraph (b)

The NPRM proposed amending paragraph (b) to clarify a financial institution must base its information security program on the findings of its risk assessment by adding an explicit statement that financial institutions' “information security program [shall be based] on a risk assessment.” ^[113] In addition, the Proposed Rule removed existing § 314.4(b)'s requirement that the risk assessment must include consideration of specific risks ^[114] because these specific risks are set forth elsewhere in the Proposed Rule.^[115] The Commission received no comments on this paragraph and adopts paragraph (b) as proposed.

Written Risk Assessment

Paragraph (b)(1) of the Proposed Rule required the risk assessment be written and include: (1) Criteria for the evaluation and categorization of identified security risks or threats the financial institution faces; (2) criteria for the assessment of the confidentiality, integrity, and availability of the financial institution's information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats to the financial institution; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the financial institution's risks. Commenters raised several concerns about the Proposed Rule's provisions on risk assessment, none of which merit changes to the Proposed Rule.

First, some commenters objected to the level of specificity of the Proposed Rule, with some arguing the requirements were too specific, and others arguing the requirements were not specific enough. With respect to the Proposed Rule being too specific, commenters such as ACA and U.S. Chamber of Commerce argued it removed financial institutions' flexibility in performing risk assessments.^[116] The U.S. Chamber of Commerce contended, because the criteria are too specific, a risk assessment performed using them would not be “sufficiently risk based.” ^[117] CDIA expressed concern it was unclear “what level of specificity is required” in the written risk assessment and if detailed risk assessments are required, they “could themselves become a roadmap for a security breach.” ^[118]

In contrast, several other commenters recommended the Rule set forth more specific criteria for risk assessments. Inpher suggested the Commission add a requirement that risk assessments require financial institutions to examine “technologies that are deployed by [financial institutions'] information security systems, and evaluate the feasibility” of adopting “privacy enhancing technologies” that would better address vulnerabilities and thwart threats.^[119] Inpher also recommended the Rule require financial institutions to conduct privacy impact assessments with “specific guidelines to review internal data protection standards and adherence to fair information Start Printed Page 70284 principles.” ^[120] The Princeton Center suggested the Rule require risk assessments to include threat modeling and adopt the concept of defense in depth.^[121] HALOCK Security Labs recommended the Rule specifically require “a) That risk assessments should evaluate the likelihood of magnitudes of harm that result from threats and errors, b) That risk assessments should explicitly estimate foreseeable harm to consumers as well as to the covered financial institutions, c) That risk mitigating controls are commensurate with the risks they address, [and] d) That risk assessments estimate likelihoods and impacts using available data.” ^[122]

The Commission believes the Proposed Rule's provisions on risk assessment strike the right balance between specificity and flexibility. The amendments provide only a high-level list of criteria the risk assessment must address. They essentially require that the financial institution identify and evaluate risks to its systems, evaluate the adequacy of its existing controls for addressing these risks, and identify how these risks can be mitigated. These are core requirements of any risk-assessment.^[123] The Rule does not require any specific methodology or approach for performing the assessment. Financial institutions are free to perform the risk assessment using the method most suitable for their organization as long as that method meets the general requirements set forth in the Rule.^[124] And while the Commission agrees the additional requirements suggested by some commenters may be beneficial in many, or even most, risk assessments, it believes a more flexible requirement will better allow financial institutions to find the risk assessment method that best fits their organization and will better accommodate changes in recommended approaches in the future.

In response to CDIA's concern about the risk assessment providing a roadmap for bad actors, certainly, the written risk assessment will include details about a financial institution's systems that could assist an attacker if obtained by the attacker. Accordingly, the risk assessment should be protected as any other sensitive information would be. The Commission does not view this concern as a reason not to create such a document. Indeed, the concern would apply to any written document that provides information regarding a financial institution's information security procedures, from a network diagram to written security code.

Second, some commenters argued implementing the risk-assessment provision as proposed would be too expensive and difficult for financial institutions.^[125] For example, NADA argued the contemplated risk assessment would be very costly because the criteria set out in paragraph (b)(1) are “well outside the scope of expertise of anyone but the most sophisticated IT professionals.” ^[126] In response, although the Commission declines to modify the provision, it addresses NADA's concern in § 314.6 by exempting financial institutions that maintain information concerning fewer than 5,000 consumers from the specific requirements of paragraph (b)(1), and from the requirement to memorialize the risk assessment in writing. For those financial institutions that do not qualify for this exemption, the Commission believes they will be able to perform the required risk assessment in a manner that is practical and affordable for their institution. There are many resources available to financial institutions to aid in risk assessment, including service providers that can assist institutions of various sizes.^[127]

While acknowledging there will be some cost to conducting a risk assessment, the Commission believes a properly conducted risk assessment is an essential part of a financial institution's information security program. The entire Safeguards Rule, both as it currently exists and as amended, requires that the information security program be based on a risk assessment. An information security program cannot properly guard against risks to customer information if those risks have not been identified and assessed.^[128] The Commission believes this requirement properly emphasizes the importance of robust risk assessments, while providing financial institutions sufficient flexibility in performing these assessments. Finally, the Commission notes, because the current Rule also requires that a risk assessment be performed, financial institutions that have complied with the current Rule have already conducted a risk assessment. And, even if that risk assessment was not memorialized in writing, the work conducted for that risk assessment should be useful in performing future risk assessments.

Third, NADA objected to the requirement that the risk assessment describe how each identified risk will be “mitigated or accepted,” arguing it is not clear when it is appropriate to “accept a risk.” ^[129] NADA argued that documenting a decision to accept a risk would “create a record that can be distorted and second guessed after the fact,” and “context is lost when it is written and reviewed after an incident has occurred.” ^[130] The Rule does not require a financial institution to mitigate every risk identified, no matter how remote or insignificant. Instead, the Rule allows a financial institution to accept a risk, if its assessment of the risk reveals that the chance it will produce a security event is very small, if the consequences of the risk are minimal, or the cost of mitigating the risk far outweighs the benefit. In those cases, the financial institution may choose to accept the risk. A financial institution concerned that its decision to accept a risk will later be questioned may choose to set forth whatever context or Start Printed Page 70285 explanation it sees fit in the written assessment.

Finally, while several commenters supported the idea of conducting “periodic” risk assessments as required by the Proposed Rule,^[131] NADA objected it is unclear how often financial institutions need to conduct risk assessments under this section.^[132] In order to be effective, a risk assessment must be subject to periodic reevaluation to adapt to changes in both financial institutions' information systems and changes in threats to the security of those systems. The Commission declines, however, to set forth a specific schedule for risk assessments. The Commission believes it would not be appropriate to set forth an inflexible schedule for periodic risk assessments because each financial institution must set its own schedule based on the needs and resources of its institution.

The Final Rule adopts § 314.4(b) as proposed.

Paragraph (c)

Proposed paragraph (c) retained the existing Rule's requirement for financial institutions to design and implement safeguards to control the risks identified in the risk assessment. In addition, it added more detailed requirements for what the safeguards must address ( e.g., access controls, data inventory, disposal, change management, monitoring). These specific requirements represent elements of an information security program that the Commission views as essential and should be addressed by all financial institutions.^[133]

As a preliminary matter, Global Privacy Alliance (GPA) argued all of these elements should be made optional and financial institutions should be required only to take these elements “into consideration” when designing their information security programs.^[134] While the Commission agrees it is important that the Rule allow financial institutions flexibility in designing their information security programs, these elements are such important parts of information security that each program must address them. For example, an information security program that has no access controls or does not contain any measures to monitor the activities of users on the systems cannot be said to be protecting the financial institution's systems. The Final Rule, therefore, continues to require each information security program to contain safeguards that address these elements, with modifications described below.

Access Controls

Proposed paragraph (c)(1) required financial institutions to “place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information and to periodically review such access controls.”

Commenters suggested a number of modifications to this provision. First, GPA argued this provision should require controls on access to information, rather than on information systems.^[135] Second, several commenters suggested adding further safeguards to the “access control” requirement. For example, the Princeton Center argued the Rule should adopt the “Principle of Least Privilege,” a principle that no user should have access greater than is necessary for legitimate business purposes.^[136] Reynolds and Reynolds Company (Reynolds) suggested the Rule clarify that financial institutions must “vet, control, and monitor user access to sensitive information.” ^[137] Consumer Reports argued paragraph (c)(1) should be amended to control access not just to authorized users, but to further limit access to when such access is reasonably necessary.^[138] ACE argued that any requirement for physical access control allow financial institutions to determine which locations should have restricted access, rather than limiting physical access to every building and office within, say, a college campus.^[139] Finally, some commenters argued the proposed language was too vague,^[140] particularly as it applied to vendor-supplied services.^[141]

In response to the comments, the Commission makes a number of changes to this provision in the Final Rule. First, the Commission clarifies that the Rule requires access controls, not just for information systems, but for all customer information, whether it is housed in information systems or in physical locations. To streamline the Rule, the Final Rule combines the separate physical access controls requirement found in proposed paragraph (c)(3) with this paragraph. Physical access controls will generally be most important in situations in which sensitive customer information is kept in physical form (such as hard-copy loan applications, or printed consumer reports). It may also require physical restrictions to access machines that contain customer information ( e.g., locked doors and/or key card access to a computer lab).^[142] The Commission declines to make any changes in response to ACE's concern that every physical location will need to be protected—as the Rule states, physical controls must be implemented to protect unauthorized access to customer information. Where no customer information exists, the Rule would not require physical controls.

Second, the Commission agrees with the commenters who advocated that the Rule implement the principle of least privilege. The Commission does not believe it is appropriate, for example, for larger companies to give all Start Printed Page 70286 employees and service providers access to all customer information. Such overbroad access could create additional harm in the event of an intruder gaining access to a system by impersonating an employee or service provider. Accordingly, the Commission clarifies this in the Final Rule by adding a requirement that not only must a financial institution implement access controls, but it should also restrict access only to customer information needed to perform a specific function.

As to the suggestion the Commission impose monitoring requirements for access, that requirement exists in paragraph (c)(8). And as to the suggestion the requirement is too vague as to service providers, the Commission believes the Final Rule is clear: When a vendor accesses the financial institution's data or information systems, the financial institution must ensure appropriate access controls are in place. Separately, under paragraph (f), the financial institution must reasonably oversee the vendor's safeguards, which would necessarily include access controls for the vendor's system.

Finally, as to the suggestion the provision is vague generally, as discussed above, the Final Rule seeks to preserve flexibility in its provisions, both so that financial institutions can design programs appropriate for their systems and so that changes in technology or security practices will not render the Rule obsolete. The Commission believes maintaining less prescriptive requirements is the best way to achieve the goal of flexibility and protecting customer information.^[143]

Accordingly, the Commission combines paragraphs (c)(1) and (3) from the Proposed Rule into revised paragraph (c)(1) of the Final Rule, which requires implementing and periodically reviewing access controls on customer information, including technical and, as appropriate, physical controls to (1) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information and (2) limit authorized users' access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information.^[144]

System Inventory

In the NPRM, the Commission proposed to require the financial institution to “[i]dentify and manage the data, personnel, devices, systems, and facilities that enable [the financial institution] to achieve business purposes in accordance with their relative importance to business objectives and [the financial institution's] risk strategy.” ^[145] This requirement was designed to ensure the financial institution inventoried the data in its possession, inventoried the systems on which that data is collected, stored, or transmitted, and had a full understanding of the relevant portions of its information systems and their relative importance.^[146] The Commission retains this provision in the Final Rule without modification.

