Standards for Safeguarding Customer Information, 70272-70314 [2021-25736]

70272 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084–AB35

Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Final rule.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) is issuing a final rule (“Final Rule”) to amend the Standards for Safeguarding Customer Information (“Safeguards Rule” or “Rule”). The Final Rule contains five main modifications to the existing Rule. First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies. Third, it exempts financial institutions that collect less customer information from certain requirements. Fourth, it expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporating them from the Privacy of Consumer Financial Information Rule (“Privacy Rule”).

DATES: Effective date: This rule is effective January 10, 2022. Applicability date: The provisions set forth in § 314.5 are applicable beginning December 9, 2022.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202–326–2773), Katherine McCarron (202–326–2333), or Robin Wetherill (202–326–2220), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

Congress enacted the Gramm-Leach-Bliley Act (“GLB” or “GLBA”) in 1999.[1] The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions’ privacy practices and about their opt-out rights, and to implement security safeguards for customer information. Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.[2] Pursuant to the Act’s directive, the Commission promulgated the Safeguards Rule (16 CFR part 314) in 2002. The Safeguards Rule became effective on May 23, 2003.

[1] Public Law 106–102, 113 Stat. 1338 (1999).
The current Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.[3] The information security program must be written in one or more readily accessible parts.[4] The safeguards set forth in the program must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.[5] The safeguards must also be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.[6] In order to develop, implement, and maintain its information security program, a financial institution must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.[7] The financial institution must then design and implement safeguards to control the risks identified through the risk assessment, and must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.[8] The Rule also requires the financial institution to evaluate and adjust its information security program in light of the results of this testing and monitoring, any material changes in its operations or business arrangements, or any other circumstances it knows or has reason to know may have a material impact on its information security program.[9] The financial institution must also designate an employee or employees to coordinate the information security program.[10] Finally, the current Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.[11]

[2] See 15 U.S.C. 6801(b), 15 U.S.C. 6805(b)(2).
[3] 16 CFR 314.2(c).
[4] 16 CFR 314.3(a).
[5] 16 CFR 314.3(a), (b).
[6] 16 CFR 314.3(a), (b).
[7] 16 CFR 314.4(b).
[8] 16 CFR 314.4(c).
[9] 16 CFR 314.4(e).
[10] 16 CFR 314.4(a).
[11] 16 CFR 314.4(d).

II. Regulatory Review of the Safeguards Rule

On September 7, 2016, the Commission solicited comments on the Safeguards Rule as part of its periodic review of its rules and guides.[12] The Commission sought comment on a number of general issues, including the economic impact and benefits of the Rule; possible conflicts between the Rule and state, local, or other Federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes. The Commission received 28 comments from individuals and entities representing a wide range of viewpoints.[13] Most commenters agreed there is a continuing need for the Rule and it benefits consumers and competition.[14] On April 4, 2019, the Commission issued a notice of proposed rulemaking (NPRM) setting forth proposed amendments to the Safeguards Rule (the “Proposed Rule”).[15] In response, the Commission received 49 comments from various interested parties including industry groups, consumer groups, and individual consumers.[16] On July 13, 2020, the Commission held a workshop concerning the proposed changes and conducted panels with information security experts discussing subjects related to the Proposed Rule.[17] The Commission received 11 comments following the workshop.[18] After reviewing the initial comments to the Proposed Rule, conducting the workshop, and then reviewing the comments received following the workshop, the Commission now issues final amendments to the Safeguards Rule.

[12] Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7, 2016).
[13] The 28 public comments received prior to March 15, 2019, are posted at: https://www.ftc.gov/policy/public-comments/initiative-674.
[14] See, e.g., Mortgage Bankers Association (comment 39, NPRM); National Automobile Dealers Association (comment 40, NPRM); Data & Marketing Association (comment 38, NPRM); Electronic Transactions Association (comment 24, NPRM); State Privacy & Security Coalition (comment 26, NPRM).
[15] FTC Notice of Proposed Rulemaking, 84 FR 13158 (April 4, 2019).

III. Overview of Final Rule

As noted above, the Final Rule modifies the current Rule in five primary ways. First, the Final Rule amends the current Rule to include more detailed requirements for the development and establishment of the information security program required under the Rule. For example, while the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the Final Rule sets forth specific criteria for what the risk assessment must include, and requires the risk assessment be set forth in writing.
As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. And while the Final Rule retains the requirement from the current Rule that financial institutions provide employee training and appropriate oversight of service providers, it adds mechanisms designed to ensure such training and oversight are effective. Although the Final Rule has more specific requirements than the current Rule, it still provides financial institutions the flexibility to design an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

Second, the Final Rule adds requirements designed to improve accountability of financial institutions’ information security programs. For example, while the current Rule allows a financial institution to designate one or more employees to be responsible for the information security program, the Final Rule requires the designation of a single Qualified Individual. The Final Rule also requires periodic reports to boards of directors or governing bodies, which will provide senior management with better awareness of their financial institutions’ information security programs, making it more likely the programs will receive the required resources and be able to protect consumer information.

Third, recognizing the impact of the additional requirements on small businesses, the Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.

Fourth, the Final Rule expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finders often collect and maintain very sensitive consumer financial information, and this change will require them to comply with the Safeguards Rule’s requirements to protect that information. This change will also bring the Rule into harmony with other Federal agencies’ Safeguards Rules, which include activities incidental to financial activities in their definition of financial institution.

Finally, the Final Rule includes several definitions and related examples, including of “financial institution,” in the Rule itself rather than incorporating them from a related FTC rule, the Privacy of Consumer Financial Information Rule, 16 CFR part 313. This will make the rule more self-contained and will allow readers to understand its requirements without referencing the Privacy Rule.

[16] The 49 relevant public comments received on or after March 15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, https://www.regulations.gov/docket/FTC-20190019/document.
[17] See FTC, Information Security and Financial Institutions: An FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshopfull.pdf [hereinafter Safeguards Workshop Tr.].
[18] The 11 relevant public comments relating to the subject matter of the July 13, 2020, workshop can be found at https://www.regulations.gov/document/FTC-2020-0038-0001. This document cites comments using the last name of the individual submitter or the name of the organization, followed by the number based on the last two digits of the comment ID number.
IV. Section-by-Section Analysis

General Comments

The Commission received 49 comments in response to the NPRM for the Proposed Rule, from a diverse set of stakeholders, including industry groups, individual businesses, consumer advocacy groups, academics, information security experts, government agencies, and individual consumers. It also hosted a workshop on the Proposed Rule, which included approximately 20 security experts. Some of the comments simply expressed general support[19] or general disapproval[20] of the Proposed Rule. Many, however, offered detailed responses to specific proposals in the NPRM. In general, industry groups were opposed to most or all of the Proposed Rule, and consumer advocacy groups, academics, and security experts were generally in favor of the amendments. The comments and workshop record are discussed in the following Section-by-Section analysis.

Sec. 314.1: Purpose and Scope

The Purpose and Scope section of the current Rule generally states the Rule implements the Gramm-Leach-Bliley Act and applies to the handling of customer information by financial institutions over which the FTC has jurisdiction. In its NPRM, the Commission proposed adding a definition of “financial institution” modeled on the definition included in the Commission’s Privacy Rule (16 CFR part 313) and a series of examples providing guidance on what constitutes a financial institution under the Commission’s jurisdiction. Other than expanding the definition of “financial institution” as discussed below, the new language was not meant to reflect a substantive change to the Safeguards Rule; rather, it was meant to allow the Rule to be read on its own, without reference to the Privacy Rule.[21] The Commission received no comments that addressed this section specifically, and the Commission adopts the language of the Proposed Rule in the Final Rule.[22]

[19] See Encore Capital Group (comment 25, NPRM); Justine Bykowski (comment 12, NPRM); “Peggy from Bloomington, MN” (comment 13, NPRM); “Anonymous” (comment 20, NPRM).
[20] “Jane Q. Citizen” (comment 14, NPRM).
[21] In a separate final rule, published elsewhere in this issue of the Federal Register, the Commission is amending the Privacy Rule to reflect changes made by the Dodd-Frank Act, limiting that rule to certain auto dealers. Through that proceeding, the Commission is also removing examples of financial institutions from the Privacy Rule that are no longer covered under the rule in the wake of these changes.

Sec. 314.2: Definitions

The Proposed Rule added a number of definitions to § 314.2. The Proposed Rule also retained paragraph (a), which states terms used in the Safeguards Rule have the same meaning as set forth in the Privacy Rule.
The American Council on Education (ACE) suggested all terms from the Privacy Rule, such as “consumer,” “customer,” and “customer information,” be included in the Final Rule in order to make the Final Rule easier for regulated entities to understand.[23] On the other hand, HITRUST recommended no definitions from the Privacy Rule be duplicated in the Safeguards Rule, reasoning that in the event of a need to amend the terms, it would require the amendment of two rules rather than one.[24] The Commission is persuaded including all terms from the Privacy Rule within the Safeguards Rule will improve clarity and ease of use. Accordingly, the Commission has determined to delete paragraph (a), since it is no longer necessary to state all terms in the Safeguards Rule have the same meaning as in the Privacy Rule. It also adds the Privacy Rule definitions of “consumer,” “customer,” “customer relationship,” “financial product or service,” “nonpublic personal information,” “personally identifiable financial information,” “publicly available information,” and “you” to the definitions in the Final Rule. No substantive change to these definitions is intended.

[22] Several commenters addressed the change to the definition of “financial institution.” Those comments are addressed in the discussion of the definition of “financial institution” below.
[23] American Council on Education (comment 24, NPRM), at 7.
[24] HITRUST (comment 18, NPRM), at 2.

Authorized User

The Proposed Rule added a definition for the term “authorized user” as paragraph (b). Proposed paragraph (b) defined an authorized user of an information system as any employee, contractor, agent or other person that participates in your business operations and is authorized to access and use any of your information systems and data. This term was used in § 314.4(c)(10) of the Proposed Rule, which required financial institutions to implement policies to monitor the activity of “authorized users” and detect unauthorized access to customer information.

The Commission received one comment on this proposed definition from the National Automobile Dealers Association (NADA), which suggested the term “authorized user” was used inconsistently and was too vague.[25] NADA pointed out while “authorized user” is a defined term, the term “authorized individual” was used in proposed § 313.4(c)(1) (addressing access controls for information systems) and (c)(3) (addressing access controls for physical data). NADA also argued the inclusion of “other person that participates in the business operations of an entity” within the definition of “authorized user” was unclear and created ambiguity in its application.[26] The Commission agrees with NADA’s points, and, in response, modifies the Final Rule in two ways. First, the Final Rule replaces the term “authorized individual” with “authorized user” in § 313.4(c)(1). As described further below, because the Final Rule combines § 313.4(c)(3) with § 313.4(c)(1), there is no need to make a corresponding change to that section. Second, because the Commission agrees the ambiguities in the definition of “authorized user” from the Proposed Rule could create confusion, it makes several changes to the definition. It deletes the phrase “other person that participates in the business operations of an entity.” The Commission agrees this phrase was vague.

The Commission had intended it to cover any person the financial institution allows to access information systems or data, including, for example, “customers” of the financial institutions. For the purpose of controlling authorized access and detecting unauthorized access (which is where the definition of “authorized user” appears), financial institutions should monitor anomalous patterns of usage of their systems, not only by employees and agents, but also by customers and other persons authorized to access systems or data. To clarify this point, the Commission adds “customer or other person” to the definition of “authorized users.” The Commission intends that the definition of “authorized users” should include anyone who the financial institution authorizes to access an information system or data, regardless of whether that user actually uses the data. Thus, for clarity, the Commission has deleted the requirement that the authorized user be authorized to use the information system or data. Finally, the definition of authorized user should include users who can access both “information systems and data” and users authorized to access either information systems or data. Accordingly, for clarification purposes, the Commission modifies the definition of authorized user in the Final Rule as any employee, contractor, agent, customer or other person that is authorized to access any of your information systems or data.

[25] National Automobile Dealers Association (comment 46, NPRM), at 11–12.
[26] National Automobile Dealers Association (comment 46, NPRM), at 11–12.

Security Event

In proposed paragraph (c), the Commission defined security event as an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system. This term was used in provisions requiring financial institutions to establish a written incident response plan designed to respond to security events. It also appeared in the provision requiring the coordinator of a financial institution’s information security program to provide an annual report to the financial institution’s governing body; the required report must identify all security events that took place that year. Commenters expressed three main concerns with this definition. The first relates to whether the term “security event” should be expanded to instances in which there is unauthorized access to, or disruption or misuse of, information in physical form, as opposed to electronic form.

The Proposed Rule used the term “security event” instead of “cybersecurity event” to clarify that an information security program encompasses information in both digital and physical forms and that unauthorized access to paper files, for example, would also be a security event under the Rule. The Money Services Round Table (MSRT), however, noted despite the use of the more general “security” in the defined term, the definition itself is limited to events involving information systems.[27] The Commission agrees this creates a contradiction. Accordingly, the Final Rule includes the compromise of customer information in physical form in the definition of “security event.”

Second, some industry groups argued a “security event” should occur only when there is “unauthorized access” to an information system, not in cases in which there has been a “disruption or misuse” of such systems (e.g., a ransomware attack).[28] These commenters argued the disruption or misuse of information systems is not directly related to the protection of customer information and is, therefore, outside the Commission’s statutory authority.[29] The Commission disagrees. Requiring a financial institution to protect against disruption and misuse of its information system is within the Commission’s authority under the GLBA, which directed the Commission to promulgate a rule that required financial institutions “to protect against any anticipated threats or hazards to the security or integrity” of customer information. A disruption or misuse of an information system will be, in many cases, a threat to the “integrity” of customer information. In addition, disruption or misuse may also indicate the existence of a security weakness that could be exploited to gain unauthorized access to customer information. For example, an event in which ransomware placed on a system is used to encrypt customer information, rendering it useless, raises the possibility similar software could have been used to exfiltrate customer information. Accordingly, the Final Rule retains the inclusion of “misuse or disruption” within the definition of “security event.”

Third, several commenters suggested the definition of “security event” be limited to events in which there is a risk of consumer harm or some other negative effect.[30] Similarly, some commenters argued the definition should exclude events that involve encrypted information in which the encryption key was not compromised or when there is evidence the information accessed has not been misused.[31] The Commission declines to narrow the provision in this manner. It believes a financial institution should still engage in its incident response procedures to determine whether the event indicates a weakness that could endanger customer information and to respond accordingly. The financial institution can then take the appropriate steps in response. Further, § 314.4(h) of the Final Rule, which sets forth the requirement for an incident response plan, requires the incident response plan be designed to respond only to security events “materially affecting the confidentiality, integrity, or availability of customer information,” limiting the impact of the definition of “security event.” Accordingly, the Final Rule defines security event as an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form. The Proposed Rule placed this definition as paragraph (c), out of alphabetical order. The Final Rule adopts it as paragraph (p), placing it in alphabetical order with the other definitions in § 314.2.

[27] Money Services Round Table (comment 53, NPRM), at 5 n.14.
[28] National Independent Automobile Dealers Association (comment 48, NPRM), at 4; National Automobile Dealers Association (comment 46, NPRM), at 12–13; Consumer Data Industry Association (comment 36, NPRM), at 3–4.
[29] National Independent Automobile Dealers Association (comment 48, NPRM), at 4; National Automobile Dealers Association (comment 46, NPRM), at 12–13.
[30] HITRUST (comment 18, NPRM), at 3; American Council on Education (comment 24, NPRM), at 7; Mortgage Bankers Association (comment 26, NPRM), at 4–5; Consumer Data Industry Association (comment 36, NPRM), at 3–4; National Automobile Dealers Association (comment 46, NPRM), at 12–13; National Independent Automobile Dealers Association (comment 48, NPRM), at 4.
[31] Mortgage Bankers Association (comment 48, NPRM), at 4–5; National Automobile Dealers Association (comment 46, NPRM), at 12–13; National Independent Automobile Dealers Association (comment 48, NPRM) at 4; American Council on Education (comment 24, NPRM), at 7.

Encryption

Proposed paragraph (e) defined encryption as the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key. This term was used in proposed § 314.4(c)(4), which generally required financial institutions to encrypt customer information.
This definition was intended to define the process of encryption while not requiring any particular technology or technique for achieving the protection provided by encryption. NADA argued this definition should be made more flexible by adding an alternative so it would read “the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key or securing information by another method that renders the data elements unreadable or unusable” (emphasis added).[32] On the other hand, others argued the Proposed Rule’s definition did not sufficiently protect customer information.[33] For example, the Princeton University Center for Information Technology Policy (“Princeton Center”) suggested the Rule should be changed “to clarify that encryption must be consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.”[34] Similarly, ACE argued the definition should include “the transformation of data in accordance with industry standards.”[35]

The Commission agrees the proposed definition should be tethered to some technical standard, without being too prescriptive about what that standard is. Under the proposed definition, as well as NADA’s proposed definition, financial institutions could have claimed they were “encrypting” data if they were aggregating it, scrambling it, or redacting it in a way that made it possible to re-identify the data through, for example, the application of common algorithms or programs. The Commission does not believe this would have provided consumers with sufficient protection. The Commission also agrees with the commenters who stated the definition should signal that encryption should be cryptographically based. Accordingly, the Final Rule defines encryption as the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material. This definition does not require any specific process or technology to perform the encryption but does require that whatever process is used be sufficiently robust to prevent the deciphering of the information in most circumstances.

[32] National Automobile Dealers Association (comment 46, NPRM), at 13.
[33] American Council on Education (comment 24, NPRM), at 7; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 4.
[34] Princeton University Center for Information Technology Policy (comment 54, NPRM), at 4.
[35] American Council on Education (comment 24, NPRM), at 7.

Financial Institution

Incidental Activity

The Proposed Rule made one substantive change to the definition of “financial institution” it incorporated from the Privacy Rule. The change was designed to include entities “significantly engaged in activities that are incidental to [] financial activity” as defined by the Bank Holding Company Act. This proposed change brought only one activity into the definition that was not covered before: the act of “finding” as defined in 12 CFR 225.86(d)(1). The proposed revision to paragraph (f) added an example of a financial institution acting as a finder by “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” This example used the language set forth in 12 CFR 225.86(d)(1), which defines “finding” as an activity incidental to a financial activity under the Bank Holding Company Act. The Commission adopts this proposal without modification.
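The encryption definition discussed above turns on two properties: the transformation must be cryptographically based rather than a scramble or redaction that “common algorithms or programs” can undo, and the key material must be safeguarded separately from the data. The Go program below is an added illustration of that distinction; it is not part of the Federal Register text and is not FTC guidance. It contrasts a hypothetical “scramble” (a fixed XOR pad plus base64, reversible by anyone who reads the output) with AES-256-GCM under a randomly generated key. The function names (Scramble, Unscramble, NewKey, Encrypt, Decrypt) and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SampleRecord is a constructed stand-in for a customer record (not real data).
const SampleRecord = "acct=1234567890;ssn=000-00-0000;name=Jane Q. Customer"

// scramblePad is the fixed constant a hypothetical "obfuscation" scheme uses.
// It is the same for every record and lives in the program, so it is not a key.
const scramblePad byte = 0x5A

// Scramble XORs each byte with the fixed pad and base64-encodes the result.
// This changes how the data looks, not whether it is secret: it is the kind
// of transformation the Final Rule's definition of encryption excludes.
func Scramble(plaintext string) string {
	b := []byte(plaintext)
	for i := range b {
		b[i] ^= scramblePad
	}
	return base64.StdEncoding.EncodeToString(b)
}

// Unscramble recovers the plaintext with no secret at all.
func Unscramble(scrambled string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(scrambled)
	if err != nil {
		return "", err
	}
	for i := range b {
		b[i] ^= scramblePad
	}
	return string(b), nil
}

// NewKey draws a 256-bit AES key from the OS CSPRNG. Safeguarding key material
// means this value is held in a KMS, HSM or secrets store and is never written
// beside the ciphertext it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt applies AES-256-GCM, a current standard AEAD mode, with a fresh
// random nonce per message. Output layout: nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The GCM authentication tag makes it fail on a
// wrong key or on any modification of the stored bytes.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	back, _ := Unscramble(Scramble(SampleRecord))
	fmt.Println("scramble reversed without any key:", back == SampleRecord)

	key, _ := NewKey()
	ct, _ := Encrypt(key, []byte(SampleRecord))
	pt, _ := Decrypt(key, ct)
	fmt.Println("AES-GCM round trip with the right key:", string(pt) == SampleRecord)

	otherKey, _ := NewKey()
	_, err := Decrypt(otherKey, ct)
	fmt.Println("decrypt with a different key rejected:", err != nil)
}
```

The point of the contrast is the one the Commission draws: Unscramble needs nothing the adversary lacks, whereas Decrypt fails without the key and also fails if the stored bytes are altered. Whether the second half actually meets the “appropriate safeguards for cryptographic key material” clause depends on where NewKey’s output is kept and who can read it, which no amount of algorithm choice can substitute for.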
The change to the definition of "financial institution" brings it into harmony with other agencies' GLB rules.36 The change is supported by the language of the Gramm-Leach-Bliley Act.37 The Act defines a "financial institution" as any institution "the business of which is engaging in financial activities as described in section 1843(k) of title 12."38 That section, in turn, describes activities that are financial in nature as those the Board has determined "to be financial in nature or incidental to such financial activity."39 The Final Rule's definition mirrors this language. The change will not lead to a significant expansion of the Rule's coverage, as it expands the definition only to include entities engaged in activity incidental to financial activity, as determined by the Federal Reserve Board. The Board has determined only one activity to be incidental to financial activity: "acting as a finder."40

Several commenters who addressed this issue supported the inclusion of activities incidental to financial activities.41 Other commenters expressed concern the proposed change in the definition would expand the Rule's coverage to businesses that should not be considered financial institutions.42 They argued the definition of the term "finder" is too broad and companies that connect buyers and sellers in non-financial contexts would be swept inappropriately into the definition of "financial institution." The Association of National Advertisers argued advertising agencies could be considered "finders" because they play a role in connecting buyers and sellers.43 In response, the Commission notes the Federal Reserve Board describes acting as a finder as "bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate."44 The Board sets forth several activities within the scope of acting as a finder, such as "[i]dentifying potential parties, making inquiries as to interest, introducing and referring potential parties to each other, [] arranging contacts between and meetings of interested parties" and "[c]onveying between interested parties expressions of interest, bids, offers, orders and confirmations relating to a transaction."45 Although this language is somewhat broad, its scope is significantly limited in the context of the Safeguards Rule. First, the Safeguards Rule applies only to transactions "for personal, family, or household purposes."46 Therefore, only finding services involving consumer transactions will be covered. Second, the Safeguards Rule applies only to the information of customers, which are consumers with which a financial institution has a continuing relationship.47 Therefore, it will not apply to finders that have only isolated interactions with consumers and do not receive information from other financial institutions about those institutions' customers.

36 See 12 CFR 1016.3(l) (defining "financial institution" for entities regulated by agencies other than the FTC). See also 17 CFR 248.3(n) (defining "financial institution" to include "any institution the business of which is . . . incidental to . . . financial activities" for the Securities and Exchange Commission's rule implementing GLBA's safeguard provisions).
37 15 U.S.C. 6801 et seq.
38 15 U.S.C. 6809(3).
39 12 U.S.C. 1843(k).
40 12 CFR 225.86.
41 Electronic Privacy Information Center (comment 55, NPRM), at 9; Independent Community Bankers of America (comment 35, NPRM), at 3; National Automobile Dealers Association (comment 46, NPRM), at 13–16.
42 Association of National Advertisers (comment, Workshop), at 4–5; Internet Association (comment, Workshop), at 4–5; see also Anonymous (comment 15, NPRM) (questioning whether any governing body would oversee any future determinations by the Federal Reserve Board that activities are incidental to financial activity).
This significantly narrows the types of finders that will have obligations under the Rule, excluding, the Commission believes, most advertising agencies and similar businesses that generally do not have continuing relationships with consumers who are using their services for personal or household purposes. The Commission believes entities that perform finding services for consumers with whom they have an ongoing relationship are properly considered "financial institutions" for purposes of the Rule. Accordingly, the Commission adopts the changes to the definition of "financial institution" as proposed.

43 Association of National Advertisers (comment 5, Workshop), at 5.
44 12 CFR 225.86(d).
45 12 CFR 225.86(d)(1)(i).
46 See Final Rule 16 CFR 314.2(b)(1).
47 16 CFR 314.1; Final Rule 16 CFR 314.2(c).

Other Changes to Definition of "Financial Institution"

Other commenters suggested modifying the definition of "financial institution"48 in different ways. The Electronic Privacy Information Center (EPIC) argued the definition should be expanded by treating more activities as financial activities.49 EPIC pointed out information shared with social media companies, retailers, apps, and devices generally is not covered under the Safeguards Rule. The Commission understands the concern that many businesses fall outside the coverage of the Safeguards Rule despite handling sensitive consumer information, but the Commission's authority to regulate activity under the Safeguards and Privacy Rules is established by the GLBA. The Rule's application is limited to financial institutions as defined by that statute and cannot be extended beyond that definition.50 The institutions discussed by EPIC, however, are still covered by the FTC Act's prohibition against deceptive or unfair conduct, including with respect to their use and protection of consumer information.51

The National Federation of Independent Business (NFIB) argued individuals and sole proprietors should be excluded from the definition of "financial institution" because an individual cannot be an "institution."52 When the Privacy Rule was promulgated in 2000, commenters also suggested the definition should exclude sole proprietors.53 The Commission noted there was no basis to exclude sole proprietors and "[w]hether or not a commercial enterprise is operated by a single individual is not determinative" of whether the enterprise is a financial institution. The Commission has not changed its position on this matter and declines to make this change to the definition of "financial institution." The Final Rule adopts this definition as proposed without change.

48 National Pawnbrokers Association (comment 32, NPRM), at 5–6 (arguing that transaction-reporting vendors be included in the definition); National Consumer Law Center and others (comment 58, NPRM), at 5 (arguing that consumer reporting agencies be included explicitly in the definition); see also American Escrow Association (comment, Workshop), at 2–3 (requesting that the Rule specifically set out the duties of real estate settlement operations and other businesses that handle but do not maintain sensitive information); Beverly Enterprises, LLC (comment 3, NPRM), at 3–4 (requesting that the Rule specifically set out duties related to online notarizations); Yangxue Li (comment 5, NPRM) (asking whether the Rule would set forth specific guidelines for different industries); Slobadon Raybolka (comment 17, NPRM) (suggesting that companies that perform online background checks be covered by the Rule); The Clearing House (comment 49, NPRM) (suggesting a separate set of more stringent rules for fintech companies).
49 Electronic Privacy Information Center (comment 55, NPRM), at 9.
50 See 15 U.S.C. 6801 (requiring agencies to promulgate a Rule establishing standards for financial institutions); 15 U.S.C. 6809(3) (defining "financial institutions" as an "institution the business of which is engaging in financial activities as described" in the Bank Holding Company Act).
51 In the Matter of Facebook, Inc., Docket No. C–4365 (Apr. 28, 2020); FTC v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015); FTC v. D-Link Systems, Inc., Case No. 3:17–cv–00039–JD (N.D. Cal. July 2, 2019); In the Matter of Twitter, Inc., Docket No. C–4316 (Mar. 11, 2011).
52 National Federation of Independent Business (comment 16, NPRM), at 2–3.
53 Privacy Rule, Final Rule, 65 FR 33645 (May 24, 2000) at 33656.

Information Security Program

Paragraph (i) of the Final Rule adopts the existing Rule's paragraph (c) and does not alter the definition of "information security program." The Commission received no comments on this definition and accordingly adopts the current definition in the Final Rule.

Information System

Proposed paragraph (h) defined information system as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. The term "information system" was used throughout the proposed amendments to designate the systems that must be covered by the information security program.
The MSRT suggested this definition was too narrow in some respects and too broad in others.54 It argued the definition of "information system" was too narrow because it did not include physical systems or employees and would exclude them from some of the provisions of the Rule. Specifically, the MSRT argued that, based on this definition, the penetration tests required by § 314.4(d)(2) would not be required to test "potential human vulnerabilities" such as social engineering or phishing.55 The Commission does not agree. Penetration testing, as defined by the Final Rule, is a process through which testers "attempt to circumvent or defeat the security features of an information system."56 One way such security features are tested is through social engineering and phishing.57 The fact that the testing involves employees with access to the information system, rather than just the system itself, does not exclude such tests from the definition of "penetration testing." Attempted social engineering and phishing are important parts of testing the security of information systems and would not be excluded by this definition.

The MSRT also argued the definition was too broad, and was joined by other commenters in this concern.58 These commenters shared a concern the proposed definition would include systems that are in no way connected to customer information and would require financial institutions to include all systems in their possession, regardless of their involvement with customer information.

54 Money Services Round Table (comment 53, NPRM), at 5–6.
55 Id. at 5.
56 Final Rule § 314.2(m).
57 Indeed, Workshop participant Scott Wallace noted that, in conducting penetration testing, "the first thing [he does]" is generally to "prepare for the phishing campaign." Remarks of Scott Wallace, Safeguards Workshop Tr., supra note 17, at 131–32.
The Commission agrees the definition should be limited to those systems that either contain customer information or are connected to systems that contain customer information, and adds that limitation to the Final Rule. The Rule does not limit the definition to only those systems that contain customer information, because a common source of data breaches is a vulnerability in a connected system that an attacker exploits to gain access to the company's network and then move within the network to reach the system containing sensitive information.59 Accordingly, the definition of information system in the Final Rule is modified to: a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information, or any such system connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems, that contains customer information or that is connected to a system that contains customer information.

58 Money Services Round Table (comment 53, NPRM), at 5; Consumer Data Industry Association (comment 36, NPRM), at 4; American Council on Education (comment 24, NPRM), at 7–8.
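As an added illustration, not part of the Commission's text or the Rule, the following Python applies that definition to a constructed asset inventory: systems that contain customer information are in scope, systems connected to one of them are in scope, and everything else is outside the definition. It also traces the multi-hop path the Commission's reasoning refers to, which shows why a practitioner may want the risk assessment to look further than the one hop the definition itself reaches. The system names and links are made up.

```python
"""Scope an asset inventory under the Final Rule's "information system"
definition. Added example, not text from the Commission or the Rule; the
inventory and links below are constructed for illustration."""
from collections import deque

# Constructed inventory: system name -> does it contain customer information?
HOLDS_CUSTOMER_INFO = {
    "loan-db": True,
    "crm-app": True,
    "web-frontend": False,
    "hvac-controller": False,  # environmental control system
    "pbx": False,              # telephone switching / private branch exchange
    "marketing-site": False,
    "guest-wifi": False,
}

# Constructed connectivity (undirected links, e.g. derived from firewall rules).
LINKS = [
    ("web-frontend", "crm-app"),
    ("crm-app", "loan-db"),
    ("hvac-controller", "crm-app"),
    ("pbx", "web-frontend"),
    ("marketing-site", "guest-wifi"),
]


def adjacency(links):
    """Build an undirected adjacency map from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def in_scope(holds, links):
    """Return (direct, connected).

    direct:    systems that contain customer information.
    connected: systems that do not, but are connected to one that does.
    Both sets fall within the Rule's definition of "information system".
    """
    adj = adjacency(links)
    direct = {name for name, has_ci in holds.items() if has_ci}
    connected = set()
    for name in direct:
        connected |= adj.get(name, set())
    return direct, connected - direct


def out_of_scope(holds, links):
    """Systems the definition does not reach (neither direct nor connected)."""
    direct, connected = in_scope(holds, links)
    return set(holds) - direct - connected


def shortest_path(start, target, links):
    """Breadth-first search for a path from start to target, or None.

    The definition reaches one hop from a system holding customer
    information; this shows the longer lateral-movement path an attacker
    could still take from a system the definition does not reach.
    """
    adj = adjacency(links)
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(adj.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    direct, connected = in_scope(HOLDS_CUSTOMER_INFO, LINKS)
    print("contain customer information:", sorted(direct))
    print("connected to such a system:  ", sorted(connected))
    print("outside the definition:      ", sorted(out_of_scope(HOLDS_CUSTOMER_INFO, LINKS)))
    print("path from pbx to loan-db:    ", shortest_path("pbx", "loan-db", LINKS))
```

In the constructed inventory the PBX is outside the definition because it touches only the web front end, yet a path pbx → web-frontend → crm-app → loan-db exists; that is exactly the connected-system exposure the Commission cites, and a reason to treat the one-hop definition as a floor rather than the limit of the risk assessment.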
59 See Remarks of Serge Jorgensen, Safeguards Workshop Tr., supra note 17, at 58–59 (noting cybersecurity attacks can take advantage of systems that are connected to the systems in which sensitive information is stored); Remarks of Tom Dugas, Safeguards Workshop Tr., supra note 17, at 138 (noting a vulnerability in one system can result in the exposure of information maintained in another system); see also Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 106–07 (noting the heightened importance of encryption in a context where numerous systems are connected); Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 107–08 (same).

Multi-Factor Authentication

Proposed paragraph (i) defined multi-factor authentication as authentication through verification of at least two of the following types of authentication factors: knowledge factors, such as a password; possession factors, such as a token; or inherence factors, such as biometric characteristics. This term was used in proposed § 314.4(c)(6),60 which required financial institutions to implement multi-factor authentication for individuals accessing networks that contain customer information. Several commenters argued the definition should explicitly include SMS text messages as an acceptable example of a possession factor, or that SMS should otherwise be explicitly allowed.61 The Proposed Rule did not include SMS text messages as an example of a possession factor.62 Most commenters who addressed this issue interpreted this omission from the examples as forbidding financial institutions from using SMS text messages as a possession factor for multi-factor authentication. That is not the effect of the omission, however. The language of the definition neither prohibits nor recommends use of SMS text messages. Indeed, SMS text messages are not addressed at all.
In some cases, use of SMS text messages as a factor may be the best solution because of its low cost and ease of use, if its risks do not outweigh those benefits under the circumstances.63 In other instances, however, the use of SMS text messages may not be a reasonable solution, such as when extremely sensitive information can be obtained through the access method being controlled, or when a more secure method can be used for a comparable price. A financial institution will need to evaluate the balance of risks for its situation. If, however, the Commission were to explicitly allow use of SMS text messages, this could be considered a safe harbor that would not require the company to consider the risks associated with use of SMS text as a factor in a particular use case. Accordingly, the Final Rule does not include SMS text messages in the examples of possession factors. The Final Rule adopts the proposed definition of "multi-factor authentication" without change as paragraph (k) of this section.

60 Section 314.4(c)(5) in the Final Rule.
61 Electronic Transactions Association (comment 27, NPRM), at 4; U.S. Chamber of Commerce (comment 33, NPRM), at 9; CTIA (comment 34, NPRM), at 7–9; Global Privacy Alliance (comment 38, NPRM), at 9; National Automobile Dealers Association (comment 46, NPRM), at 29; National Independent Automobile Dealers Association (comment 48, NPRM), at 6.
62 See, e.g., NIST Special Publication 800-63B, Digital Identity Guidelines, 5.1.3.3 (restricting use of verification using the Public Switched Telephone Network (SMS or voice) as an "out-of-band" factor for multi-factor authentication).
63 See, e.g., Remarks of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 231–32.
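As an added example, not text from the Commission or the Rule, the following Python applies the definition above to a set of verified authenticators and reports whether they amount to multi-factor authentication. The method names, their mapping to the three factor types, and the treatment of SMS as a method that needs a documented risk evaluation (and is refused for high-sensitivity access) are assumptions made for illustration; the Rule names no methods and, as stated above, neither prohibits nor recommends SMS.

```python
"""Apply the Final Rule's multi-factor authentication definition to a set of
verified authenticators. Added example, not text from the Commission or the
Rule. The method names, their factor-type mapping, and the treatment of SMS
as a method needing a documented risk evaluation are assumptions."""

# Assumed mapping of authenticator methods to the three factor types.
FACTOR_TYPE = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "totp_app": "possession",
    "hardware_token": "possession",
    "push_app": "possession",
    "sms_otp": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}

# Assumed institution policy: methods that may be used only with a documented
# risk evaluation, and never for high-sensitivity access. The Rule itself
# neither permits nor forbids SMS; NIST SP 800-63B treats PSTN out-of-band
# verification as a restricted authenticator.
RESTRICTED = {"sms_otp"}


def factor_types(methods):
    """Distinct factor types covered by the verified methods."""
    unknown = sorted(m for m in methods if m not in FACTOR_TYPE)
    if unknown:
        raise ValueError(f"unclassified authenticators: {unknown}")
    return {FACTOR_TYPE[m] for m in methods}


def is_mfa(methods):
    """True only when at least two *different* factor types were verified.

    Two knowledge factors (password plus security question) count as one.
    """
    return len(factor_types(methods)) >= 2


def evaluate(methods, high_sensitivity=False):
    """Return {"mfa": bool, "types": [..], "warnings": [..]} for an attempt."""
    types = factor_types(methods)
    warnings = []
    if len(types) < 2:
        warnings.append("only one factor type verified; not multi-factor "
                        "authentication under the definition")
    for m in sorted(set(methods) & RESTRICTED):
        if high_sensitivity:
            warnings.append(f"{m}: restricted method not reasonable for "
                            "high-sensitivity access; use a stronger factor")
        else:
            warnings.append(f"{m}: restricted method; document the risk "
                            "evaluation that supports using it here")
    return {"mfa": len(types) >= 2, "types": sorted(types), "warnings": warnings}


if __name__ == "__main__":
    for attempt in (["password", "security_question"],
                    ["password", "totp_app"],
                    ["password", "sms_otp"]):
        print(attempt, "->", evaluate(attempt))
```

The check that matters most in practice is the one on distinct factor types: a password plus a security question is two authenticators of the same (knowledge) type and does not meet the definition, while a password plus an SMS code does, subject to the institution's own evaluation of the risks of SMS for that use case.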
Penetration Testing

Proposed paragraph (j) defined penetration testing as a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. This term was used in proposed § 314.4(d)(2), which required financial institutions to continually monitor the effectiveness of their safeguards or to engage in annual penetration testing. The Commission received no comments concerning this definition. The Final Rule adopts the definition from the Proposed Rule as paragraph (m) of this section.

Personally Identifiable Financial Information

To minimize cross-referencing to the Privacy Rule, as noted above, the Commission is adding several definitions to the Final Rule. One of these definitions is "personally identifiable financial information," which is identical to the definition currently contained in the Privacy Rule. This term is included within the ambit of "customer information" in both the existing Rule and the Final Rule. The Princeton Center suggested expanding the definition of "personally identifiable financial information" from the Privacy Rule to include "aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses."64 The Princeton Center further suggested clarifying that, for information not to be considered "personally identifiable financial information," the financial institution must be required to demonstrate the information is not "reasonably linkable" to individuals. The Commission does not believe this amendment is necessary.
The definition of "personally identifiable financial information" is already a broad one.65 It includes not just information associated with types of personal information such as a name, address, or account number, but also information linked to a persistent identifier ("any information you collect through an Internet 'cookie' (an information collecting device from a web server)").66 While there may be some merit to limiting the exception for aggregate information or blind data to data that is not reasonably linkable to an individual, for purposes of a rule that can be periodically updated to keep up with changing technology, the current approach is more concrete and enforceable, and less subject to differences in interpretation.

64 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 9–10.
65 See 16 CFR 313.3(o)(1).

Service Provider

Proposed paragraph (k) adopted the existing Rule's definition and does not alter the definition of "service provider." The Commission received no comments on this definition and adopts it as paragraph (q) of the Final Rule.

Sec. 314.3: Standards for Safeguarding Customer Information

Proposed § 314.3, which required financial institutions to develop an information security program (paragraph (a)) and set forth the objectives of the Rule (paragraph (b)), was largely identical to the existing Rule. It changed only the requirement that "safeguards" be based on the elements set forth in § 314.4, by replacing "safeguards" with "information security program." The Commission received no comments on this proposal and adopts it without change in the Final Rule.

Sec. 314.4: Elements

Proposed § 314.4 altered the current Rule's required elements of an information security program and added several new elements.

General Comments

The Commission received many comments addressing the new elements, both in favor of the changes and opposed to them.
The comments in favor of the changes generally argued these changes would protect consumers by improving the data security of institutions that hold their information.67 Most of the comments opposed to the proposed elements fell into several categories, objecting that: (1) the proposed changes were too prescriptive and did not allow financial institutions sufficient flexibility in managing their information security; (2) the proposed amendments would be too expensive for financial institutions, particularly smaller institutions, to adopt; and (3) some of the requirements should not apply to all customer information but should be limited to some subset of especially "sensitive" customer information. The Commission does not agree with these comments for the reasons discussed below, and accordingly retains the general approach of the Proposed Rule in the Final Rule.

66 16 CFR 313.3(o)(2)(i)(F).
67 See, e.g., New York Department of Financial Services (comment 40, NPRM), at 1 (arguing the Proposed Rule would "further advance efforts to protect financial institutions and consumers from cybercriminals."); Princeton University Center for Information Technology Policy (comment 54, NPRM), at 1 (stating the Proposed Rule "would significantly reduce data security risks for the customers of financial institutions."); National Consumer Law Center and others (comment 58, NPRM), at 2 (stating requirements of the Proposed Rule are "reasonable and common-sense measures that any company dealing with large amounts of consumer personal information should take.").
Flexibility

Many industry groups argued the new proposed elements were too prescriptive, lacked flexibility, would quickly become outdated, and would force financial institutions to engage in activities that would not enhance security.68 For example, the Electronic Transactions Association argued the Proposed Rule would "limit the ability of industry to develop new and innovative approaches to information security."69 Similarly, CTIA commented the Proposed Rule would create a "prescriptive core of requirements that covered businesses must follow, irrespective of whether risk assessments show they are necessary."70 The Commission, however, believes the elements provide sufficient flexibility for financial institutions to adopt information security programs suited to the size, nature, and complexity of their organization and information systems. The elements for the information security programs set forth in this section are high-level principles that identify the basic issues the programs must address, and do not prescribe how they will be addressed. For example, the requirement that the information security program be based on a risk assessment sets forth only three general items the assessment must address: (1) criteria for evaluating risks faced by the financial institution; (2) criteria for assessing the security of its information systems; and (3) how the identified risks will be addressed. Other than meeting these basic requirements, financial institutions are free to perform their risk assessments in whatever way they choose, using whatever method or approach works best for them, as long as the method identifies reasonably foreseeable risks. The other elements are similarly flexible. The two elements that are more prescriptive, encryption and multi-factor authentication, allow financial institutions to adopt alternative solutions when necessary. Comments concerning individual elements are addressed separately in the more detailed analysis below.

68 See, e.g., HITRUST (comment 18, NPRM), at 1–2; American Council on Education (comment 24, NPRM), at 2–4; Cristian Munarriz (comment 21, NPRM); Electronic Transactions Association (comment 27, NPRM), at 1–2; National Pawnbrokers Association (comment 32, NPRM), at 3; CTIA (comment 34, NPRM), at 5; Consumer Data Industry Association (comment 36, NPRM), at 2; Wisconsin Bankers Association (comment 37, NPRM), at 1–2; Global Privacy Alliance (comment 38, NPRM), at 5–6; Bank Policy Institute (comment 39, NPRM), at 2; American Financial Services Association (comment 41, NPRM), at 4; National Association of Dealer Counsel (comment 44, NPRM), at 1; ACA International (comment 45, NPRM), at 4; National Automobile Dealers Association (comment 46, NPRM), at 11; National Independent Automobile Dealers Association (comment 48, NPRM), at 2–3; Money Services Round Table (comment 53, NPRM), at 1–4; Software & Information Industry Association (comment 56, NPRM), at 1–3; Gusto and others (comment 11, Workshop), at 2; Association of National Advertisers (comment 5, Workshop), at 1–3; Internet Association (comment 9, Workshop), at 2–3.
69 Electronic Transactions Association (comment 27, NPRM), at 1–2.
70 CTIA (comment 34, NPRM), at 5.
Cost

Another common theme among the comments from industry groups was that the proposed information security program elements would be prohibitively expensive, especially for smaller businesses.71 Commenters argued the Proposed Rule would have required financial institutions to implement expensive changes to their systems and hire highly compensated professionals to do so.72 Industry groups were particularly concerned about the requirement that financial institutions designate a single qualified individual to coordinate their information security programs, arguing this would require hiring professionals that were both expensive, with salaries of more than $100,000 suggested by some, and in limited supply.73 Overall, several commenters argued some financial institutions would be unable to afford to bring themselves into compliance with the Proposed Rule.74 The Commission recognizes properly securing information systems can be an expensive and technically difficult task. However, the Commission believes the additional costs imposed by the Proposed Rule are mitigated for several reasons and, ultimately, those costs are justified in order to protect customer information as required by the GLBA.75

71 American Council on Education (comment 24, NPRM), at 13–14; Wisconsin Bankers Association (comment 37, NPRM), at 1–2; American Financial Services Association (comment 41, NPRM), at 4; National Association of Dealer Counsel (comment 44, NPRM), at 1; National Automobile Dealers Association (comment 46, NPRM), at 11; National Independent Automobile Dealers Association (comment 48, NPRM), at 3; Gusto and others (comment 11, Workshop), at 2–4; National Pawnbrokers Association (comment 3, NPRM), at 2; see also Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 72–74 (describing study that found compliance would be expensive for automobile dealers).
72 See, e.g., Slides Accompanying Remarks of James Crifasi, FTC, "NADA Cost Study: Average Cost Per U.S. Franchised Dealership," Event Materials, Information Security and Financial Institutions: An FTC Workshop to Examine Safeguards Rule (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (hereinafter Safeguards Workshop Slides), at 25 (estimating an upfront cost of $293,975 per dealership, and a recurring annual cost of $276,925); see also Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 72–75; Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (estimating the average annual salary of a CISO can range from $180,000 to upwards of $400,000); Slides Accompanying Remarks of Lee Waters, "Estimated Costs of Proposed Changes," Safeguards Workshop Slides, at 26 (estimating the annual costs of a security program to include: multi-factor authentication, $50 for smart card readers, and $10 each for smart cards; a CISO, either an in-house CISO, $180,000, an in-house cybersecurity analyst, $76,000, or an outsourced cybersecurity contractor, between $120,000 and $240,000; penetration testing, average cost $4,800; and physical security, $215,000 for construction, and $10,000 to $20,000 for new or upgraded locks); see also Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 75–76.
73 See, e.g., Slides Accompanying Remarks of Lee Waters, "Estimated Costs of Proposed Changes," Safeguards Workshop Slides, supra note 72, at 26 (estimating costs of an in-house CISO to be $180,000 annually, and an in-house cybersecurity analyst to be $76,000 annually; and estimating an outsourced cybersecurity contractor would cost between $120,000 and $240,000 annually); see also Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 75–76; Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (estimating that the average annual salary of a CISO can range from $180,000 to upwards of $400,000).
74 See Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 119–20 (noting when small businesses have to spend money to hire third-party vendors and security experts to comply with regulations, that affects consumer prices and small business profit margins); Slides Accompanying Remarks of James Crifasi, "NADA Cost Study: Average Cost Per U.S. Franchised Dealership," Safeguards Workshop Slides, supra note 72, at 25; see also Remarks of James Crifasi, supra note 17, at 73 (noting the requirements "start becoming a little bit unaffordable here.").
First, for almost 20 years, financial institutions have been required under the current Safeguards Rule to have information security programs in place. The current Safeguards Rule requires financial institutions to "develop, implement, and maintain a comprehensive [written] information security program . . . appropriate to [the financial institutions'] size and complexity, the nature and scope of [their] activities, and the sensitivity of any customer information at issue."76 This comprehensive program must be coordinated by one or more individuals and based on a risk assessment.77 As such, financial institutions complying with the current Rule will not be required to establish an information security program from scratch. Instead, they can compare their existing programs to the revised Rule and address any gaps. The Commission believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the programs of many financial institutions will already include them if those programs comply with the current Safeguards Rule.

Second, a number of commenters who raised concerns about the costs imposed by the Rule believed the Proposed Rule would have required the hiring of a highly compensated expert to serve as a Chief Information Security Officer (CISO).78 It is correct the Proposed Rule would have modified the current requirement of designating an "employee or employees to coordinate your information security program" by requiring the designation of a single qualified individual responsible for overseeing and implementing the security program. This individual was referred to in the Proposed Rule as a Chief Information Security Officer or "CISO." As discussed in detail below, the Final Rule does not use this term, though the concept is the same: the person designated to coordinate the information security program need only be "qualified." No particular level of education, experience, or certification is prescribed by the Rule. Accordingly, financial institutions may designate any qualified individual who is appropriate for their business.

75 The Small Business Administration's Office of Advocacy commented it was concerned the FTC had not gathered sufficient data as to either the costs or benefits of the proposed changes for small financial institutions. Office of Advocacy, U.S. Small Business Administration (comment 28, NPRM), at 3–4. The FTC shares the Office of Advocacy's interest in ensuring that regulatory changes have an evidentiary basis. Many of the questions on which the FTC sought public comment, both in the regulatory review and in the proposed Rule context, specifically related to the costs and benefits of existing and proposed Rule requirements. Following the initial round of commenting, the Commission conducted the FTC Safeguards Workshop and solicited additional public comments with the explicit goal of gathering additional data relating to the costs and benefits of the proposed changes. See Public Workshop Examining Information Security for Financial Institutions and Information Related to Changes to the Safeguards Rule, 85 FR 13082 (Mar. 6, 2020). As detailed throughout this document, the Commission believes there is a strong evidentiary basis for the issuance of the Final Rule.
76 16 CFR 314.3.
77 16 CFR 314.4.
78 Several speakers at the Safeguards Workshop also raised this concern. See, e.g., Slides Accompanying Remarks of James Crifasi, "NADA Cost Study: Average Cost Per U.S. Franchised Dealership," in Safeguards Workshop Slides, supra note 72, at 25 (estimating appointing a CISO to increase program accountability would be a one-time, up-front cost of $27,500, with a recurring annual cost of $51,000); Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 72–75; Slides Accompanying Remarks of Lee Waters, "Estimated Costs of Proposed Changes," in Safeguards Workshop Slides, supra note 72, at 26 (estimating costs of an in-house CISO to be $180,000 annually, and an in-house cybersecurity analyst to be $76,000 annually; and estimating that an outsourced cybersecurity contractor would cost between $120,000 and $240,000 annually); Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 75–76; Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (estimating that the average annual salary of a CISO can range from $180,000 to upwards of $400,000).
Only if the complexity or size of their information systems require the services of an expert will the financial institution need to hire such an individual.79 Finally, the Commission believes while large financial institutions may well incur substantial costs to implement complex information security programs, there are much more affordable solutions available for financial institutions with smaller and simpler information systems. For example, there are very low-cost or even free vulnerability assessment programs available; ‘‘virtual CISO’’ services enable a third party to provide security support for many companies, splitting the cost of information security professionals among them; many applications and hardware have built-in encryption requirements;80 and there are affordable multi-factor authentication solutions aimed at businesses of various sizes. Considering these points, although there will undoubtedly be expenses involved for some, or even many, financial institutions to update their programs, the Commission believes these expenses are justified because of the vital importance of protecting customer information collected, maintained, and processed by financial institutions. Congress recognized the importance of securing consumers’ sensitive financial information when it passed the GLBA, which required the FTC to promulgate the Safeguards Rule. The importance, as well as the difficulty, of protecting customer information has only increased in the more than twenty years since the passage of the GLBA. The Commission believes the amendments to the Safeguards Rule are necessary to ensure the purposes of the GLBA are satisfied, and so consumers can have confidence financial institutions are providing reasonable safeguards to protect their information.

79 See, e.g., Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 89–90 (noting the size of a financial institution and the amount and nature of the information it holds factor into an appropriate information security program); see also Slides Accompanying Remarks of Rocio Baeza, ‘‘Models for Complying to the Safeguards Rule Changes,’’ in Safeguards Workshop Slides, supra note 72, at 27–28 (describing three different compliance models: In-house, outsource, and hybrid, with costs ranging from $199 per month to more than $15,000 per month); Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 81–83 (describing three compliance models in more detail).
80 See Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (describing virtual CISO services).

‘‘Sensitive’’ Customer Information

Several industry groups also suggested significant portions of the Proposed Rule should not apply to all customer information, but rather only to some subset of particularly ‘‘sensitive’’ customer information, such as account numbers or social security numbers.81 These commenters generally argued the definition of ‘‘customer information’’ is too broad, as it will include information the commenters felt is not particularly sensitive, such as name and address, and does not justify extensive safeguards.82 The Commission does not agree that some portion of customer information is not entitled to the protections required by the Final Rule.
The Safeguards Rule defines ‘‘customer information’’ as ‘‘any record containing nonpublic personal information’’ about a customer handled or maintained by or on behalf of a financial institution.83 The Final Rule defines ‘‘nonpublic personal information’’ as ‘‘personally identifiable financial information,’’ but does not include information that is ‘‘publicly available.’’ Although this definition is broad, the Commission believes information covered by it is rightfully considered sensitive and should be protected accordingly. The businesses regulated by the Safeguards Rule are not just any businesses, but are financial institutions and are responsible for handling and maintaining financial information that is both important to consumers and valuable to attackers who try to obtain the information for financial gain. Even the fact that a consumer is a customer of a particular financial institution is generally nonpublic and can be sensitive. For example, the revelation of a customer relationship between a consumer and a particular type of financial institution, such as debt collectors or payday lenders, may make those customers’ information more vulnerable to compromise by facilitating social engineering or similar attacks. The nature of the relationship between customers and their financial institutions makes all nonpublic information held by the financial institution inherently sensitive and worthy of the level of protection set forth in the Rule.

81 See, e.g., Electronic Transactions Association (comment 27, NPRM), at 2–4; CTIA (comment 34, NPRM), at 10; Global Privacy Alliance (comment 38, NPRM), at 7–8; American Financial Services Association (comment 41, NPRM), at 5; ACA International (comment 45, NPRM), at 13; Money Services Round Table (comment 53, NPRM), at 6–7.
82 See, e.g., Electronic Transactions Association (comment 27, NPRM), at 2; Global Privacy Alliance (comment 38, NPRM), at 7.
83 16 CFR 314.2(b).
Although the Commission believes all customer information should be safeguarded by financial institutions and declines to exclude any portion of that information from protection under any of the provisions of the Rule, it notes the Rule does contemplate financial institutions will consider the sensitivity of particular information in designing their information security programs and safeguards. The elements required by this section are generally flexible enough to allow financial institutions to treat various pieces of information differently. For example, paragraph (c)(1) requires information security programs to include safeguards that address access control of customer information. The paragraph requires financial institutions to develop measures to ensure only authorized users access customer information, but does not prescribe any particular measures that must be adopted. When designing these measures, a financial institution may design a system in which more sensitive information is protected by more stringent access controls. Even in the more specific provisions of the Rule, there is flexibility to address the relative sensitivity of information. For example, in § 313.4(c)(5)’s requirement that customer information be protected by multi-factor authentication, financial institutions have flexibility to implement the multi-factor authentication depending on the sensitivity of the information. The financial institution may select factors such as SMS text messages to access less sensitive information, but determine more sensitive information should be protected by other, more secure, factors for authentication. 
Third-Party Standards and Frameworks

In addition, in the NPRM, the Commission asked whether the Safeguards Rule should incorporate outside standards, such as the National Institute of Standards and Technology (‘‘NIST’’) framework, either as required elements of an information security program or as a safe harbor that would treat compliance with such a standard as compliance with the Safeguards Rule. Some commenters advocated for the adoption of an outside standard into the Safeguards Rule.84 Cisco Systems, Inc. suggested the Safeguards Rule should be connected to NIST guidance, arguing this would allow the Rule to evolve as NIST’s guidance evolves.85 An anonymous commenter suggested the Rule should comply with ‘‘international standard ISO/IEC 27001.’’ 86 The National Consumer Law Center argued certain financial institutions with particularly sensitive customer information should be required to comply with guidelines issued by NIST and the Federal Financial Institutions Examination Council (FFIEC).87 Other commenters acknowledged the value of outside standards but were opposed to the Rule requiring compliance with them.88 Some commenters suggested while compliance with outside standards should not be required, compliance should serve as a ‘‘safe harbor’’ for compliance with the Rule.89 On the other hand, Consumer Reports noted while such standards can be helpful guidance, they should not be a safe harbor for compliance with the Rule because financial institutions must take steps to ensure they are responding to changing information security threats regardless of the requirements of an outside framework.90

The Commission declines to change the Rule to incorporate or reference a particular security standard or framework for a variety of reasons. First, it is not clear the more detailed frameworks would apply well to financial institutions of various sizes and industries. In addition, mandating companies follow a particular security standard or framework would reduce the flexibility built into the Rule. Similarly, the Commission declines to make compliance with an outside standard a safe harbor for the Rule. In such a scenario, the use of safe harbors would not greatly enhance regulatory stability or predictability for financial institutions because the Commission would be required to actively monitor whether those standards continued to provide equivalent protections for Safeguards compliance and modify the Rule if a standard became inadequate.

84 Cisco Systems, Inc. (comment 51, NPRM), at 4; National Consumer Law Center and others (comment 58), at 2; Anonymous (comment 2, Workshop).
85 Cisco Systems, Inc. (Comment 51, NPRM), at 4.
86 Anonymous (comment 2, Workshop). The ISO/IEC 27001 standard is an information security standard issued by the International Organization for Standardization. See ISO/IEC 27001 Information Security Management, ISO, https://www.iso.org/isoiec-27001-information-security.html (last accessed 15 Dec. 2020).
87 National Consumer Law Center and others (comment 58, NPRM), at 2.
88 HITRUST (comment 18, NPRM), at 2; see also Consumer Reports (comment 52, NPRM), at 6–7 (discouraging the adoption of outside standards as a safe harbor for companies).
89 Mortgage Bankers Association (comment 26, NPRM), at 2 (suggesting Rule be modified so financial institutions that use the NIST Cybersecurity Framework would be in de facto compliance with the Rule); see also National Pawnbrokers Association (comment 32, NPRM), at 6–7 (advocating for the adoption of safe harbors for small financial institutions without detailing what should be required to qualify for the safe harbor).
90 Consumer Reports (comment 52, NPRM), at 6–7.
In addition, in investigating possible violations of the Rule, the Commission would be required to independently verify whether the financial institution had in fact complied with the outside framework, which would require substantial effort and expense on the part of the Commission and the target of the investigation.

Specific Elements

In addition to these generally applicable comments, commenters addressed many of the individual elements set forth by this section. These elements are discussed in more detail below.

Paragraph (a)—Designation of a Single Qualified Individual

Proposed paragraph (a) changed the current requirement that institutions designate an ‘‘employee or employees to coordinate your information security program’’ to instead require the financial institution to designate ‘‘a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.’’ 91 This individual was referenced in the Proposed Rule as a Chief Information Security Officer or ‘‘CISO.’’ The notice of proposed rulemaking for the Proposed Rule emphasized the use of the term ‘‘CISO’’ was for clarity in the Proposed Rule.92 Despite the use of the term ‘‘CISO,’’ the Proposed Rule did not require financial institutions to actually grant that title to the designated individual. Commenters that responded to this proposal, however, generally assumed the person designated to coordinate and oversee a financial institution’s information security program would be required to have the qualifications, duties, responsibilities, and accompanying pay of a CISO as that position is generally understood in the information security field.93 The position of CISO is generally limited to large companies with fairly complex information security systems, so the salary of this position is often very high.94 Accordingly, many commenters argued hiring a CISO would be prohibitively expensive for many financial institutions.95 Additionally, commenters argued the hiring of such an in-demand professional would be difficult because of a general shortage of such professionals available for hiring.96

By using the term ‘‘CISO,’’ the Commission did not intend to require all financial institutions hire a highly qualified professional with an extremely high salary, regardless of the financial institutions’ size or complexity. The Proposed Rule required only that financial institutions designate a ‘‘qualified individual’’ to oversee and enforce their information security program, without specifying any particular level of experience, education, or compensation, or requiring any particular duties outside of overseeing the financial institution’s information security program and other requirements specifically set forth in the Rule.97 The use of the term ‘‘CISO’’ in the Proposed Rule, however, caused confusion about the requirements of this section. Accordingly, the Final Rule replaces the term ‘‘CISO’’ with ‘‘Qualified Individual’’ to refer to the individual designated under this section of the Rule. The use of the term ‘‘Qualified Individual’’ is meant to clarify the only requirement for this designated individual is that he or she be qualified to oversee and enforce the financial institution’s information security program. What qualifications are necessary will depend upon the size and complexity of a financial institution’s information system and the volume and sensitivity of the customer information the financial institution possesses or processes. The Qualified Individual of a financial institution with a very small and simple information system will need less training and expertise than a Qualified Individual for a financial institution with a large, complex information system. The exact qualifications will depend on the nature of the financial institution’s information system. Each financial institution will need to evaluate its own information security needs and designate an individual with appropriate qualifications to meet those needs. The Commission believes, in many cases, financial institutions’ current coordinators, whether their own employees or third-party contractors, may be qualified for this role.98 Because the current Safeguards Rule requires financial institutions to designate an ‘‘employee or employees to coordinate your information security program,’’ financial institutions in compliance with that Rule will already have one or more information security coordinators.

91 Section 314.4(a).
92 84 FR 13165.
93 U.S. Chamber of Commerce (comment 33, NPRM), at 10; National Automobile Dealers Association (comment 46), at 17–19; National Independent Automobile Dealers Association (comment 48, NPRM), at 5; ACA International (Comment 45, NPRM), at 8.
94 See, e.g., Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (estimating the average annual salary of a CISO can range from $180,000 to upwards of $400,000).
95 National Automobile Dealers Association (comment 46, NPRM), at 17–19; National Independent Automobile Dealers Association (comment 48, NPRM), at 5; U.S. Chamber of Commerce (comment 33, NPRM), at 10; ACA International (comment 45, NPRM), at 8.
96 National Automobile Dealers Association (comment 46, NPRM), at 18–19; U.S. Chamber of Commerce (comment 33, NPRM), at 10; ACA International (comment 45, NPRM), at 8.
97 84 FR 13175.
Although the current Rule does not expressly require that these coordinators be qualified for that position, the current Rule requires a financial institution to maintain ‘‘appropriate’’ safeguards, regularly test those safeguards, and evaluate and adjust the information security program in light of that testing.99 In order to effectively comply with these ongoing requirements, a financial institution’s coordinator must have some level of information security training and knowledge and, therefore, will likely be an appropriate Qualified Individual under the Final Rule. Accordingly, in many cases this amendment to the Rule will not require any additional hiring expenses.

In addition to explicitly requiring that the information security program coordinator be qualified for the role, the Commission proposed to require the designation of a single employee, as opposed to the multiple coordinators allowed by the existing Rule. Some commenters objected to this proposal on the grounds that it would interfere with financial institutions’ flexibility in organizing their information security personnel.100 For example, the Consumer Data Industry Association (‘‘CDIA’’) commented the designation of a single coordinator would interfere with financial institutions’ ability to organize their program ‘‘to share responsibilities among different personnel with different strengths.’’ 101 Similarly, ACA International argued this requirement would prevent financial institutions from having multiple staff members share responsibilities for information security programs.102 Other commenters argued the designation of a single individual as the coordinator of the information security program provides no proven benefits over the use of multiple coordinators.103 Similarly, NADA argued that, while the appointment of a single qualified individual might improve accountability, improving accountability does not improve security.104 On the other hand, a group of consumer and advocacy groups including the National Consumer Law Center (‘‘NCLC’’) argued appointing a single individual as the coordinator of the information security program can increase security and prevent security events based on lack of accountability and poor coordination.105 The Commission retains the requirement to designate a single qualified individual, because it believes there are clear benefits to the designation of a single coordinator.

98 Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 74 (stating car dealerships can rely on existing staff for this role); Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 78–79 (stating any dealership with any IT staff at all would have someone who could assume the role of ‘‘qualified individual,’’ perhaps requiring some additional research or outside help); Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 81–82 (stating companies may use an existing employee for the role and ‘‘for any areas where there may be skill gaps, that can be supplemented with either certifications or some type of education.’’).
99 16 CFR 314.4.
Designating a single coordinator to oversee an information security program clarifies lines of reporting in enforcing the program, can avoid gaps in responsibility in managing data security, and improve communication.106 The Commission disagrees with the commenter who stated improved accountability does not lead to improved security. The goal of improving accountability is to ensure information security staff and financial institution management give the necessary attention and resources to information security.

100 National Independent Automobile Dealers Association (comment 48, NPRM), at 5; Consumer Data Industry Association (comment 36, NPRM), at 5; National Association of Dealer Counsel (comment 44, NPRM), at 2; ACA International (comment 45, NPRM), at 7–8; Money Services Round Table (comment 53, NPRM), at 10; Gusto and others (Comment 11, Workshop), at 2; see also Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 74 (stating ‘‘when we’re talking about a small and medium business [. . .] we really need to see that ‘qualified individual’ be a mix of folks’’).
101 Consumer Data Industry Association (comment 36, NPRM), at 5.
102 ACA International (comment 45, NPRM), at 7–8. NPA raised similar concerns. National Pawnbrokers Association (comment 3, Workshop), at 2.
103 Consumer Data Industry Association (comment 36, NPRM), at 5; National Automobile Dealers Association (comment 46, NPRM), at 19; ACA International (comment 45, NPRM), at 8.
104 National Automobile Dealers Association (comment 46, NPRM), at 19.
105 National Consumer Law Center and others (comment 58, NPRM), at 3 (arguing that a clear line of reporting with a single responsible individual could have prevented the Equifax consumer data breach).
In addition, an individual that has clear responsibility for the strength of a financial institution’s information security program will be accountable to improve the program and ensure it protects customer information.107 The major breach that occurred at national consumer reporting agency Equifax in 2017 demonstrates the importance of clear lines of reporting and accountability in management of information security programs. The U.S. House Committee on Oversight and Government Reform issued a report on the breach that identified Equifax’s organization as one of the major causes of the breach.108 The report indicated Equifax’s division of responsibility for information security between two individuals that reported to two different company officers contributed to failures of communication, oversight, and enforcement that led to millions of consumers’ data being compromised.109 Increasing accountability for individuals and organizations can directly lead to improved security for customer information.

Finally, the Commission does not believe the requirement to designate a single Qualified Individual would prevent the approach of having multiple people responsible for different aspects of the program, as some commenters asserted. While the Qualified Individual appointed as the coordinator of the information security program would have ultimate responsibility for overseeing and managing the information security program, financial institutions may still assign particular duties and responsibilities to other staff members.110 A financial institution may organize its personnel in teams or share decision making between individuals. Moreover, the Rule does not require this be the Qualified Individual’s sole job—he or she may have other duties. The Rule requires only that one individual assume the ultimate responsibility for overseeing and enforcing the program. Accordingly, the Final Rule requires designation of a single Qualified Individual, as proposed, but no longer uses the term ‘‘CISO.’’

106 Remarks of Adrienne Allen, Safeguards Workshop Tr., supra note 17, at 182–84 (stating that without a single responsible individual, information security staff ‘‘can fall into traps of each relying on someone else to make a hard call . . . [In a program without a single coordinator] issues can sometimes fall through the cracks.’’); Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at 184–85 (‘‘I think it’s extremely important to have a person in front of the information security program. I think that there are so many components to understand, to manage, to keep an eye on. I think it’s difficult to do that if it’s part of someone else’s job. And so I found that it’s extremely helpful to have a person in charge of that program just from a pure basic management perspective and understanding perspective.’’).
107 See, e.g., Federal Trade Commission Staff Comment on the Preliminary Draft for the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Oct. 24, 2019), at 12–14 (suggesting NIST clarify that one person should be in charge of the program). https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-preliminary-draft-nist-privacy-framework/p205400nistprivacyframeworkcomment.pdf.
108 U.S. House, Committee on Oversight and Government Reform, Majority Staff Report, The Equifax Data Breach, at 55–62, 115th Congress (Dec. 2018).
109 Id.

Third-Party Coordinators

The Proposed Rule stated that the Qualified Individual would not need to be an employee of the financial institution, but could be an employee of an affiliate or a service provider.
This change was intended to accommodate financial institutions that may prefer to retain an outside expert, lack the resources to employ a qualified person to oversee a program, or decide to pool resources with affiliates to share staff to manage information security. The Proposed Rule required, however, that to the extent a financial institution used a service provider or affiliate, the financial institution must still: (1) Retain responsibility for compliance with the Rule; (2) designate a senior member of its personnel to be responsible for direction and oversight of the Qualified Individual; and (3) require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the Rule. The Commission received one comment on this aspect of the provision. NADA argued that, because a senior member of a financial institution’s personnel must be responsible for the oversight of a third-party Qualified Individual, the supervising individual would need to be an expert in information security, and the financial institution would still be required to hire an expensive employee to supervise the third-party Qualified Individual.111 The Rule, however, does not require individuals responsible for overseeing third-party Qualified Individuals to be information security experts themselves. The senior personnel that oversees the third-party Qualified Individual is charged with supervising and monitoring the third party so the financial institution is aware of its data security needs and the safeguards being used to protect its information systems. This person does not need to be qualified to coordinate the information security program him or herself.

110 See Remarks of Adrienne Allen, Safeguards Workshop Tr., supra note 17, at 189–90 (noting that, even where there is a single point person, decision makers rarely operate ‘‘in a vacuum.’’).
Technical staff are frequently supervised by employees or officers with limited technical expertise.112 The Rule requires only the same responsibilities a supervisor would have in overseeing an in-house information security coordinator of a financial institution. Accordingly, the Commission adopts the proposed paragraph without modification.

Proposed Paragraph (b)

The NPRM proposed amending paragraph (b) to clarify a financial institution must base its information security program on the findings of its risk assessment by adding an explicit statement that financial institutions’ ‘‘information security program [shall be based] on a risk assessment.’’ 113 In addition, the Proposed Rule removed existing § 314.4(b)’s requirement that the risk assessment must include consideration of specific risks 114 because these specific risks are set forth elsewhere in the Proposed Rule.115 The Commission received no comments on this paragraph and adopts paragraph (b) as proposed.

Written Risk Assessment

Paragraph (b)(1) of the Proposed Rule required the risk assessment be written and include: (1) Criteria for the evaluation and categorization of identified security risks or threats the financial institution faces; (2) criteria for the assessment of the confidentiality, integrity, and availability of the financial institution’s information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats to the financial institution; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the financial institution’s risks. Commenters raised several concerns about the Proposed Rule’s provisions on risk assessment, none of which merit changes to the Proposed Rule. First, some commenters objected to the level of specificity of the Proposed Rule, with some arguing the requirements were too specific, and others arguing the requirements were not specific enough. With respect to the Proposed Rule being too specific, commenters such as ACA and U.S.

111 National Automobile Dealers Association (comment 46, NPRM), at 18.
112 See Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 79–80 (stating that, in his work as a third-party information security service provider, he is often overseen by executives without technical backgrounds); see also Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 105–06 (noting distinction in how executives and technical staff may understand their organizations’ use of encryption); Remarks of Karthik Rangarajan, Safeguards Workshop Tr., supra note 17, at 196 (discussing challenges inherent in discussing technical issues with board members who lack a technical background) and at 211 (noting organizations can successfully manage their relationships with third-party service providers without ‘‘becom[ing] experts’’ in the services provided).
113 Proposed 16 CFR 314.4(b).
114 Proposed 16 CFR 314.4(b)(1), (2), and (3).
115 See, e.g., Proposed 16 CFR 314.4(c)(2) and (10) and (e).
Chamber of Commerce argued it removed financial institutions’ flexibility in performing risk assessments.116 The U.S. Chamber of Commerce contended, because the criteria are too specific, a risk assessment performed using them would not be ‘‘sufficiently risk based.’’ 117 CDIA expressed concern it was unclear ‘‘what level of specificity is required’’ in the written risk assessment and if detailed risk assessments are required, they ‘‘could themselves become a roadmap for a security breach.’’ 118 In contrast, several other commenters recommended the Rule set forth more specific criteria for risk assessments. Inpher suggested the Commission add a requirement that risk assessments require financial institutions to examine ‘‘technologies that are deployed by [financial institutions’] information security systems, and evaluate the feasibility’’ of adopting ‘‘privacy enhancing technologies’’ that would better address vulnerabilities and thwart threats.119 Inpher also recommended the Rule require financial institutions to conduct privacy impact assessments with ‘‘specific guidelines to review internal data protection standards and adherence to fair information principles.’’ 120 The Princeton Center suggested the Rule require risk assessments to include threat modeling and adopt the concept of defense in depth.121 HALOCK Security Labs recommended the Rule specifically require ‘‘a) That risk assessments should evaluate the likelihood of magnitudes of harm that result from threats and errors, b) That risk assessments should explicitly estimate foreseeable harm to consumers as well as to the covered financial institutions, c) That risk mitigating controls are commensurate with the risks they address, [and] d) That risk assessments estimate likelihoods and impacts using available data.’’ 122

The Commission believes the Proposed Rule’s provisions on risk assessment strike the right balance between specificity and flexibility. The amendments provide only a high-level list of criteria the risk assessment must address. They essentially require that the financial institution identify and evaluate risks to its systems, evaluate the adequacy of its existing controls for addressing these risks, and identify how these risks can be mitigated. These are core requirements of any risk assessment.123 The Rule does not require any specific methodology or approach for performing the assessment. Financial institutions are free to perform the risk assessment using the method most suitable for their organization as long as that method meets the general requirements set forth in the Rule.124 And while the Commission agrees the additional requirements suggested by some commenters may be beneficial in many, or even most, risk assessments, it believes a more flexible requirement will better allow financial institutions to find the risk assessment method that best fits their organization and will better accommodate changes in recommended approaches in the future. In response to CDIA’s concern about the risk assessment providing a roadmap for bad actors, certainly, the written risk assessment will include details about a financial institution’s systems that could assist an attacker if obtained by the attacker. Accordingly, the risk assessment should be protected as any other sensitive information would be. The Commission does not view this concern as a reason not to create such a document.

116 ACA International (comment 45, NPRM), at 12; U.S. Chamber of Commerce (comment 33, NPRM), at 10.
117 U.S. Chamber of Commerce (comment 33, NPRM), at 10.
118 Consumer Data Industry Association (comment 36, NPRM), at 5.
119 Inpher, Inc. (comment 50, NPRM), at 4.
120 Id.
121 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 2.
122 HALOCK Security Labs (comment 4, Workshop) at 2. See Rocio Baeza (comment 12, Workshop) at 2–3 (suggesting a detailed list of requirements for the risk assessment).
123 See, e.g., Remarks of Chris Cronin, Safeguards Workshop Tr., supra note 17, at 25 (stating that evaluating the likelihoods and impacts of potential security risks and evaluating existing controls is an important component of a risk assessment); Remarks of Serge Jorgensen, Safeguards Workshop Tr., supra note 17, at 29–30 (emphasizing the importance of risk assessments as tools for adjusting existing security measures to account for both current and future security threats); Nat. Inst. of Sci. & Tech., U.S. Dept. of Com., Special Publication 800–30 Rev. 1, Guide for Conducting Risk Assessments 1 (2012) (describing the purpose of risk assessments as the identification of and prioritization of risk in order to inform decision making and risk response).
124 ACA International further argued because risk assessment criteria are generally understood, they do not need to be included in the Final Rule. ACA International (comment 45, NPRM). The Commission believes it is helpful to be clear about the criteria the risk assessment must contain, even if those criteria are commonly understood.
Indeed, the concern would apply to any written document that provides information regarding a financial institution’s information security procedures, from a network diagram to written security code. Second, some commenters argued implementing the risk-assessment provision as proposed would be too expensive and difficult for financial institutions.125 For example, NADA argued the contemplated risk assessment would be very costly because the criteria set out in paragraph (b)(1) are ‘‘well outside the scope of expertise of anyone but the most sophisticated IT professionals.’’ 126 In response, although the Commission declines to modify the provision, it addresses NADA’s concern in § 314.6 by exempting financial institutions that maintain information concerning fewer than 5,000 consumers from the specific requirements of paragraph (b)(1), and from the requirement to memorialize the risk assessment in writing. For those financial institutions that do not qualify for this exemption, the Commission believes they will be able to perform the required risk assessment in a manner that is practical and affordable for their institution. There are many resources available to financial institutions to aid in risk assessment, including service providers that can assist institutions of various sizes.127 125 National Association of Dealer Counsel (comment 44, NPRM), at 3; National Automobile Dealers Association (comment 46, NPRM), at 20. 126 National Automobile Dealers Association (comment 46, NPRM), at 20. 
127 See, e.g., Slides Accompanying Remarks of Rocio Baeza, in Safeguards Workshop Slides, supra note 72, at 27–28 (describing three different compliance models: In-house, outsource, and hybrid, with costs ranging from $199 per month to more than $15,000 per month); Slides Accompanying the Remarks of Brian McManamon, ‘‘Sample Pricing,’’ in Safeguards Workshop Slides, supra note 72, at 29 (estimating the cost of cybersecurity services based on number of endpoints: $2K–$5K per month for 25–250 endpoints; $5K–$15K for 250–750 endpoints; PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 While acknowledging there will be some cost to conducting a risk assessment, the Commission believes a properly conducted risk assessment is an essential part of a financial institution’s information security program. The entire Safeguards Rule, both as it currently exists and as amended, requires that the information security program be based on a risk assessment. An information security program cannot properly guard against risks to customer information if those risks have not been identified and assessed.128 The Commission believes this requirement properly emphasizes the importance of robust risk assessments, while providing financial institutions sufficient flexibility in performing these assessments. Finally, the Commission notes, because the current Rule also requires that a risk assessment be performed, financial institutions that have complied with the current Rule have already conducted a risk assessment. And, even if that risk assessment was not memorialized in writing, the work conducted for that risk assessment should be useful in performing future risk assessments. 
Third, NADA objected to the requirement that the risk assessment describe how each identified risk will be ‘‘mitigated or accepted,’’ arguing it is not clear when it is appropriate to ‘‘accept a risk.’’ 129 NADA argued that documenting a decision to accept a risk would ‘‘create a record that can be distorted and second guessed after the fact,’’ and ‘‘context is lost when it is written and reviewed after an incident has occurred.’’ 130 The Rule does not require a financial institution to mitigate every risk identified, no matter how remote or insignificant. Instead, the Rule allows a financial institution to accept a risk, if its assessment of the risk reveals that the chance it will produce a security event is very small, if the consequences of the risk are minimal, or the cost of mitigating the risk far outweighs the benefit. In those cases, the financial institution may choose to accept the risk. A financial institution concerned that its decision to accept a risk will later be questioned may choose to set forth whatever context or $15K–$30K for 750–1,000 endpoints; and $30K– $50K for 1,500–2,500 endpoints); see also Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 83–85. 128 See Remarks of Chris Cronin, Safeguards Workshop Tr., supra note 17, at 48–49 (noting all information security frameworks and guidelines are based on risk analysis). 129 National Automobile Dealers Association (comment 46, NPRM) at 20. 130 Id. E:\FR\FM\09DER3.SGM 09DER3 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations explanation it sees fit in the written assessment. Finally, while several commenters supported the idea of conducting ‘‘periodic’’ risk assessments as required by the Proposed Rule,131 NADA objected it is unclear how often financial institutions need to conduct risk assessments under this section. 
132 In order to be effective, a risk assessment must be subject to periodic reevaluation to adapt to changes in both financial institutions’ information systems and changes in threats to the security of those systems. The Commission declines, however, to set forth a specific schedule for risk assessments. The Commission believes it would not be appropriate to set forth an inflexible schedule for periodic risk assessments because each financial institution must set its own schedule based on the needs and resources of its institution. The Final Rule adopts § 314.4(b) as proposed. khammond on DSKJM1Z7X2PROD with RULES3 Paragraph (c) Proposed paragraph (c) retained the existing Rule’s requirement for financial institutions to design and implement safeguards to control the risks identified in the risk assessment. In addition, it added more detailed requirements for what the safeguards must address (e.g., access controls, data inventory, disposal, change management, monitoring). These specific requirements represent elements of an information security program that the Commission views as essential and should be addressed by all financial institutions.133 As a preliminary matter, Global Privacy Alliance (GPA) argued all of these elements should be made optional 131 Inpher, Inc. (comment 50, NPRM), at 3; Global Privacy Alliance (comment 38, NPRM), at 11. 132 National Automobile Dealers Association (comment 46, NPRM), at 20. 133 NADA disagreed with the Commission’s statement in the NPRM for the Proposed Rule that ‘‘most financial institutions already implement’’ the specific requirements in paragraph (c), stating that many financial institutions ‘‘do not currently implement some or all of these measures.’’ National Automobile Dealers Association (comment 46, NPRM), at 20. 
The Commission continues to believe most financial institutions institute some form of most of these measures, such as access control, secure disposal, and monitoring authorized users, based on its enforcement and business outreach experience. While NADA’s statement that some financial institutions implement none of the measures may be true, this underlines the necessity of making these elements explicit requirements under the Rule, as these elements are necessary for a reasonable information security program for all financial institutions. Indeed, a financial institution that utilizes none of these elements and exercises no access control, no secure disposal procedures, and does not monitor users of its systems is unlikely to be in compliance with the current Rule. VerDate Sep<11>2014 18:18 Dec 08, 2021 Jkt 256001 and financial institutions should be required only to take these elements ‘‘into consideration’’ when designing their information security programs.134 While the Commission agrees it is important that the Rule allow financial institutions flexibility in designing their information security programs, these elements are such important parts of information security that each program must address them. For example, an information security program that has no access controls or does not contain any measures to monitor the activities of users on the systems cannot be said to be protecting the financial institution’s systems. The Final Rule, therefore, continues to require each information security program to contain safeguards that address these elements, with modifications described below. 
Access Controls Proposed paragraph (c)(1) required financial institutions to ‘‘place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information and to periodically review such access controls.’’ Commenters suggested a number of modifications to this provision. First, GPA argued this provision should require controls on access to information, rather than on information systems.135 Second, several commenters suggested adding further safeguards to the ‘‘access control’’ requirement. For example, the Princeton Center argued the Rule should adopt the ‘‘Principle of Least Privilege,’’ a principle that no user should have access greater than is necessary for legitimate business purposes.136 Reynolds and Reynolds Company (Reynolds) suggested the Rule clarify that financial institutions must ‘‘vet, control, and monitor user access to sensitive information.’’ 137 Consumer Reports argued paragraph (c)(1) should be amended to control access not just to authorized users, but to further limit access to when such access is reasonably necessary.138 ACE argued that any requirement for physical access control allow financial institutions to determine which locations should have restricted access, rather than limiting physical access to every building and 134 Global Privacy Alliance (comment 38, NPRM), at 6. 135 Global Privacy Alliance (comment 38, NPRM), at 9–10. 136 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 4–5. 137 Reynolds and Reynolds Company (comment 7, Workshop), at 7. 138 Consumer Reports (comment 52, NPRM), at 7. 
PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 70285 office within, say, a college campus.139 Finally, some commenters argued the proposed language was too vague,140 particularly as it applied to vendorsupplied services.141 In response to the comments, the Commission makes a number of changes to this provision in the Final Rule. First, the Commission clarifies that the Rule requires access controls, not just for information systems, but for all customer information, whether it is housed in information systems or in physical locations. To streamline the Rule, the Final Rule combines the separate physical access controls requirement found in proposed paragraph (c)(3) with this paragraph. Physical access controls will generally be most important in situations in which sensitive customer information is kept in physical form (such as hardcopy loan applications, or printed consumer reports). It may also require physical restrictions to access machines that contain customer information (e.g., locked doors and/or key card access to a computer lab).142 The Commission declines to make any changes in response to ACE’s concern that every physical location will need to be protected—as the Rule states, physical controls must be implemented to protect unauthorized access to customer information. Where no customer information exists, the Rule would not require physical controls. Second, the Commission agrees with the commenters who advocated that the Rule implement the principle of least privilege. The Commission does not believe it is appropriate, for example, for larger companies to give all 139 American Council on Education (comment 24, NPRM), at 10. 
140 National Automobile Dealers Association (comment 46, NPRM), at 23; National Independent Automobile Dealers Association (comment 48, NPRM), at 5; American Council on Education (comment 24, NPRM), at 10; 141 National Independent Automobile Dealers Association (comment 48, NPRM), at 5; American Council on Education (comment 24, NPRM), at 10. 142 NIADA suggested instituting physical access controls would cost a dealership $215,000 because each computer would need to have its own lockable cubicle and there would need to be lockable offices for all desks. See Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 76. As originally promulgated, the Rule already requires financial institutions implement ‘‘physical safeguards that are appropriate to your size and complexity.’’ 16 CFR 314.3. The Final Rule’s requirement is consistent with that longstanding requirement. If computers have technical safeguards preventing unauthorized users from accessing customer information, they usually will not need to be in a lockable area, particularly if they are not generally left unattended and are not likely to be stolen. Similarly, desks would need to be in lockable offices only if they contain accessible paper records. A lockable file cabinet may be a more economical solution. E:\FR\FM\09DER3.SGM 09DER3 70286 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES3 employees and service providers access to all customer information. Such overbroad access could create additional harm in the event of an intruder gaining access to a system by impersonating an employee or service provider. Accordingly, the Commission clarifies this in the Final Rule by adding a requirement that not only must a financial institution implement access controls, but it should also restrict access only to customer information needed to perform a specific function. 
As to the suggestion the Commission impose monitoring requirements for access, that requirement exists in paragraph (c)(8). And as to the suggestion the requirement is too vague as to service providers, the Commission believes the Final Rule is clear: When a vendor accesses the financial institution’s data or information systems, the financial institution must ensure appropriate access controls are in place. Separately, under paragraph (f), the financial institution must reasonably oversee the vendor’s safeguards, which would necessarily include access controls for the vendor’s system. Finally, as to the suggestion the provision is vague generally, as discussed above, the Final Rule seeks to preserve flexibility in its provisions, both so that financial institutions can design programs appropriate for their systems and so that changes in technology or security practices will not render the Rule obsolete. The Commission believes maintaining less prescriptive requirements is the best way to achieve the goal of flexibility and protecting customer information.143 Accordingly, the Commission combines paragraphs (c)(1) and (3) from the Proposed Rule into revised paragraph (c)(1) of the Final Rule, which requires implementing and periodically reviewing access controls on customer information, including technical and, as appropriate, physical controls to (1) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information and (2) limit authorized users’ access only to customer information that they need to perform their duties and functions, or, in the 143 NPA expressed concern about the effect of the Rule on pawnbrokers who the commenter stated are required by law to allow law enforcement access to their physical records. National Pawnbrokers Association (comment 32, NPRM), at 7. Nothing in the Rule conflicts with any such requirements. 
Law enforcement appropriately accessing customer information under a law that requires that access would be considered authorized use under those circumstances. VerDate Sep<11>2014 18:18 Dec 08, 2021 Jkt 256001 case of customers, to access their own information.144 System Inventory In the NPRM, the Commission proposed to require the financial institution to ‘‘[i]dentify and manage the data, personnel, devices, systems, and facilities that enable [the financial institution] to achieve business purposes in accordance with their relative importance to business objectives and [the financial institution’s] risk strategy.’’ 145 This requirement was designed to ensure the financial institution inventoried the data in its possession, inventoried the systems on which that data is collected, stored, or transmitted, and had a full understanding of the relevant portions of its information systems and their relative importance.146 The Commission retains this provision in the Final Rule without modification. Commenters raised two general objections to this provision. First, some commenters argued it was too vague and that it was not clear how such an inventory should be conducted or what systems should be included.147 The Commission believes the language provides effective guidance while still allowing a variety of approaches by financial institutions in identifying systems involved in their businesses. This provision requires a financial institution to identify all ‘‘data, personnel, devices, systems, and facilities’’ that are a part of its business and to determine their importance to the financial institution. This inventory of systems must include all systems that are a part of the business so the financial institution can locate all customer information it controls, the systems connected to that information, and how they are connected. 
This inventory forms the basis of an information security program because a system cannot be protected if the financial institution does not understand its structure or know what data is stored in its systems. Second, ACE suggested the scope of this provision should be limited to 144 As noted above, the Commission is also changing the term ‘‘authorized individuals’’ to ‘‘authorized users.’’ 145 Proposed 16 CFR 314.4(c)(2). 146 See, e.g., Complaint at 11, FTC v. Wyndham Worldwide Corp., No. CV 2:12–cv–01365–SPL (D. Ariz. June 26, 2012) (alleging company failed to provide reasonable security by, among other things, failing to inventory computers connected to its network). 147 National Automobile Dealers Association (comment 46, NPRM), at 23–24; American Financial Services Association (comment 41, NPRM), at 5; American Council on Education (comment 24, NPRM), at 10. PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 systems ‘‘directly related to the privacy and security of ‘customer information.’ ’’ 148 The Commission declines to make this change because the purpose of this provision is to allow financial institutions to obtain a clear picture of their systems and to identify where customer information is kept and how it can be accessed. An inventory must examine all systems in order to identify all systems that contain customer information or are connected to systems that do. If a financial institution does not first examine all systems and instead limits the inventory to systems it considers to be directly related to security, it could give an incomplete picture of the financial institution’s systems and could result in some customer information or ways to connect to that information being overlooked.149 The Commission adopts paragraph (c)(2) of the Proposed Rule as final, without modifications. 
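The following Python sketch is an added illustration of the two requirements discussed above, the inventory in paragraph (c)(2) and the least-privilege access controls in revised paragraph (c)(1); it is not code from the Commission or from any commenter. It assumes a constructed inventory in which each system records whether it stores customer information and which systems it connects to, and computes the set of systems that hold customer information or are connected, directly or indirectly, to one that does. In front of the constructed customer records it then authenticates a user, limits the fields returned to those the user's role needs, allows a customer to read only their own record, and logs every decision for the periodic review the paragraph requires. All system names, roles, accounts, passphrases and records are constructed for the example.

```python
"""Constructed illustration of Final Rule paragraphs (c)(1) and (c)(2).
Not code from the Commission or any commenter: every system, role, account
and customer record below is made up for the example."""
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Paragraph (c)(2): a constructed inventory recording, for each system,
# whether it stores customer information and which systems it connects to.
INVENTORY = {
    "loan-db":      {"customer_info": True,  "connects_to": {"app-server"}},
    "app-server":   {"customer_info": False, "connects_to": {"loan-db", "web-frontend"}},
    "web-frontend": {"customer_info": False, "connects_to": {"app-server"}},
    "print-server": {"customer_info": False, "connects_to": {"app-server"}},
    "lobby-kiosk":  {"customer_info": False, "connects_to": set()},
}


def in_scope_systems(inventory):
    """Systems that store customer information plus every system reachable
    from one of them.  Links are treated as bidirectional: any path to a
    store of customer information is a way that information can be reached."""
    adjacency = {name: set() for name in inventory}
    for name, entry in inventory.items():
        for peer in entry["connects_to"]:
            adjacency[name].add(peer)
            adjacency.setdefault(peer, set()).add(name)
    seen = {name for name, entry in inventory.items() if entry["customer_info"]}
    queue = deque(seen)
    while queue:
        for peer in adjacency[queue.popleft()]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


# Paragraph (c)(1): authenticate, then let each authorized user see only the
# fields that role needs; a customer may see only their own record.
ROLE_FIELDS = {
    "loan_officer": {"name", "loan_balance", "ssn_last4"},
    "collections":  {"name", "loan_balance"},
    "customer":     {"name", "loan_balance", "ssn_last4"},
}

RECORDS = {  # constructed customer records: the protected data
    "C100": {"name": "A. Borrower", "loan_balance": 12500, "ssn_last4": "1234"},
    "C200": {"name": "B. Borrower", "loan_balance": 800, "ssn_last4": "9876"},
}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    customer_id: Optional[str] = None   # set only on customer accounts


_CREDENTIALS = {}   # username -> (salt, pbkdf2 digest, User)
AUDIT_LOG = []      # every access decision, kept for the periodic review


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(user, password):
    salt = os.urandom(16)
    _CREDENTIALS[user.username] = (salt, _derive(password, salt), user)


def authenticate(username, password):
    """Return the User for a valid credential, otherwise None."""
    entry = _CREDENTIALS.get(username)
    if entry is None:
        return None
    salt, digest, user = entry
    return user if hmac.compare_digest(_derive(password, salt), digest) else None


def read_customer_record(user, customer_id):
    """Return the fields the user's role needs, or None when access is denied."""
    allowed = ROLE_FIELDS.get(user.role, set()) if user else set()
    if user and user.role == "customer" and user.customer_id != customer_id:
        allowed = set()                      # customers: own information only
    record = RECORDS.get(customer_id)
    granted = bool(allowed) and record is not None
    AUDIT_LOG.append((user.username if user else "<unauthenticated>", customer_id, granted))
    if not granted:
        return None
    return {field: value for field, value in record.items() if field in allowed}


# Constructed accounts; the passphrases are sample values for this example.
enroll(User("alice", "loan_officer"), "correct horse battery staple")
enroll(User("bob", "collections"), "sample collections passphrase")
enroll(User("c200", "customer", customer_id="C200"), "sample customer passphrase")
```

Run as written, in_scope_systems() reports the loan database and the application, web and print servers as in scope, while the isolated lobby kiosk is not; a loan officer receives the full record, a collections user receives no SSN digits, and a customer reading another customer's record is denied and the denial is recorded in AUDIT_LOG. The point of the inventory step is the one the text makes: the print server stores no customer information itself, yet it is a path to the loan database and so belongs in the protected scope.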
Access to Physical Location

Proposed paragraph (c)(3) would have required that financial institutions restrict access to physical locations containing customer information only to authorized individuals. The Final Rule combines this section with proposed paragraph (c)(1) in order to eliminate redundancy and clarify that access controls must consider both electronic and physical access.

Encryption

Proposed paragraph (c)(4) required financial institutions to encrypt all customer information, both in transit over external networks and at rest. The Proposed Rule allowed financial institutions to use alternative means to protect customer information, subject to review and approval by the financial institution’s Qualified Individual. Several commenters supported the inclusion of an encryption requirement.150 In fact, some suggested the Proposed Rule did not go far enough in requiring encryption. Inpher suggested the Rule should require encryption of customer information when in use, in addition to when in transit or at rest.151 The Princeton Center suggested requiring encryption of data while in transit over internal networks, in addition to requiring it for external networks, noting the blurring of the distinction between internal and external networks.152 In contrast, others argued encryption could be too expensive and technically challenging for some financial institutions and should not be required in all cases.153 Indeed, GPA argued the Rule should not require encryption at all, financial institutions should be free to adopt other protective measures for customer information, and the Rule should allow financial institutions to ‘‘determine the controls that are most appropriate for protecting the sensitive information that they handle.’’ 154 Similarly, some commenters argued financial institutions should be required to encrypt customer information only when the risk to the customer information justifies it.155 Others suggested encryption in more limited circumstances, such as on systems ‘‘to which unauthorized individuals may have access,’’ 156 for sensitive data,157 or for data in transit.158 The Mortgage Bankers Association argued encryption at rest is unnecessary because customer information at rest in a financial institution’s system is sufficiently protected by controlling access to the system.159 Two commenters stated guidelines issued by the Federal Financial Institutions Examination Council (FFIEC) do not require most banks to encrypt data at rest, unless the institution’s risk assessment indicates such encryption is necessary.160

150 Inpher, Inc. (comment 50, NPRM), at 4; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 3; Electronic Privacy Information Center (comment 55, NPRM), at 8; National Consumer Law Center and others (comment 58, NPRM), at 3.
151 Inpher, Inc. (comment 50, NPRM), at 4.
152 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 3.
153 National Pawnbrokers Association (comment 32, NPRM), at 3; U.S. Chamber of Commerce (comment 33, NPRM), at 11; CTIA (comment 34, NPRM) at 10; Wisconsin Bankers Association (comment 37, NPRM), at 2.
154 Global Privacy Alliance (comment 38, NPRM), at 7–8.
155 Bank Policy Institute (comment 39, NPRM), at 14; Mortgage Bankers Association (comment 26, NPRM), at 6; Global Privacy Alliance (comment 38, NPRM), at 7–8.
156 Bank Policy Institute (comment 39, NPRM), at 14.
157 U.S. Chamber of Commerce (comment 33, NPRM), at 11; American Financial Services Association (comment 41, NPRM), at 5; ACA International (comment 45, NPRM), at 13; CTIA (comment 34, NPRM), at 10.
158 Mortgage Bankers Association (comment 26, NPRM), at 6; Wisconsin Bankers Association (comment 37, NPRM), at 2; American Financial Services Association (comment 41, NPRM), at 5; Ken Shaurette (comment 19, NPRM) (suggesting the Commission consider whether ‘‘databases, applications and operating systems are prepared to fully support full encryption without significant performance impact or ability to continue to function.’’); National Automobile Dealers Association (comment 46, NPRM), at 25–26 (arguing the terms ‘‘at rest’’ and ‘‘in transit’’ are unclear).
159 Mortgage Bankers Association (comment 26, NPRM), at 6.
160 Wisconsin Bankers Association (comment 37, NPRM), at 2 (discussing FFIEC Information Technology Booklet); American Financial Services Association (comment 41, NPRM), at 5 (discussing FFIEC Cybersecurity Assessment Tool).

The Commission declines to modify the encryption requirement from the Proposed Rule. As to the comments that suggest the requirement should be relaxed, the Commission notes there are numerous free or low cost encryption solutions available to financial institutions, particularly for data in transit,161 that make encryption a feasible solution in most situations. For data at rest, encryption is now cheaper, more flexible, and easier than ever before.162 In many cases, widely used software and hardware have built-in encryption capabilities.163 In response to the argument that the Rule should not require encryption at rest because FFIEC guidelines do not require it, the Commission notes the Safeguards Rule is very different from the guidelines issued by the FFIEC. The depository financial institutions regulated by the banking agencies are subject to regular examinations by their regulator. The guidelines created by the FFIEC are designed to be used by the examiner, as part of those examinations, to evaluate the security of the financial institution; the examiner thus has a direct role in regularly verifying the financial institution has taken appropriate steps to protect its customer information. In contrast, the Safeguards Rule regulates covered financial institutions directly and must be usable by those entities to determine appropriate information security without any interaction between the financial institution and the Commission. The Commission does not have the ability to examine each financial institution and work with that institution to ensure their information security is appropriate. Therefore, a requirement that institutions encrypt information by default is appropriate for the Safeguards Rule, as the Commission believes encryption of customer information at rest is appropriate in most cases.

161 See Remarks of Matthew Green, Safeguards Workshop Tr., supra note 17, at 225 (noting website usage of encryption is above 80 percent; ‘‘Let’s Encrypt’’ provides free TLS certificates; and costs have gone down to the point that if a financial institution is not using TLS encryption for data in motion, it is making an unusual decision outside the norm); Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 106 (‘‘[T]he encryption of data in transit has been standard. There’s no pushback with that.’’); see also National Pawnbrokers Association (comment 3, Workshop), at 2 (‘‘[I]n states that allow us to use technology for the receipt of information from consumer customers and software to print our pawn tickets and store information, we believe our members have access through their software providers to protections that comply with the Safeguards Rule.’’).
162 See Remarks of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 267 (‘‘we have a lot more options, a lot more technologies today than we did before that are making both of these solutions, both encryption and MFA, easier to use, more flexible, in some cases cheaper, and we should be encouraging their adoption wherever possible.’’); Remarks of Matthew Green, Safeguards Workshop Tr., supra note 17, at 265–66 (‘‘I think that we’re in a great time when we’ve reached the point where we can actually mandate that encryption be used. I mean, years ago—I’ve been in this field for 15, you know, 20 years now, I guess. And, you know, encryption used to be this exotic thing that was very, very difficult to use, very expensive and not really feasible for securing information security systems. And we’ve reached the point where now it is something that’s come to be and we can actually build well. So I’m really happy about that.’’).
163 See Remarks of Randy Marchany, Safeguards Workshop Tr., supra note 17, at 229–30 (noting encryption is already built into the Microsoft Office environment and a number of Microsoft products, such as Spreadsheets, Excel, Docs, and PowerPoint, support that encryption feature). Other applications that have encryption built in include database applications; app platforms iOS and Android; and development frameworks for web applications on banking sites.

Finally, while some commenters suggested eliminating the encryption requirement for certain types of data (e.g., non-sensitive) or certain categories of data (e.g., data at rest), the Commission notes, as discussed in more detail above, the fact that an individual is a customer of a financial institution alone may be sensitive. In any event, the