Commenters raised two general objections to this provision. First, some commenters argued it was too vague and that it was not clear how such an inventory should be conducted or what systems should be included.^[147] The Commission believes the language provides effective guidance while still allowing a variety of approaches by financial institutions in identifying systems involved in their businesses. This provision requires a financial institution to identify all “data, personnel, devices, systems, and facilities” that are a part of its business and to determine their importance to the financial institution. This inventory of systems must include all systems that are a part of the business so the financial institution can locate all customer information it controls, the systems connected to that information, and how they are connected. This inventory forms the basis of an information security program because a system cannot be protected if the financial institution does not understand its structure or know what data is stored in its systems.

Second, ACE suggested the scope of this provision should be limited to systems “directly related to the privacy and security of `customer information.' ” ^[148] The Commission declines to make this change because the purpose of this provision is to allow financial institutions to obtain a clear picture of their systems and to identify where customer information is kept and how it can be accessed. An inventory must examine all systems in order to identify all systems that contain customer information or are connected to systems that do. If a financial institution does not first examine all systems and instead limits the inventory to systems it considers to be directly related to security, it could give an incomplete picture of the financial institution's systems and could result in some customer information or ways to connect to that information being overlooked.^[149]

The Commission adopts paragraph (c)(2) of the Proposed Rule as final, without modifications.

Access to Physical Location

Proposed paragraph (c)(3) would have required that financial institutions restrict access to physical locations containing customer information only to authorized individuals. The Final Rule combines this section with proposed paragraph (c)(1) in order to eliminate redundancy and clarify that access controls must consider both electronic and physical access.

Encryption

Proposed paragraph (c)(4) required financial institutions to encrypt all customer information, both in transit over external networks and at rest. The Proposed Rule allowed financial institutions to use alternative means to protect customer information, subject to review and approval by the financial institution's Qualified Individual.

Several commenters supported the inclusion of an encryption requirement.^[150] In fact, some suggested Start Printed Page 70287 the Proposed Rule did not go far enough in requiring encryption. Inpher suggested the Rule should require encryption of customer information when in use, in addition to when in transit or at rest.^[151] The Princeton Center suggested requiring encryption of data while in transit over internal networks, in addition to requiring it for external networks, noting the blurring of the distinction between internal and external networks.^[152]

In contrast, others argued encryption could be too expensive and technically challenging for some financial institutions and should not be required in all cases.^[153] Indeed, GPA argued the Rule should not require encryption at all, financial institutions should be free to adopt other protective measures for customer information, and the Rule should allow financial institutions to “determine the controls that are most appropriate for protecting the sensitive information that they handle.” ^[154] Similarly, some commenters argued financial institutions should be required to encrypt customer information only when the risk to the customer information justifies it.^[155] Others suggested encryption in more limited circumstances, such as on systems “to which unauthorized individuals may have access,” ^[156] for sensitive data,^[157] or for data in transit.^[158] The Mortgage Bankers Association argued encryption at rest is unnecessary because customer information at rest in a financial institution's system is sufficiently protected by controlling access to the system.^[159] Two commenters stated guidelines issued by the Federal Financial Institutions Examination Council (FFIEC) do not require most banks to encrypt data at rest, unless the institution's risk assessment indicates such encryption is necessary.^[160]

The Commission declines to modify the encryption requirement from the Proposed Rule. As to the comments that suggest the requirement should be relaxed, the Commission notes there are numerous free or low cost encryption solutions available to financial institutions, particularly for data in transit,^[161] that make encryption a feasible solution in most situations. For data at rest, encryption is now cheaper, more flexible, and easier than ever before.^[162] In many cases, widely used software and hardware have built-in encryption capabilities.^[163]

In response to the argument that the Rule should not require encryption at rest because FFIEC guidelines do not require it, the Commission notes the Safeguards Rule is very different from the guidelines issued by the FFIEC. The depository financial institutions regulated by the banking agencies are subject to regular examinations by their regulator. The guidelines created by the FFIEC are designed to be used by the examiner, as part of those examinations, to evaluate the security of the financial institution; the examiner thus has a direct role in regularly verifying the financial institution has taken appropriate steps to protect its customer information. In contrast, the Safeguards Rule regulates covered financial institutions directly and must be usable by those entities to determine appropriate information security without any interaction between the financial institution and the Commission. The Commission does not have the ability to examine each financial institution and work with that institution to ensure their information security is appropriate. Therefore, a requirement that institutions encrypt information by default is appropriate for the Safeguards Rule, as the Commission believes encryption of customer information at rest is appropriate in most cases.

Finally, while some commenters suggested eliminating the encryption requirement for certain types of data ( e.g., non-sensitive) or certain categories of data ( e.g., data at rest), the Commission notes, as discussed in more detail above, the fact that an individual is a customer of a financial institution alone may be sensitive. In any event, the Rule provides financial institutions with flexibility to adopt alternatives to encryption with the approval of the Qualified Individual.

Similarly, the Commission declines to extend the encryption requirement to data in use or to data transmitted over internal networks, as some commenters suggested. The Commission does not believe the technology that would encrypt data while in use (as opposed to in transit or at rest) has been adopted widely enough at this time to justify mandating its use by all financial institutions under the FTC's jurisdiction. As to encryption of data transmitted over internal networks, the Commission acknowledges, due to changes in network design and the growth of cloud and mobile computing, the distinction between internal and external networks is less clear than it once was. However, the Commission believes requiring all financial institutions to encrypt all communications over internal networks would be unduly burdensome at this Start Printed Page 70288 time. There remain significant costs and technical hurdles to encrypting transmissions on internal networks that would not be reasonable to impose on all financial institutions, especially smaller institutions with simpler systems that might realize less benefit from this approach. While the Commission encourages financial institutions to consider whether it would be appropriate for them to encrypt the transmission of customer information over internal networks, it declines to require this for all financial institutions.^[164]

Commenters pointed to three additional concerns about encryption, none of which the Commission finds persuasive. First, the Bank Policy Institute commented the encryption requirement would in fact weaken security by blocking surveillance of the information by the financial institution and requiring the “broad distribution” of encryption keys.^[165] The Commission does not believe an encryption requirement would weaken security. Encryption is almost universally recommended by security experts and included in most security standards.^[166] Further, new tools have been developed to address the issue the Bank Policy Institute has raised. Many financial institutions have monitoring tools on the edge of their networks to monitor data leaving the network. It used to be the case these network monitoring tools could not see the content of encrypted data as it left the corporate network and was transmitted to the internet. However, there are now tools available that can see the data as it departs the network, even if the data is encrypted.^[167] Any marginal security costs of encryption are far outweighed by the benefits of rendering customer information unreadable.

Second, some commenters argued financial institutions should be able to implement alternatives to encryption without obtaining approval from the Qualified Individual.^[168] The New York Insurance Association expressed concern financial institutions might feel they need to encrypt all customer information because of the risk that the alternative controls approved by the Qualified Individual would be “second guessed” in the event unencrypted data is compromised.^[169] The Commission, however, believes this concern is a core element of information security based on risk assessment. Every aspect of an information security program is based on the judgment of the financial institution and its staff. The Qualified Individual's decision concerning alternate controls, like other decisions by the financial institution and its staff, will be subject to review in any enforcement action to determine whether the decision was appropriate. If the Qualified Individual is not required to make a formal decision, it is much more likely a decision not to encrypt information will be made even if there is no compensating control, or even made without the Qualified Individual's knowledge.

Third, the National Pawnbrokers Association (“NPA”) expressed concern that if pawnbrokers are required to encrypt customer information they may fall out of compliance with state and local regulations concerning transaction reporting.^[170] NPA stated pawnbrokers are often required by state or local law to report every pawn transaction, along with nonpublic personally identifiable consumer information, to law enforcement, and the agencies that receive this information “prefer to take this information electronically and in unencrypted forms.” ^[171] The Commission believes if transmitting the information in unencrypted form is a preference of the agencies and not a requirement, then pawnbrokers can comply with both the Safeguards Rule and these laws by encrypting any transmissions that include customer information. If there are cases where a required transmission of customer information cannot be encrypted for technical reasons, then the pawnbroker's Qualified Individual will need to work with the law enforcement agency to implement alternative compensating controls to ensure the customer information remains secure during these transmissions.^[172]

The Final Rule adopts this paragraph as paragraph (c)(3) without revision.

Secure Development Practices

Proposed paragraph (c)(5) required financial institutions to “[a]dopt secure development practices for in-house developed applications utilized” for “transmitting, accessing, or storing customer information.” In this paragraph, the Commission proposed requiring financial institutions to address the security of software they develop to handle customer information, as distinct from the security of their networks that contain customer information.^[173] In addition, the Proposed Rule required “procedures for evaluating, assessing, or testing the security of externally developed applications [financial institutions] utilize to transmit, access, or store customer information.” This provision required financial institutions to take steps to verify that applications they use to handle customer information are secure.^[174]

Some commenters argued evaluating the security of externally developed software would be too expensive or impractical for some financial institutions,^[175] while others raised different concerns. The American Council on Education suggested, in cases in which a financial institution cannot obtain access to a software provider's code or technical Start Printed Page 70289 infrastructure, then evaluating the security of its software is infeasible.^[176] NADA further suggested in order to evaluate the security of software, financial institutions would need to hire an expensive IT professional.^[177]

The Commission does not agree with these assertions. Evaluating the security of software does not require access to the source code of that software or access to the provider's infrastructure. For example, a provider can supply the steps it took to ensure the software was secure, whether it uses encryption to transmit information, and the results of any testing it conducted. In addition, there are third party services that assess software. An institution can also set up automated searches regarding vulnerabilities, patches, and updates to software listed on the financial institution's inventory. The exact nature of the evaluation required will depend on the size of the financial institution and the amount and sensitivity of customer information associated with the software. If the software will be used to handle large amounts of extremely sensitive information, then a more thorough evaluation will be warranted. Likewise, the nature of the software used will also affect the evaluation. Software that has been thoroughly tested by third parties may need little more than a review of the test results, while software that has not been widely used and tested will require closer examination.

The Commission adopts proposed paragraph (c)(5) as paragraph (c)(4) of the Final Rule.

Multi-Factor Authentication

Proposed paragraph (c)(6) required financial institutions to “implement multi-factor authentication for any individual accessing customer information” or “internal networks that contain customer information.” ^[178] The Proposed Rule would have allowed financial institutions to adopt a method other than multi-factor authentication that offers reasonably equivalent or more secure access controls with the written permission of its Qualified Individual. In the Final Rule, the Commission retains the general requirements of proposed paragraph (c)(6) as paragraph (c)(5), with some modifications described below.

Although several commenters expressed support for including a multi-factor authentication requirement in the Final Rule,^[179] others opposed such a requirement. For example, ACE argued a blanket requirement mandating multi-factor authentication for all institutions of all sizes and complexities is not the best solution.^[180] The National Independent Automobile Dealers Association (NIADA) commented the costs of multi-factor authentication would be too high for some financial institutions because it would need to be built into their information systems from scratch.^[181] NIADA also argued adopting multi-factor authentication would disrupt a financial institution's activities as employees had to “jump through multiple hoops to log in.” ^[182] Cisco Systems, Inc. argued that while multi-factor authentication is an effective safeguard, it should not be specifically required by the Rule because, while it is currently good security practice, in the future multi-factor authentication may become outdated, and that allowing financial institutions to satisfy the Rule in this way could result in inadequate protection.^[183]

Other commenters did not dispute the benefits of multi-factor authentication generally, but argued the Rule should limit the multi-factor authentication requirement. Some of these commenters stated the Rule should only require multi-factor authentication when the financial institution's risk assessment justifies it.^[184] Others argued there should be a distinction between internal access and external access. For example, some commenters argued the Rule should not require multi-factor authentication when a user accesses customer information from an internal network,^[185] because there are other controls on internal access that make multi-factor authentication unnecessary.^[186] Another commenter stated requiring multi-factor authentication when a customer accesses their information from an external network could create problems for some institutions.^[187] Finally, the Princeton Center argued the Rule should be amended to clarify that multi-factor authentication should be required for internal and external networks.^[188]

Finally, CTIA took issue with the proposed requirement that the Qualified Individual be permitted to approve “reasonably equivalent or more secure” controls if multi-factor authentication is not feasible, suggesting instead that Qualified Individuals be permitted to approve “effective alternative compensating controls.” ^[189]

The Commission disagrees with the commenters who stated the Rule should not include a multi-factor authentication requirement. As to costs, many affordable multi-factor authentication solutions are available in the marketplace.^[190] Most financial institutions will be able to find a solution that is both affordable and workable for their organization. In the cases when that it is not possible, the Start Printed Page 70290 Rule allows financial institutions to adopt reasonably equivalent controls.^[191]

As to potential disruptions requiring multi-factor authentication may cause, the Commission notes that many organizations, both financial institutions and otherwise, currently require employees to use multi-factor authentication without major disruption.^[192] Many multi-factor authentication systems are available that do not materially increase the time it takes to log into a system as compared to the use of only a password.^[193] In short, multi-factor authentication is an extremely effective way to prevent unauthorized access to a financial institution's information system,^[194] and its benefits generally outweigh any increased time it takes to log into a system. In those situations when the need for quick access outweighs the security benefits of multi-factor authentication, the Rule allows the use of reasonably equivalent controls.

Finally, although the Commission agrees the Rule should not lock financial institutions into using outmoded or obsolete technologies, the basic structure of using multiple factors to identify a user is unlikely to be rendered obsolete in the near future. The Rule's definition of multi-factor authentication addresses only this principle and does not require any particular technology or technique to achieve it. This should allow it to accommodate most changes in information security practices. In the event of an unforeseen change to the information security environment that would discount the value of multi-factor authentication, the Commission will adjust the Rule accordingly.^[195]

The Commission agrees with the commenter who stated multi-factor authentication is justified both when external users, such as customers, and internal users, such as employees, access an information system. Multi-factor authentication can prevent many attacks focused on using stolen passwords from both employees and customers to access customer information. Other common attacks on information systems, such as social engineering or brute force password attacks, target employee credentials and use those credentials to get access to an information system.^[196] These attacks can usually be stopped through the use of multi-factor authentication. Accordingly, the Final Rule requires multi-factor authentication whenever any individual—employee, customer or otherwise—accesses an information system. If a financial institution determines it is not the best solution for its information system, it may adopt reasonably equivalent controls with the approval of the Qualified Individual.

The Commission recognizes the language of the Proposed Rule may have created some confusion by its use of the term “internal networks” to define the systems affected by the multi-factor authentication requirement, instead of the term “information systems” as used other places in the Rule.^[197] In addition, the Commission agrees with commenters that argued separating the multi-factor authentication into two sentences created confusion.^[198] Accordingly, the Commission modifies paragraph (c)(5) of the Final Rule, which was proposed as paragraph (c)(6), to require financial institutions to “[i]mplement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.”

Finally, the Commission declines to adopt CTIA's proposed alternative that would allow Qualified Individuals to approve “effective alternative compensating controls,” even if they are not “reasonably equivalent or more secure” than multi-factor authentication. Given the important role multi-factor authentication has in access control, any alternative measure should provide at least as much protection as multi-factor authentication.^[199]

Audit Trails

Proposed paragraph (c)(7) required information security programs to include audit trails designed to detect and respond to security events.^[200] Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period.^[201]

Some commenters supported this requirement.^[202] The Princeton Center noted audit trails are “crucial to designing effective security measures Start Printed Page 70291 that allow institutions to detect and respond to security incidents.” ^[203] It also stated audit trails “help understand who has accessed the system and what activities the user has engaged in.” ^[204]

Other commenters argued this requirement imposed unclear obligations or would not improve security.^[205] For example, GPA commented the Proposed Rule conflated the use of logs to reconstruct past events and the active use of logs to monitor user activity.^[206] The American Financial Services Association argued adding logging capabilities to some legacy systems would be expensive and difficult.^[207] Another commenter argued the increased use of cloud storage would mean that financial institutions might not have access to any audit trails.^[208] In addition, NADA argued it did not believe maintenance of logs would increase security but would instead create records that could be sought by parties “seeking to place blame” for breaches.^[209]

The Commission believes logging user activity is a crucial component of information security because in the event of a security event it allows financial institutions to understand what was accessed and when. However, the term “audit trails” may have been unclear in this context. In order to clarify that logging user activity is a part of the user monitoring process, the Final Rule does not include paragraph (c)(7) of the Proposed Rule and instead modifies the user monitoring provision to include a requirement to log user activity.^[210] By putting the “monitoring” and “logging” requirements together, the Final Rule provides greater clarity on the comment raised by the GPA: Financial institutions are expected to use logging to “monitor” active users and reconstruct past events.

Disposal Procedures

Proposed paragraph (c)(8) required financial institutions to develop procedures for the secure disposal of customer information that is no longer necessary for their business operations or other legitimate business purposes.^[211] The Proposed Rule allowed the retention of information when retaining the information is required by law or where targeted disposal is not feasible.

Some commenters supported the inclusion of a disposal requirement as proposed or suggested that the disposal requirements should be strengthened.^[212] Consumer Reports argued financial institutions should be required to dispose of customer information when it is no longer needed for the business purpose for which it was gathered.^[213] The Princeton Center suggested the Rule require disposal after a set period unless the company can demonstrate a current need for the data and that financial institutions periodically review their data practices to minimize their data retention.^[214]

Several other commenters opposed the disposal requirement as set forth in the Proposed Rule. Some argued the requirement to dispose of information goes beyond the Commission's authority under the GLB Act.^[215] NADA argued the GLB Act does not “contain[ ] any authority to require financial institutions to delete any information” and a requirement to have procedures to delete information for which a company has no legitimate business purpose would constitute a “new privacy regime.” ^[216] The American Financial Services Association (AFSA) stated the requirement was too prescriptive and the Rule should allow financial institutions to retain information as long as that retention complies with the retention policy created by the financial institution.^[217] AFSA further argued the proposed requirement exceeds the Federal banking standards, pointing to the FFIEC Cybersecurity Assessment Tool, which sets disposal of records “according to documented requirements and within expected time frames” as a baseline requirement for access and data management.^[218]

Yet other commenters suggested modifying the requirement. NADA argued that if there was to be a disposal requirement, then it should be modeled after the Disposal Rule, which requires businesses to properly dispose of consumer reports, but does not have an explicit requirement to dispose of information on any particular schedule.^[219] ACE suggested modifying the Proposed Rule to require disposal of information only where there is no longer any “legitimate purpose” rather than any “legitimate business purpose.” ^[220] It argued in some cases a financial institution may have legitimate purposes for retaining information that are not readily defined as “business” purposes, such as the retention of data by educational institutions for institutional research or student analytics.^[221]

The Commission believes requiring the disposal of customer information for which the financial information has no legitimate business purpose is within the authority granted by the GLB Act to protect the security of customer information. The disposal of records, both physical and digital, can result in exposure of customer information if not performed properly.^[222] Similarly, if records are retained when they are no longer necessary, there is a risk those records will be subject to unauthorized access. The risk of unauthorized access may be reasonable where the retention of data provides some benefit. In situations where the information is no longer needed for a legitimate business purpose, though, the risk to the customer information becomes unreasonable because the retention is no longer benefiting the customer or financial institution. Disposing of unneeded customer information, therefore, is a vital part of protecting customer information and serves the purpose of the GLB Act.^[223]

The Commission disagrees with commenters who suggested narrowing the disposal requirement or doing away with it altogether. As noted above, although no disposal requirement appears in FFIEC guidelines, those guidelines represent a different regulatory approach and are not an appropriate model for the Safeguards Rule.

Finally, as to setting retention periods or narrowing the legitimate business purposes for which financial institutions may retain customer information, the Commission recognizes financial institutions need some flexibility. Whereas customers may want to, for example, access and transfer older data in some circumstances, in other circumstances, retaining such data would not be consistent with any legitimate business purpose. The Commission believes the Princeton Center's recommendation that companies be required to delete information after a set period unless the information is still needed for a legitimate business purpose properly balances the needs of financial institutions with the need to protect customer information. Thus, the Commission modifies proposed paragraph (c)(6) to require the deletion of customer information two years after the last time the information is used in connection with providing a product or service to the customer unless the information is required for a legitimate business purpose as paragraph (c)(6)(i) of the Final Rule. In addition, paragraph (c)(6)(ii) of the Final Rule requires financial institutions to periodically review their policies to minimize the unnecessary retention of information.

Change Management

Proposed paragraph (c)(9) required financial institutions to adopt procedures for change management.^[224] Change management procedures govern the addition, removal, or modification of elements of an information system.^[225] This paragraph required financial institutions to develop procedures to assess the security of devices, networks, and other items to be added to their information system, or the effect of removing such items or otherwise modifying the information system. For example, a financial institution that adds additional servers or other machines to its information system would need to evaluate the security of the new devices and the effect of adding them to the existing network.

Some commenters supported this requirement,^[226] while others stated it was too broad and would impose unnecessary burdens on financial institutions.^[227] In particular, NADA argued financial institutions that have not made changes in their systems “for some time” should not be required to create procedures for change management.^[228] ACE argued including a change management requirement is unnecessary because such a requirement is “generally incorporated into an organization's IT operations” for non-security purposes and the security considerations of those changes will be considered as part of those procedures.^[229]

Alterations to an information system or network introduce heightened risk of cybersecurity incidents; ^[230] thus, it is important to expressly require change management to be a part of an information security program. The Commission agrees with ACE that many financial institutions will already have change management procedures in place. If those procedures adequately consider security issues involved in the change, then they may satisfy this requirement.

As to the comment a financial institution that has not made changes to its environment in some time should not be required to have change management processes, the Commission disagrees. Few information systems can remain unchanged for a significant period of time, given the changing technical requirements for business and security. Indeed, NADA acknowledges financial institutions will need to “adapt[] their programs to keep up with changes in data security.” ^[231] For this reason, all financial institutions must have procedures for when the changes occur. As with all of the requirements of the Rule, though, the exact nature of these procedures will vary depending on the size, complexity and nature of the information system. A simple system may have equally simple change management procedures.

The Commission adopts this proposed paragraph as paragraph (c)(7) of the Final Rule without change.

System Monitoring

Proposed paragraph (c)(10) required financial institutions to implement policies and procedures designed “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.” ^[232] The Proposed Rule required financial institutions to take steps to monitor those users and their activities related to customer information in a manner adapted to the financial institution's particular operations and needs.

NADA stated this requirement would create unnecessary expense because it would require financial institutions to “continually monitor all authorized use” and would mean “yet more new employees or third-party IT consultants.” ^[233] The Commission disagrees, however, noting that monitoring of system use can be automated.^[234] There is no requirement a separate staff member would be required to exclusively monitor system use.

In addition, one commenter stated monitoring the use of paper files is impossible and should be excluded from this provision.^[235] The Commission acknowledges monitoring of paper records is qualitatively different than the monitoring of electronic records. This requirement goes hand in hand with limiting access to documents, whether electronic or paper. For example, if an institution has a file room and access to the room is limited to particular employees ( e.g., the payroll office), the institution should have measures in place to ensure those access controls are in fact being utilized ( e.g., sign in with front desk, logging of key card access, security camera).

As discussed above, this paragraph is amended to also require the logging of user activity, but is otherwise adopted as proposed as paragraph (c)(8). Start Printed Page 70293

Proposed Paragraph (d)

Proposed paragraph (d)(1) retained the current Rule's requirement that financial institutions “[r]egularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.”

Proposed paragraph (d)(2) provided further detail to this requirement by stating the monitoring must take the form of either “continuous monitoring” or “periodic penetration testing and vulnerability assessments.” The proposal explained continuous monitoring is any system that allows real-time, ongoing monitoring of an information system's security, including monitoring for security threats, misconfigured systems, and other vulnerabilities.^[236] For those who elected to engage in periodic penetration testing and vulnerability assessment, the proposal required penetration testing at least once annually (or more frequently if called for in the financial institution's risk assessment) and vulnerability assessments at least twice a year.^[237]

Some commenters thought the proposal went too far in requiring continuous monitoring or penetration and vulnerability testing, while others thought the proposal did not go far enough. On one hand, ACE argued continuous monitoring is too burdensome and difficult for some financial institutions,^[238] particularly those with “highly decentralized systems,” such as colleges and universities, which could be required to monitor their entire system.^[239] ACE further suggested the Rule should not prescribe any particular testing methodology or schedule and should allow financial institutions to develop a testing approach appropriate for the financial institution.^[240] The NPA commented penetration and vulnerability testing would be too expensive for small pawnbrokers with small staffs and a small customer base, where their members would be “likely to notice a penetration of our records.” ^[241] One commenter stated the requirements for monitoring and testing were “overlapping and confusing” and suggested the Commission avoid confusion by including continuous monitoring, penetration testing, vulnerability scanning, periodic risk assessment reviews, and logging as optional components of an information security program to be included on an as-needed basis.^[242] Some commenters recommended the testing requirement be limited to electronic data and exclude monitoring of physical data.^[243] The American Financial Services Association argued the testing of physical safeguards required by paragraph (d)(1) “would be impossible.” ^[244] Finally, CTIA argued, for entities that choose the approach of penetration and vulnerability testing, these tests should be required less regularly.^[245]

On the other hand, the Princeton Center suggested, rather than requiring either continuous monitoring or penetration testing, the Rule should require both. It noted continuous monitoring is very effective at detecting problems with, and threats to, “off-the-shelf systems” but penetration testing is better at “for checking the interaction between systems, proprietary systems, or subtle security issues.” ^[246] Similarly, the MSRT was concerned that the Proposed Rule suggested annual penetration testing alone could protect financial institutions, rather than serve as a supplement to proper monitoring.^[247]

The Commission agrees with commenters who pointed out the difficulty of applying certain testing requirements to physical safeguards. Although the general testing requirement set forth in paragraph (d)(1) should apply to physical safeguards ( e.g., testing effectiveness of physical locks), the continuous monitoring, vulnerability assessment, and penetration testing in paragraph (d)(2) is not relevant to information in physical form. Accordingly, the final version of paragraph (d)(2) is limited to safeguards on information systems.

The Commission also agrees biannual vulnerability testing may not be sufficient to detect new threats. Thus, given the relative ease with which vulnerability assessments can be performed, it modifies the Final Rule to require financial institutions to perform assessments when there is an elevated risk of new vulnerabilities having been introduced into their information systems, in addition to the required biannual assessments.

Beyond these modifications, the Commission believes the proposal struck the right balance between flexibility and protection of customer information, and adopts the proposed provision as final. For commenters concerned about costs of testing and continuous monitoring, the Commission notes the Rule requires one, not both. Although many financial institutions may choose to use both, the Commission agrees the costs of requiring both for all financial institutions may not be justified.^[248] As to arguments that the testing required by the Rule is too frequent and will therefore be too costly, the Commission does not agree vulnerability assessments will be costly. Indeed, there are resources for free and automated vulnerability assessments.^[249] And although the Commission acknowledges penetration testing can be a somewhat lengthy and costly process for large or complex systems,^[250] a longer period between penetration tests will leave information systems vulnerable to attacks that exploit weaknesses normally revealed by penetration testing.

Two other portions of the Final Rule should help financial institutions concerned about the costs of monitoring and testing. First, because the Commission is limiting the definition of “information system” in the Final Rule, financial institutions will be able to limit this provision's application by segmenting their network and conducting monitoring or testing only of systems that contain customer information or that are connected to such systems. Second, this requirement does not apply to those institutions that Start Printed Page 70294 maintain records on fewer than 5,000 individuals. Accordingly, for example, it should not apply to businesses small enough for staff to personally know a majority of customers.

Finally, the Commission does not believe the testing requirements are duplicative of other provisions of the Final Rule. The provision relating to additional risk assessments, § 314.4(b)(2), requires a financial institution to reevaluate its risks and to determine if safeguards should be modified or added—it does not require testing to detect threats and technical vulnerabilities in the existing system. Section 313.4(c)(8)'s requirement that financial institutions monitor users' activity in an information system is focused on one aspect of information security—detecting and preventing unauthorized access and use of the system. The requirement of this paragraph, on the other hand, is focused on testing the overall effectiveness of a financial institution's safeguards. It is broader than paragraph (c)(8)'s requirement and is necessary to ensure financial institutions test the strength of their safeguards as a whole.

Accordingly, the Final Rule requires financial institutions to perform vulnerability assessments at least once every six months and, additionally, whenever there are material changes to their operations or business arrangements and whenever there are circumstances they know or have reason to know may have a material impact on their information security program.

Proposed Paragraph (e)

Proposed paragraph (e) set forth a requirement that financial institutions implement policies and procedures “to ensure that personnel are able to enact [the financial institution's] information security program.” This requirement included four components: (1) General employee training; (2) use of qualified information security personnel; (3) specific training for information security personnel; and (4) verification that security personnel are taking steps to maintain current knowledge on security issues.

General Employee Training

Proposed paragraph (e)(1) required financial institutions to provide their personnel with “security awareness training that is updated to reflect risks identified by the risk assessment.” ^[251]

While one commenter specifically supported the inclusion of this training requirement,^[252] the U.S. Chamber of Commerce argued the Rule should not have any specific training requirements at all.^[253] NADA stated the requirement that the training be “updated to reflect risks identified by the risk assessment” will require companies to develop individualized training programs to suit their financial institution and that such a process would be expensive and unnecessary because “general security awareness” is generally enough for most financial institutions.^[254]

Given the current Rule includes a similar training requirement and training remains a vital part of effective information security, the Commission declines to eliminate it. The Commission believes the Final Rule's training requirement retains the same flexibility as the existing Rule and allows financial institutions to adopt a training program appropriate to their organization.

The Commission disagrees with NADA's concern the requirement to update training programs would be too expensive. Without a requirement that the training program be updated based on an assessment of risks, employees may be subject to the same training year after year, which might reflect obsolete threats, as opposed to addressing current ones. The Commission interprets this provision to require only that the training program be updated as necessary based on changes in the financial institution's risk assessment. The provision also gives financial institutions the flexibility to use programs provided by a third party, if that program is appropriate for the financial institution. In order to clarify updates are required only when needed by changes in the financial institution or new security threats, though, the Final Rule states training programs need to be updated only “as necessary.”

Information Security Personnel

Proposed paragraph (e)(2) required financial institutions to “[u]tiliz[e] qualified information security personnel,” employed either by them or by affiliates or service providers, “sufficient to manage [their] information security risks and to perform or oversee the information security program.” ^[255] This proposed provision was designed to ensure information security personnel used by financial institutions are qualified for their positions and information security programs are sufficiently staffed.

Some commenters argued this provision was too vague because it does not define what personnel are necessary and what “qualified” means.^[256] NADA argued hiring additional staff to meet this requirement could be prohibitively expensive.^[257]

As discussed in relation to the appointment of a “Qualified Individual,” the Commission believes a more specific definition of “qualified” would not be appropriate because each financial institution has different needs and different levels of training, experience, and expertise will be appropriate for the information security staff of each institution. The term “qualified” conveys only that staff must have the abilities and expertise to perform the duties required by the information security program.^[258] The Commission declines to include a more prescriptive set of qualification requirements in the Final Rule.^[259]

As to the concern about expense, the Commission acknowledges hiring employees or retaining third parties to maintain financial institutions' information security programs can be a substantial expense. But the expense is necessary to effectuate Congressional intent that financial institutions implement reasonable safeguards to protect customer information. The Rule requires only that a financial institution have personnel “sufficient” to manage its risk and to maintain its information security program. A financial institution is required only to have the staff necessary to maintain its information security. An information security program that is not properly maintained cannot offer the protection it is designed to provide. A financial institution that Start Printed Page 70295 does not comply with this requirement, by definition, has insufficient staffing, and thus, cannot reasonably protect customer information.

Although the expense is necessary, the level of expense is mitigated by several factors. First, existing financial institutions should already have information security personnel (either in the form of employees or third-party service providers) qualified to perform the duties necessary to maintain reasonable security in order to comply with the requirements of the current Rule. Depending on the skills of those employees, additional staffing may not be necessary to meet the demands of the Final Rule. Second, the required staffing will vary greatly based on the size and complexity of the information system. A financial institution with an extremely simple system may not require even a single full time employee. Finally, the Rule allows the use of service providers to meet this requirement. This can significantly reduce costs as services exist to share the expense of qualified personnel and offer information security support at significantly less than the cost of employing a single qualified employee.^[260] The Commission continues to believe utilizing qualified and sufficient information security personnel is a vital part of any information security program and accordingly, adopts proposed paragraph (e)(2) in the Final Rule without modification.

Training of Security Personnel

The Proposed Rule also required financial institutions to “[p]rovid[e] information security personnel with security updates and training sufficient to address relevant security risks.” ^[261] This is separate from paragraph (e)(1)'s requirement to train all personnel generally.

Some commenters argued providing ongoing training could be too costly for some financial institutions.^[262] The Commission disagrees. Maintaining awareness of emerging threats and vulnerabilities is a critical aspect of information security. In order to perform their duties, security personnel must be educated on the changing nature of threats to the information systems they maintain. There are resources that will allow smaller institutions to meet this requirement at little or no cost, such as published security updates, online courses, and educational publications.^[263] For financial institutions that utilize service providers to meet information security needs, the service provider is likely to include assurances that provided personnel will be trained in current security practices. The Commission views the use of such a service provider as meeting this requirement, as the financial institution is “providing” the service as part of the price it pays to the service provider. Thus, the Final Rule adopts paragraph (e)(3) as proposed.^[264]

Verification of Current Knowledge

Proposed paragraph (e)(4) required financial institutions to “[v]erify[ ] that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.” ^[265] This requirement was intended to complement the proposed requirement regarding ongoing training of data security personnel, by requiring verification such training has taken place.

NADA argued this requirement should not apply to smaller financial institutions, stating the examples set forth in the Proposed Rule would be difficult for some smaller financial institutions to perform.^[266] The examples provided with the Proposed Rule were that a financial institution could: (1) Offer incentives or funds for key personnel to undertake continuing education that addresses recent developments, (2) include a requirement to stay abreast of security research as part of their performance metrics, or (3) conduct an annual assessment of key personnel's knowledge of threats related to their information system. The Commission believes smaller financial institutions can take advantage of any of these methods, particularly “requiring key personnel to undertake continuing education” as part of that personnel's duties. If they outsource responsibility for data security to service providers, they can simply include these requirements in their contracts.

The Commission believes the rapidly changing nature of information security mandates this requirement, in order that information security leadership can properly supervise the information security program. Accordingly, the Final Rule adopts proposed paragraph (e)(4) without change.

Proposed Paragraph (f)

Proposed paragraphs (f)(1) and (2) retained the current Rule's requirement, found in existing paragraphs (d)(1) and (2), to oversee service providers, and added a paragraph (f)(3), requiring financial institutions also periodically assess service providers “based on the risk they present and the continued adequacy of their safeguards.” ^[267] The current Rule expressly requires an assessment of service providers' safeguards only at the onboarding stage; proposed paragraph (f)(3) required financial institutions to monitor their service providers on an ongoing basis to ensure they are maintaining adequate safeguards to protect customer information they possess or access.^[268]

Several commenters argued it would be costly and difficult for some financial institutions to periodically assess their service providers.^[269] These commenters were particularly concerned with smaller financial institutions' ability to “monitor” larger service providers.^[270] The Internet Association commented the requirement to periodically assess service providers would be too onerous for the service providers themselves, arguing the requirement would place “service providers under constant surveillance by their financial institution clients.” ^[271] HITRUST suggested the Rule should state the periodic assessment requirement may be satisfied by requiring service providers to obtain and maintain information Start Printed Page 70296 security certifications provided by third parties and based on proper information security frameworks.^[272] In contrast, Consumer Reports took issue with the Rule requiring only “assessment” of service providers, and argued financial institutions should be required to monitor their service providers for compliance.^[273] Yet other commenters expressed confusion over the term “service provider,” asking whether it would cover national consumer reporting agencies that smaller financial institutions would be hard-pressed to assess.^[274]

The Commission retains the service provider oversight requirement from proposed paragraph (f) without modification. Some high profile breaches have been caused by service providers' security failures,^[275] and the Commission views the regular assessment of the security risks of service providers as an important part of maintaining the strength of a financial institution's safeguards.

The Commission disagrees with the commenters who expressed concerns this provision, and particularly the assessment requirement, would impose undue costs on financial institutions. The Rule would require financial institutions only to assess the risks service providers present and evaluate whether they continue to provide the safeguards required by contract, which need not include extensive investigation of a service provider's systems. In the case of large service providers, this oversight may consist of reviewing public reports of insecure practices, changes in the services provided, or security failures in the services provided. In other circumstances, such as where a large company hires a vendor to secure sensitive customer information, certifications, reports, or even third-party audits may be appropriate. The exact steps required depend both on the size and complexity of the financial institution and the nature of the services provided by the service provider. For this reason, the Commission declines to adopt the suggestion to allow a financial institution to accept an information security certification from the service provider to satisfy the service provider oversight requirement. The fact that a company maintains an information security certification may be a significant part of assessing the adequacy of a service provider's safeguards, but the Commission declines to prescribe a one-size-fits all approach, given the variation in size and complexity of financial institutions and their service providers.

To avoid imposing undue costs on financial institutions, the Commission declines to require ongoing monitoring, rather than periodic assessment, as recommended by Consumer Reports. The Commission believes periodic assessment strikes the right balance between protecting consumers and imposing undue costs on financial institutions. The Commission acknowledges financial institutions may have limited bargaining power in obtaining services from large service providers and limited ability to demand access to a service provider's systems. In those cases, any sort of hands-on assessment of the provider's systems may not be possible.

As to the concern the assessment requirement will impose undue burdens on the service providers themselves, the Commission does not believe this concern justifies a modification to the proposed requirement. First, the Rule does not require “constant surveillance” by financial institutions—they are required only to “periodically assess” the risks presented by service providers. Second, as discussed above, the supervision of service providers is a vitally important aspect of information security, and while there may be some burdens on the service providers associated with being supervised, these are necessary burdens. A financial institution must be sure a service provider is protecting the information of its customers, and any expenses this involves are a necessary part of fulfilling this duty.

Finally, as to concerns about potential ambiguities in the definition of service provider, the amendments preserve the definition in the current Rule. Thus, entities subject to this requirement under the Final Rule will remain the same as under the existing Rule and may include consumer reporting agencies. As discussed above, even larger service providers such as national CRAs can be subjected to some form of review by financial institutions.^[276]

The Commission adopts proposed paragraph (f) in the Final Rule without modification.

Proposed Paragraph (g)

Paragraph (g) of the Proposed Rule retained the language of existing paragraph (e) in the current Rule, which requires financial institutions to evaluate and adjust their information security programs in light of the result of testing required by this section, material changes to their operations or business arrangements, or any other circumstances they know or have reason to know may have a material impact on their information security program. The Commission received no comments on this paragraph and adopts the language of the Proposed Rule.

Proposed Paragraph (h)

Proposed paragraph (h) required financial institutions to establish written incident response plans that addressed (1) the goals of the plan; (2) the internal processes for responding to a security event; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (6) documentation and reporting regarding security events and related incident response activities; and (7) the evaluation and revision as necessary of the incident response plan following a security event.

Several commenters supported the proposal to require an incident response plan.^[277] The Credit Union National Association observed an incident response plan “helps ensure that an entity is prepared in case of an incident by planning how it will respond and what is required for the response.” ^[278] Consumer Reports noted a rapid response to a security event can limit damage caused by the event.^[279] The Start Printed Page 70297 Princeton Center commented “a written incident response plan is an essential component of a good security system.” ^[280] HITRUST commented incident response plans can help organizations “to better allocate limited resources.” ^[281] The South Carolina Department of Consumer Affairs suggested the provision go further by requiring the incident response plan include a process for notifying senior information security personnel of the event.^[282]

Other commenters opposed requiring an incident response plan or objected to particular aspects of the requirement. Some commenters suggested requiring financial institutions to have incident response plans is outside the Commission's authority under the GLB Act.^[283] NADA argued the requirement for an incident response plan was overbroad in light of the broad definition of security event,^[284] and the requirement was vague as to what the plan should include.^[285]

Other commenters argued the requirement was too burdensome. ACE argued “the range of security events that might occur and their potential impacts on institutional capacity to recover” make establishing an incident response plan that will allow an institution to “respond to, and recover from, any security event materially affecting . . . customer information” impossible.^[286] The Mortgage Bankers Association (“MBA”) suggested “institutions of smaller sizes may not necessarily be capable of addressing all seven of the proposed goals.” ^[287] Further, the MBA argued an incident response plan requirement had “the potential to cripple small businesses under the pressure of repeatedly checking the boxes for potentially harmless events.” ^[288]

Finally, some commenters raised questions about what it means for customer information to be in a financial institution's “possession” for purposes of the incident response plan requirement. ACE argued the requirement does not adequately account for customer information held in cloud storage operated by third parties, asserting such information is not technically within the financial institution's possession.^[289] ACE suggested the provision should apply to customer information for which the financial institution is responsible, instead.^[290] Relatedly, the NPA expressed concern pawnbrokers might be subject to liability under the Proposed Rule when law enforcement agencies or their third-party vendors make public disclosures of customer information pawnbrokers are obligated to report.^[291]

The Commission retains the requirement for financial institution to develop and implement an incident response plan, with one modification described below. The Commission believes the creation of an incident response plan is directly related to safeguarding customer information and is within its authority under the GLBA. The requirement to create an incident response plan focuses on preparing financial institutions to respond promptly and appropriately to security events, and mitigating any weaknesses in their information systems in the process. By responding quickly and promptly mitigating weaknesses, financial institutions can stop ongoing or future compromise of customer information.^[292] A well-organized response to a security event can limit the number of consumers affected by an outside attacker by promptly identifying the attack and taking steps to stop the attack.

The Commission disagrees with the commenters who stated this requirement was too burdensome. The Final Rule requires incident response plans address “security event[s] materially affecting the confidentiality, integrity, or availability of customer information in [a financial institution's] control.” Significantly, the plan must address events that “materially” affect customer information. Thus, the required incident response plan does not require a plan to address every security event that may occur. The plan need not include minute details or all possible scenarios. Instead, the Rule requires the plan to establish a system—for example, by laying out clear lines of responsibility, systems for information sharing, and methods for evaluating possible solutions—that will facilitate a financial institution's response to security events regardless of the nature of the event. A detailed approach may be appropriate for some financial institutions, such as those with especially complicated systems or personnel hierarchies, but the Rule is designed to give financial institutions the flexibility needed to develop plans that best suit their needs.^[293]

Moreover, the Commission believes the requirement is clear as to what an incident response plan should include. The seven listed requirements for the incident response plans provide sufficient guidance to financial institutions designing incident response plans while giving them flexibility to design a plan suited to their organization. In addition, there are many resources for designing incident response plans available for financial institutions, as well as service providers that can assist with the design process.^[294] Individual institutions can determine the exact details of the plans.

To address questions about whether information is in the financial institution's “possession,” the Commission is revising paragraph (h) of the Final Rule to require financial institutions develop incident response plans “designed to promptly respond to, and recover from, any security event materially affecting . . . customer information in your control. ” (emphasis added) Replacing the term “possession” with “control” resolves the questions raised by ACE and the NPA regarding Start Printed Page 70298 whether financial institutions must plan for security events affecting data that has been transferred to various kinds of third parties. Where a financial institution has voluntarily opted to store its customer information in the cloud, to whatever extent the information is no longer in the “possession” of the financial institution, it is certainly within the institution's “control.” By contrast, customer information that has been obtained by a third party such as a law enforcement agency, over whom a financial institution has no authority and of whose actions the financial institution has no knowledge, cannot fairly be said to be in the financial institution's control. Consequently, the financial institution need not account for possible disclosures of that information by the third party.^[295]

Notification of Security Events to the Commission

The Commission also requested comment on whether the Rule should require financial institutions to report security events to the Commission. Several commenters supported this requirement.^[296] The Princeton University Center for Information Technology Policy noted such a reporting requirement would “provide the Commission with valuable information about the scope of the problem and the effectiveness of security measures across different entities” and “help the Commission coordinate responses to shared threats.” ^[297] The National Association of Federally-Insured Credit Unions argued requiring financial institutions to report security events to the Commission would provide an “appropriate incentive for covered financial companies to disclose information to consumers and relevant regulatory bodies.” ^[298] NAFCU also suggested notification requirements are important because they “ensure independent assessment of whether a security incident represents a threat to consumer privacy.” ^[299]

Other commenters opposed the inclusion of a reporting requirement.^[300] ACE argued such a requirement “would simply add another layer on top of an already crowded list of federal and state law enforcement contacts and state breach reporting requirements.” ^[301] ACE also suggested any notification requirement should be limited to a more restricted definition of “security event” than the definition in the Proposed Rule, so financial institutions would only be required to report incidents that could lead to consumer harm.^[302]

The Commission agrees with commenters that stated a requirement financial institutions report security events to the Commission would have many benefits, including allowing the Commission to identify emerging threats and assisting the Commission's enforcement of the Rule. In addition, such a requirement would be unlikely to create a significant burden on financial institutions because a security event that leads to notification to the Commission is very likely to create breach notification obligations under various state laws, and the financial institution will thus already be engaged in notifying consumers and state regulators. The addition of a notification to the FTC would not require any significant additional preparation or effort. However, because the notice of proposed rulemaking did not set forth a detailed proposal for a notification requirement, the Final Rule does not include such a requirement. Instead, the Commission is issuing a supplemental notice of proposed rulemaking (SNPRM) that proposes adding a requirement financial institutions notify the Commission of detected security events under certain circumstances.^[303]

Proposed Paragraph (i)

Proposed paragraph (i) required a financial institution's CISO to “report in writing, at least annually, to [the financial institution's] board of directors or equivalent governing body” regarding the following information: (1) The overall status of the information security program and financial institution's compliance with the Safeguards Rule; and (2) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.^[304] For financial institutions that did not have a board of directors or equivalent, the proposal required the CISO to make the report to a senior officer responsible for the financial institution's information security program.

One commenter supported this requirement.^[305] Additionally, several workshop participants emphasized the value of communication between information security leaders and corporate boards or their equivalent. For example, workshop participant Michele Norin stated it is “important” for the topic of information security to be discussed at the level of the board or senior leadership regularly, and at least once per year.^[306] Participant Adrienne Allen agreed annual reporting made sense as a requirement, but noted for some financial institutions, particularly those with an online presence, even more frequent communication could be beneficial.^[307]

ACE argued the Proposed Rule created too much emphasis on a single annual report and should instead focus on regular reporting to the Board or equivalent.^[308] It also expressed concern the report required by the Proposed Rule would be too detailed and would not allow the Board to see “the forest for the trees,” ^[309] the requirements for the report were too prescriptive, and the requirements focused too much on compliance rather than security.^[310] Similarly, NADA argued the report would not improve security but would instead create “unnecessary liability exposure for the board/leadership of the entity.” ^[311] HITRUST suggested Start Printed Page 70299 Qualified Individuals should be able to meet this reporting requirement by submitting a report from an information security certification program to the Board or equivalent body.^[312]

The Commission adopts the proposal as final, with one modification discussed below. This provision is intended to ensure the governing body of the financial institution is engaged with and informed about the state of the financial institution's information security program. Likewise, this will create accountability for the Qualified Individual by requiring him or her to set forth the status of the information security program for the governing body.^[313] This will help financial institutions to ensure their information security programs are being maintained appropriately and given the necessary resources. Written reports will create a record of decisions made and the information upon which they were based, which may aid future decision-making.^[314] Management involvement in information security programs can improve the strength of those programs and help to reduce breaches.^[315]

The Commission disagrees with the commenters who stated the reporting requirement would be too prescriptive. In fact, the language only requires reporting of (1) the overall status of the information security program and its compliance with this Rule; and (2) material matters related to the information security program. The language includes examples of what material matters might include, such as risk assessments and security events, but does not require all of them be included. The financial institution and the Qualified Individual will be responsible for determining what is material for their organization. The Commission does not believe these requirements call for overly detailed reports.^[316]

Although the Commission agrees a certification report from a Qualified Individual could be a part of the annual report and may cover many material matters, it may not suffice in all cases; thus, the Commission declines to include such a one-size-fits-all requirement.

As to the suggestion to require “regular” reporting, the Commission agrees more regular reporting may be the best approach for many financial institutions. To this end, the Commission modifies the requirement in the final rule to say “regularly, and at least annually.” ^[317] Beyond this modification, the Final Rule adopts proposed paragraph (i) as proposed.

Board Certification

The Commission specifically sought comment on whether the Board or equivalent should be required to certify the contents of the report. The two commenters who addressed this question stated they should not.^[318] ACE noted “governing boards generally will not have the knowledge and expertise to independently certify” the technical aspects of the report and certification might require the employment of outside auditors.^[319] The Commission agrees senior management of financial institutions will often lack the technical expertise to personally attest to its validity. In addition, the primary purpose of the required report is to encourage communication between information security personnel and senior management, not to show compliance with the Rule. Requiring the governing board to certify the contents of the report would likely transform the report into a compliance document and might reduce its efficacy as a communication between the Qualified Individual and the Board. Accordingly, the Commission declines to adopt this requirement in the Final Rule.

§ 314.5: Effective Date

The Proposed Rule set a new effective date for some portions of the Rule. Proposed § 314.5 provided certain elements of the information security program would not be required until six months after the publication of a final rule, rather than immediately upon publication. The paragraphs that would have a delayed effective date were: § 314.4(a), related to the appointment of a Qualified Individual; § 314.4(b)(1), relating to conducting a written risk assessment; § 314.4(c)(1) through (8), setting forth the new elements of the information security program; § 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment; § 314.4(e), requiring training for personnel; § 314.4(f)(3), requiring periodic assessment of service providers; § 314.4(h), requiring a written incident response plan; and § 314.4(i), requiring annual written reports from the Qualified Individual. All other requirements under the Safeguards Rule would remain in effect during this six-month period. These remaining requirements largely mirrored the requirements of the existing Rule.

All commenters that addressed this provision noted the difficulty of complying with some of the provisions of the Proposed Rule, and argued financial institutions should be given more time to comply with them. ACE suggested financial institutions be given one year to create a plan for compliance and two years to come into actual compliance.^[320] AFSA suggested compliance not be required for two Start Printed Page 70300 years.^[321] ACA International requested the effective date be one year after publication of the Rule.^[322]

The Commission agrees some financial institutions may need longer to modify their information security programs to comply with the new requirements in the Final Rule, especially given the current pandemic and the strains it is placing on businesses. Accordingly, the Final Rule extends the effective date for these enumerated provisions to one year after the publication of this document.

Proposed § 314.6: Exceptions

Proposed § 314.6 exempted financial institutions that maintain customer information concerning fewer than five thousand consumers from certain requirements of the Proposed Rule, namely § 314.4(b)(1), requiring a written risk assessment; § 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment; § 314.4(h), requiring a written incident response plan; and § 314.4(i), requiring an annual written report by the CISO (as revised, the Qualified Individual).^[323] This proposed section was designed to reduce the burden on smaller financial institutions.

The Commission sought comment on whether it was appropriate to include such an exemption, whether the specific exemptions were appropriate, whether the use of the number of customers concerning whom the financial institution retains customer information is the most effective way to determine which financial institutions should be exempted and, if so, whether five thousand customers was an appropriate number. After reviewing the comments received, the Commission retains the exemption for financial institutions with fewer than 5,000 customers as proposed.

Several commenters supported the inclusion of an exemption for small financial institutions. Consumer Reports supported the exemption as proposed.^[324] NPA supported the decision to base this exemption on the number of customers whose information the financial institution maintains, but questioned how the number of customers would be determined.^[325] NPA asked whether the number of customers would be counted on an annual basis or include all records the financial institution maintains. It also asked if each transaction with a customer would be counted separately.^[326]

Some commenters argued the number of customers whose records a financial institution maintains was the wrong measure by which to assess whether the exemption should apply. For example, commenters suggested the Rule should take into account businesses with revenue beneath a certain threshold,^[327] the number of students enrolled at covered educational institutions,^[328] or the number of individuals employed by the financial institution.^[329]

Additionally, some commenters argued the threshold for application of the exemption should be higher. ACA International suggested the exemption should apply to all financial institutions maintaining records concerning fewer than 10,000 customers.^[330] AFSA suggested a 50,000 customer threshold.^[331] NADA ^[332] and NIADA ^[333] argued the threshold should be raised to 100,000 customers. Without proposing a specific alternative, NPA expressed concern the 5,000-customer threshold may be too low, noting pawnbrokers who accept firearms as collateral are required to keep customer records related to certain transactions for twenty years.^[334]

As to the substance of the exemption, some commenters felt it did not go far enough to relieve the burden of the rule for small financial institutions. ACA International proposed eligible financial institutions should also be exempt from the requirement to designate a single qualified individual to oversee their information security programs.^[335] The National Federation of Independent Business argued businesses with 15 or fewer employees should be exempted from the Rule entirely and instead held only to a requirement to take “commercially reasonable steps” to safeguard customer information.^[336] The Small Business Administration Office of Advocacy suggested, in the absence of additional information regarding the impact of the proposed changes on small businesses, the Rule should “maintain the status quo” for small entities as defined by the Small Business Administration's size standards.^[337]

On the other hand, other commenters opposed the inclusion of any exemption. The Independent Community Bankers of America noted the Federal Financial Institutions Examination Council Interagency Guidelines Establishing Standards for Safeguarding Customer Information (“FFIEC Guidelines”), which detail how depository institutions are required to protect customer information, include no exemption for smaller institutions and suggested the Rule should also have no exemption and apply equally to all financial institutions.^[338]

Under the existing Rule, there is no exception for smaller entities. Still, the Commission continues to believe it is appropriate to exempt small businesses from some of the revised Rule's requirements. Although the FFIEC Guidelines do not exempt small businesses from its requirements, the FFIEC Guidelines regulate only depository financial institutions subject to an entirely different regulatory regime, including supervision by their regulatory agencies. While the provisions from which eligible financial institutions are exempt have significant benefits for the security of customer information and other sensitive data, ^[339] Start Printed Page 70301 those provisions may be less necessary in situations where the overall volume of retained data is low. This is true in part because the potential for cumulative consumer harm is less where fewer consumers' information may be exposed as the result of a security incident.^[340]

For similar reasons, the Commission finds the number of individuals concerning whom a financial institution maintains customer information is the appropriate measure of whether the exemption should apply to a particular financial institution. The application of the exemption should take into account both the potential burden of compliance to financial institutions and the risk to consumers when standards are relaxed—in other words, the purpose of the exemption is to avoid imposing undue burden while assuring customer information is subject to necessary protections. Even a very small financial institution, depending on its business model, may retain very large quantities of sensitive customer information.^[341] Adequate security is necessary to protect such information, which may constitute an attractive target for bad actors such as identity thieves; the value of the target is correlated with the volume of information maintained.^[342] While a business's revenue or number of employees may provide a measure of the burden of compliance for that business, these figures do not capture consumer risk. By contrast, the number of individuals about whom a financial institution maintains customer information is a proxy for the level of security necessary in light of both the risk of attack and the potential consumer harm should a security incident occur.^[343] In addition, basing the exemption on the number of individuals concerning whom a financial institution maintains customer information provides an incentive to financial institutions to reduce the amount of information they retain. A financial institution may choose to dispose of information so it holds information on few enough consumers to qualify for exemption.^[344]

The Final Rule adopts this section as proposed. The Commission continues to believe the cutoff for financial institutions maintaining information concerning 5,000 consumers appropriately balances the need for security with the burdens on smaller businesses. The requirements to which exempted financial institutions would still be required to adhere are tailored to balance the importance of adequately securing customer information against the need to limit financial burdens for small businesses. Many of these requirements were already in force as part of the existing Rule—for example, covered financial institutions were already required to design and implement a written information security program, conduct risk assessments, perform an initial assessment of their service providers, and designate one or more employees to oversee information security. For reasons discussed elsewhere in this document, the new requirements that apply to exempted financial institutions, such as the requirement to designate a single qualified individual to oversee information security rather than one or more individuals, will ensure financial institutions of all sizes continue to adequately protect customer information in an environment of increasing cybersecurity risk, while avoiding the imposition of undue burden.

IV. Paperwork Reduction Act

The Paperwork Reduction Act (“PRA”), 44 U.S.C. 35, requires Federal agencies to seek and obtain Office of Management and Budget (OMB) approval before undertaking a collection of information directed to ten or more persons.^[345] A “collection of information” occurs when ten or more persons are asked to report, provide, disclose, or record information in response to “identical questions.” ^[346] Applying these standards, neither the Safeguards Rule nor the amendments constitute a “collection of information.” ^[347] The Rule calls upon affected financial institutions to develop or strengthen their information security programs in order to provide reasonable safeguards. Under the Rule, each financial institution's safeguards will vary according to its size and complexity, the nature and scope of its activities, and the sensitivity of the information involved. For example, a financial institution with numerous employees would develop and implement employee training and management procedures beyond those that would be appropriate or reasonable for a sole proprietorship, such as an individual tax preparer or mortgage broker. Similarly, a financial institution that shares customer information with numerous service providers would need to take steps to ensure such information remains protected, while a financial institution with no service providers would not need to address this issue. Thus, although each financial institution must summarize its compliance efforts in one or more written documents, the discretionary balancing of factors and circumstances the Rule allows—including the myriad operational differences among businesses it contemplated—does not require entities to answer “identical questions” and therefore does not trigger the PRA's requirements.

The amendments to the Rule do not change this analysis because they retain the existing Rule's process-based approach, allowing financial institutions to tailor their programs to reflect the financial institutions' size, complexity, and operations, and to the Start Printed Page 70302 sensitivity and amount of customer information they collect. For example, amended § 314.4(b) would require a written risk assessment, but each risk assessment will reflect the particular structure and operation of the financial institution and, though each assessment must include certain criteria, these are only general guidelines and do not consist of “identical questions.” Similarly, amended § 314.4(h), which requires a written incident response plan, is only an extension of the preexisting requirement of a written information security plan and would necessarily vary significantly based on factors such as the financial institution's internal procedures, which officials within the financial institution have decision-making authority, how the financial institution communicates internally and externally, and the structure of the financial institution's information systems. Likewise, the proposed requirement for Qualified Individuals to produce annual reports under proposed § 314.4(i) does not consist of answers to identical questions, as the content of these reports would vary considerably between financial institutions and Qualified Individuals are given flexibility in deciding what to include in the reports. Finally, the modification of the definition of “financial institution” to include “activities incidental to financial activities” and therefore bring finders under the scope of the Rule do not constitute a “collection of information,” and therefore do not trigger the PRA's requirements.

V. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (IRFA) with a proposed Rule, or certify that the proposed Rule will not have a significant impact on a substantial number of small entities.^[348] The Commission published an Initial Regulatory Flexibility Analysis in order to inquire into the impact of the Proposed Rule on small entities. In response, the Commission received comments that argued the revision to the Safeguards Rule would be unduly burdensome for smaller financial institutions. The discussion below summarizes these comments and the Commission's response to them.

1. Description of the Reason for Agency Action

The Commission issues these amendments to clarify the Safeguards Rule by including a definition of “financial institution” and related examples in the Safeguards Rule rather than incorporating them from the Privacy Rule by reference. The amendments also expand the definition of “financial institution” in the Rule to include entities engaged in activities incidental to financial activities. This change would bring “finders” within the scope of the Rule. This change harmonizes the Rule with other agencies' rules and requires finders that collect consumers' sensitive financial information to comply with the Safeguards Rule's process-based approach to protect that data.

In addition, the amendments modify the Safeguards Rule to include more detailed requirements for the information security program required by the Rule.

2. Issues Raised by Comments in Response to the IRFA

As stated above, the Commission received several comments that argued the revised Safeguards Rule would impose unduly heavy burdens on smaller businesses. The Small Business Administration's Office of Advocacy commented it was concerned the FTC had not gathered sufficient data as to either the costs or benefits of the proposed changes for small financial institutions. The FTC shares the Office of Advocacy's interest in ensuring regulatory changes have an evidentiary basis. Many of the questions on which the FTC sought public comment, both in the regulatory review and in the proposed rule context, specifically related to the costs and benefits of existing and proposed Rule requirements. Following the initial round of commenting, the Commission conducted the FTC Safeguards Workshop and solicited additional public comments with the explicit goal of gathering additional data relating to the costs and benefits of the proposed changes.^[349] As detailed throughout this document, the Commission believes there is a strong evidentiary basis for the issuance of the Final Rule.

The Office of Advocacy also argued the Proposed Rule's requirements were unduly prescriptive and should not be enacted as they apply to small businesses until the Commission can “ascertain the quantitative impact on small entities.” ^[350] The Office of Advocacy, along with other commenters, argued the amendments taken together would create a large burden on smaller financial institutions. In particular, commenters pointed to the requirements that financial institutions appoint a chief information security officer, customer information be encrypted, financial institutions utilize multi-factor authentication, and financial institutions regularly update training programs. These comments and the Commission's response are discussed at length above. Most commenters did not provide any specific estimates of these expenses, but two commenters did provide a summary of their expected expenses.

As discussed in the document, the Commission believes any burden imposed by the revised Rule is substantially mitigated by the fact the Rule continues to be process-based, flexible, and based on the financial institution's size and complexity. In addition, the amendments exempt institutions that maintain information on fewer than 5,000 consumers from certain requirements that require additional written product and might pose a greater burden on smaller entities. The Commission believes most of the entities covered by the exemption will be small businesses. Finally, the Commission believes all financial institutions, including small businesses, that comply with the current Safeguards Rule will already be in compliance with most of the new provisions of the revised Rule as part of their current information security program.

In addition, in response to the comments concerned about the burden of the amendments, the Commission extended the effective date from six months after the publication of the Final Rule to one year after the publication to allow financial institutions additional time to come into compliance with the revised Rule. In addition, in response to comments that argued hiring a chief information security officer would be prohibitively expensive for small financial institutions, the Commission amended the rule to clarify such an employee was not required for all financial institutions. The Final Rule is modified to clarify a financial institution need only appoint an individual who is qualified to coordinate its information security program, and those qualifications will vary based on the complexity of the program and size and nature of the Start Printed Page 70303 financial institution. The Commission also clarified employee training programs need to be updated only as necessary, to respond to a comment regular updating would be difficult for smaller financial institutions.

3. Estimate of Number of Small Entities to Which the Amendments Will Apply

As previously discussed in the IRFA, determining a precise estimate of the number of small entities ^[351] —including newly covered entities under the modified definition of financial institution—is not readily feasible. Financial institutions already covered by the Rule as originally promulgated include lenders, financial advisors, loan brokers and servicers, collection agencies, financial advisors, tax preparers, and real estate settlement services, to the extent they have “customer information” within the meaning of the Rule. Finders are also covered under the Final Rule. However, it is not known whether any finders are small entities, and if so, how many there are. The Commission requested comment and information on the number of “finders” that would be covered by the Rule's modified definition of “financial institution,” and how many of those finders, if any, are small entities. The Commission received no comments that addressed this question.

4. Projected Reporting, Recordkeeping, and Other Compliance Requirements

The Rule does not impose any reporting or any specific recordkeeping requirements as discussed earlier. See supra Section IV (Paperwork Reduction Act). With regard to other compliance requirements, the addition of definitions and examples from the Privacy Rule is not expected to have an impact on covered financial institutions, including those that may be small entities. (The preceding section of this analysis discusses classes of covered financial institutions that may qualify as small entities.) The addition of “finders” to the definition of financial institutions imposes the obligations of the Rule on entities that engage in “finding” activity and also collect customer information.

The addition of more detailed requirements may require some financial institutions to perform additional risk assessments or monitoring, or to create additional safeguards as set forth in the Proposed Rule. These obligations may require institutions to retain employees or third-party service providers with skills in information security, but, as discussed above, the Commission believes most financial institutions will have already complied with many parts of the Rule as part of their information security programs required under the existing Rule. There may be additional related compliance costs ( e.g., legal, new equipment or systems, modifications to policies or procedures), but, as discussed above, the Commission believes these are limited by several factors, including the flexibility of the Rule, the existing safeguards in place to comply with the existing Rule, and the exemption for financial institutions that maintain less consumer information.

Although two commenters provided summaries of the expected expenses for some financial institutions to comply with the Rule, those estimates did not provide sufficient detail to fully evaluate whether they were accurate or representative of other financial institutions and appeared to be based, at least in part, on a misunderstanding of the requirement to appoint a Qualified Individual. The Commission believes, for most smaller financial institutions, there are very low-cost solutions for any additional duties imposed by the Final Rule. This view is supported by the comments of several experts at the Safeguards Rule Workshop.^[352]

The Commission believes the protection of consumers' financial information is of the utmost importance and the cost of the safeguards required to provide that protection is justified and necessary. The Commission carefully balanced the cost of these requirements with the need to protect consumer information and has made every effort to ensure the Final Rule retains flexibility so financial institutions can tailor information security programs to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives

The standards in the Final Rule allow a small financial institution to develop an information security program appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. The amendments include certain design standards ( e.g., a company must implement encryption, authentication, and incident response) in the Rule, in addition to the performance standards (reasonable security) the Rule currently uses. As discussed, while these design standards may introduce some additional burden, the Commission believes many financial institutions' existing information security programs already meet most of these requirements. In addition, the requirements in the Final Rule, like those in the existing Rule, are designed to allow financial institutions flexibility in how and whether they should be implemented. For example, the requirement encryption be used to protect customer information in transit and at rest may be met with effective alternative compensating controls if encryption is infeasible for a given financial institution.

In addition, the amendments exempt financial institutions that maintain relatively small amounts of customer information from certain requirements of the Final Rule. The exemptions would apply to financial institutions that maintain customer information Start Printed Page 70304 concerning fewer than ten thousand consumers. The Commission believes exempted financial institutions are generally, but not exclusively, small entities. Such financial institutions are not required to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessment, prepare a written incident response plan, or prepare an annual written report by the Qualified Individual. These exemptions are intended to reduce the burden on smaller financial institutions. The Commission believes the obligations subject to these exemptions are the ones most likely to cause undue burden on smaller financial institutions.

Exempted financial institutions will still need to conduct risk assessments, design and implement a written information security program with the required elements, utilize qualified information security personnel and train employees, monitor activity of authorized users, oversee service providers, and evaluate and adjust their information security program. These are core obligations under the Rule any financial institution that collects customer information must meet, regardless of size.

The Commission considered allowing compliance with a third-party data security standard, such as the NIST framework, to act as a safe harbor for compliance with the Rule. The Commission, however, determined any reduction of burden created by allowing such safe harbors is offset by issues they would cause. For example, such safe harbors would require the Commission to monitor the third-party standard or standards to determine whether they continued to align with the Safeguards Rule. In addition, the Commission would still have to investigate a company's compliance with the outside standard in any enforcement action. The Commission also does not agree compliance with an outside standard is likely to be less burdensome than complying with the Safeguards Rule itself.

VI. Other Matters

Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq. ), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 314

• Consumer protection
• Credit
• Data protection
• Privacy
• Trade practices

For the reasons stated above, the Federal Trade Commission amends 16 CFR part 314 as follows:

PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

1. The authority citation for part 314 continues to read as follows:

Authority: 15 U.S.C. 6801(b), 6805(b)(2).

2. In § 314.1, revise paragraph (b) to read as follows:

3. Revise § 314.2 to read as follows:

4. In § 314.3, revise paragraph (a) to read as follows:

5. Revise § 314.4 to read as follows:

6. Revise § 314.5 to read as follows:

7. Add § 314.6 to read as follows:

Note:

The following appendix will not appear in the Code of Federal Regulations.

Appendix—Statements Issued on October 27, 2021

Statement of Chair Lina M. Khan Joined by Commissioner Rebecca Kelly Slaughter Regarding Regulatory Review of the Safeguards Rule

Today the FTC is significantly strengthening the Safeguards Rule,^[1] first promulgated by the FTC twenty years ago pursuant to a Congressional directive to protect personal information that is stored by financial institutions. This revamping—the first time in the Rule's history—is sorely needed. In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily.^[2] The amendments adopted today require financial institutions to develop information security programs that can meet the challenges of today's security environment.

For Americans, the harms stemming from the types of security vulnerabilities that this Rule addresses are all too real. Victims of breaches have their most sensitive information exposed, making them more vulnerable to identity theft, phishing attacks, and other forms of fraud.^[3] In 2018, almost 10 percent of Americans suffered some form of identity theft, costing many of them hundreds of dollars and dozens of hours of time, an experience that many describe as distressing.^[4] For some, the cost is much higher, with victims losing tens of thousands of dollars.^[5]

The Rule amendments the FTC is issuing today are strongly supported by the evidence in the record.^[6] The evidence gathered from information security experts, industry associations, and consumer groups—those with hands-on experience in the area and knowledge of the field—decisively show that the amendments are necessary. Of course, all of this information supplements the experience that Commission staff has obtained over twenty years of enforcing the Rule, and gained through investigations of companies' data security practices under the FTC's deception and unfairness authority.

The dissent's conclusion that these amendments are unnecessary is belied by both the reality of rampant data security breaches as well as the robust evidentiary record. The recent history of major data breaches affecting millions of consumers shows that more needs to be done to protect consumers' sensitive information. Despite the increasing sophistication of cyberattacks, many businesses continue to offer inadequate security.^[7] In particular, the massive Equifax breach, which the FTC alleged was caused by inadequate data security that could have been easily corrected by the company, is a glaring example of how a financial institution's lax security practices can have devastating consequences for Americans.^[8] The dissent's suggestion that our current framework is sufficient falls flat in the face of such a stark example of the harm that can arise from avoidable lax security practices by covered financial institutions. Moreover, the dissent's complaint that the rule is also informed by evidence arising from breaches and practices occurring in other types of industries misses the mark. Not only is there substantial evidence in the rulemaking record clearly illustrating security lapses of financial institutions that are covered by the Rule,^[9] but the implication that we shouldn't use our broader knowledge of common security pitfalls is unwise.

The record evidence also shows that the amendment's requirements track bedrock principles of data security and represent proven elements of effective data security programs that reduce the risk of breaches. ^[10] Start Printed Page 70310 The amended Rule requires that financial institutions' information security plans address such core concepts as controlling who is accessing their system,^[11] understanding their system,^[12] monitoring what users do in their system,^[13] and protecting the information contained in their system.^[14] More particularly, it also requires encryption of customer information and the use of multifactor authentication. Adopting these practices will reduce the chances of a breach occurring.

In fact, it is likely that the massive breach at Equifax could have been prevented or mitigated by adopting practices required by these amendments. For example, the Commission's complaint alleged that the vulnerability that led to the breach was not detected for four months because Equifax's automated vulnerability scanner was not configured to scan all of the networks in the system, something that could have been prevented if Equifax had performed an adequate inventory of its system as required by § 314.4(c)(2) of the amended Rule.^[15] Equifax allegedly did not encrypt the data of 145 million consumers as required by § 314.4(c)(3) of the amended Rule; such encryption might have prevented the intruders from misusing individuals' sensitive information, even if they were able to obtain it.^[16] In addition, the complaint charged that Equifax did not adequately monitor activity on its network, which allowed intruders to access and use their network undetected for months; such monitoring will be required by § 314.4(c)(8).^[17] Finally, and perhaps most importantly, Equifax split authority over its information security program between two people, which caused failures of communications and oversight.^[18] Indeed, the U.S. House Committee on Oversight and Government identified Equifax's organization as one of the major causes of the breach.^[19] Appointing a single Qualified Individual as the coordinator of Equifax's information security system, as required by § 314.4(a) of the amended Rule, could have helped prevent or limit the scope of one of the largest breaches in American history. By implementing the measures required in the amended Rule, financial institutions will prevent or mitigate many future breaches, protecting consumers and their information.

There is also no support for the dissent's notion that the amendments eliminate financial institutions' flexibility in a way that will hurt smaller businesses. The amendments require that information security programs address certain aspects of security, but do not prescribe any particular method for doing so. Specifically, the amended Rule requires that the information security program address areas such as access control, change management, information disposal, and monitoring user activity, but it does not require that financial institutions take any particular action in those areas. In fact, the Rule recognizes the concerns of small businesses and adopts appropriate flexibilities. Section 314.6 of the revised Rule exempts financial institutions that maintain information concerning fewer than 5,000 consumers from certain requirements. In addition, financial institutions with smaller and simpler systems may determine that minimal procedures are required in those areas, and they retain flexibility under these amendments to follow that route. Moreover, the record contains significant evidence that there are free and low-cost solutions for smaller businesses with more modest data security needs.^[20]

We believe that these amendments represent a much-needed step forward in protecting Americans' data security. Given growing recognition that the requirements captured in the Rule represent best practices, some financial institutions seem to have already taken appropriate steps to protect customers' data and meet the requirements set out in the amended Rule. It is important, though, to require those that lag behind to strengthen their security and prevent future breaches before they occur, rather than in the wake of a devastating breach after the damage has already been done.

Joint Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson in the Matter of the Final Rule Amending the Gramm-Leach-Bliley Act's Safeguards Rule

In 1999, Congress passed the Gramm-Leach-Bliley Act, which charged the Federal Trade Commission (the “Commission”) with promulgating and enforcing a regulation to ensure that financial firms take care to safeguard the information they collect from consumers.^[1] The Safeguards Rule ^[2] has established more data security obligations for consumer financial data than for data collected by non-financial firms, a gap that underlies our view—shared by our colleagues—that congressional data security legislation is warranted.

One hallmark of the Safeguards Rule is its recognition that, in a world of continuously evolving threats and standards, a one-size-fits-all approach to data security may not work. Under Democratic and Republic leadership, the Commission has repeatedly emphasized this principle.^[3] We have traditionally eschewed an overly prescriptive approach, both to data security in general and to the Safeguards Rule itself.^[4] The FTC has never demanded “perfect” security because the Commission has recognized that data security is neither cost- nor consequence-free, and often requires tradeoffs.^[5] At the same time, during our tenure, the Commission has continued to enforce data security standards vigorously, including those embodied in the Safeguards Rule.^[6]

In March 2019, the Commission approved a Notice of Proposed Rulemaking (“NPRM”) proposing additional requirements to the Safeguards Rule. While we recognize the value in regularly reviewing our rules and updating them as needed, we dissented then because the proposal lacked data demonstrating the need for and efficacy of the proposed amendments.^[7]

We appreciate Staff's diligent work on this rule and many of the modifications made to the original proposal. The Federal Register Notice does a commendable job of presenting the full panoply of comments that the Commission received. The FTC is at its best when it seeks input from experts, industry, and consumer groups; this rulemaking process reflects a commitment to that approach. But the comment period did not produce data demonstrating that the previous iteration of the rule was inadequate, or that the costs and consequences of the new prescriptive obligations will translate into actual consumer safeguards. That was our concern, and the comments did not allay it.

In fact, as several commenters observed, the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions. It is ironic that the revisions mandate a risk assessment and then order firms to prioritize specified precautions ahead of the risks and needs counseled by that assessment. The revisions also impose intrusive corporate governance obligations wholly unsupported by record evidence of prevalent failures at the senior managerial level.

For these reasons, which we explain more fully below, we dissent.

The Record Fails To Provide a Basis for the New Requirements

We expressed concern in March 2019 that some of the proposals in the NPRM tracked issues that arose in cases involving firms not covered by the Safeguards Rule. That is, those failures occurred at companies to which the Safeguards Rule did not apply. And heightened obligations imposed in a settlement context, when a company has engaged in risky and allegedly illegal behavior, may not be appropriate for all market participants. We did not see evidence that covered firms had a systematic problem— i.e., that the Rule was not Start Printed Page 70312 working.^[8] The Commission can—and does— promote best practices and reasonable care requirements through speeches, guidance, reports, and the like, to help financial firms evaluate whether they are taking proper precautions.^[9] But new rules that set concrete standards for all companies, regardless of risk, require more justification. Such rules make companies liable for penalties, and could focus efforts on compliance to address penalty deterrence rather than risk.

Dozens of commenters have shared their views on the Safeguards proposal, and FTC Staff held a workshop to evaluate the need to change the Rule. While there is no shortage of opinions as to the need and benefits of the proposed changes (nor is there a shortage of opinions critiquing the new requirements), this process failed to provide evidence of market failure or other systemic problems ^[10] necessitating the proposed changes for firms already governed by the requirements of the Rule. In fact, one commenter that generally supported the rule changes noted that it was not clear that the new rules would have prevented the alleged lapses that led to the Equifax breach, the largest Safeguards case on record.^[11]

That these proposals may constitute best practices appropriate to certain firms or situations does not justify imposing them on every firm and in every situation.^[12] The FTC historically has been appropriately cautious in mandating specific security practices, and we see no sound basis in the rulemaking record to change that approach.^[13]

The Revised Safeguards Rule Is Premature

In our 2019 statement, we expressed concern that the proposals in the NPRM were premature. They are based in large part on the New York Department of Financial Service data security rules,^[14] adopted in 2016. At the same time, Congress and the Executive Branch were evaluating new privacy and data security legislation that may overlap with the proposed amendments.^[15]

Since our original statement, we have been provided with no additional information on the impact and efficacy of the NYDFS rules.^[16] Without this critical input, we do not believe adopting wholesale the NYDFS approach is the prudent course.^[17] We would have been better served by monitoring the efficacy, costs and unintended consequences of the NYDFS rules during this ramp-up period. Imposing similar rules on far more firms across a broader array of industries makes even less sense.

Congress, with the encouragement of the Commission, has continued to consider legislative initiatives in this area. Throughout 2019, 2020 and 2021, we saw the release of several draft bills addressing data security, as well as privacy.^[18] And other developments, such as data security requirements of the General Data Protection Regulation ^[19] and new cybersecurity incidents ^[20] ensure that Start Printed Page 70313 these issues will continue to draw congressional attention. The decisions about tradeoffs in this space are complex and significant for consumers, business, and government; intrusive mandates are best left to the people's representatives rather than to the vagaries of the administrative rulemaking process.^[21]

The Revised Rules Inhibit Flexibility and Impose Substantial Costs

The Safeguards Rule originally drafted and evaluated by the Commission embraced a flexible approach, emphasizing protections targeted to a company's size and risk profile.^[22] As we wrote in 2019, these new rules move us away from that approach; that loss of flexibility will impose costs without necessarily improving safeguards for consumer data, which should be the point of this exercise.

Commenters and the Commission itself have noted that there are financial impacts to these new requirements.^[23] The Small Business Administration's Office of Advocacy stated its belief that the Commission itself does not appear to understand fully the economic impact of the proposed changes to the Safeguards Rule.^[24]

The burden of these new rules may also reduce competition and innovation, as smaller firms less able to absorb the financial costs cede ground to larger firms better equipped to handle new regulatory mandates.^[25]

Security itself may also suffer. A series of specific rules can incentivize companies to move from a thoughtful assessment of risk and precautions to a check-the-box exercise to ensure that they are complying with regulatory mandates—in other words, from a focus on real security to an emphasis on rule compliance.^[26] One commenter cited data demonstrating that when security personnel are busy with compliance and regulatory response, they have less time to focus on a firm's actual security needs.^[27] Further, without the flexibility to prioritize, finite resources may be diverted to areas of lower risk but higher regulatory scrutiny;^[28] commenters noted the irony of mandating a risk assessment and then ordering firms to prioritize specified precautions ahead of the risks and needs counseled by that assessment.^[29] And potentially innovative security practices that address changing threats and needs may be discouraged.^[30] As Start Printed Page 70314 one commenter noted, “[e]ven today's best practices will be overtaken by future changes in both technology and the capabilities of threat actors,” ^[31] and these proscriptive rules lose the “self-modernizing” nature of flexible requirements,^[32] locking in place the primacy of current practices.^[33]

The reduction in flexibility and imposition of these costs must be justified by a significant reduction in risk or some other substantial consumer benefit. But the record provides scant support for these tradeoffs. Or as one commenter put it:

[A]s with many of these requirements, we do not take issue with the notion that there is merit to this step [requiring monitoring], and that many financial institutions will implement some version of this control. However, by making this an explicit, stand-alone requirement, the Commission is enshrining costs and efforts that will be extensive and will likely not be needed in all circumstances.^[34]

The Rules Involve the FTC in the Internal Governance Decisions of Covered Firms

The specifics of the proposals also raise issues, as we expressed in 2019, with regard to mandating the appropriate level of board engagement,^[35] hiring and training requirements,^[36] and program accountability structures.^[37] We wrote then, and remain concerned now, that the Commission is substituting its own judgement about governance decisions for those of private companies covered by this Rule.

In certain extraordinary cases involving clear evidence of management failure, we have imposed prescriptive governance obligations on respondents.^[38] Those rare and egregious instances cannot justify a similar approach in a broad rulemaking absent a real record of widespread corporate mismanagement or failure at the senior management level.

The Commission has elected to proceed with most of these governance requirements, forcing the hand of management and shifting their priorities to avoid the risk of regulatory action,^[39] without clear evidence of their need or efficacy.

Conclusion

Regularly reviewing our rules to ensure that they address the current environment is an important part of the FTC's regular process. But rules have far-reaching and frequently unintended impacts in the real world; when imposing additional legal obligations in the rulemaking context, we must do so with great care. The amended Safeguards Rule replaces a rule that has worked well for 20 years, a rule that took a principle-based approach in order to provide financial institutions flexibility to determine the appropriate and realistic security safeguards for their organizations. The record before us at best fails to convince that the changes are necessary and at worst raises concern about the substantial costs and risks in imposing these amendments. Accordingly, we dissent.

Footnotes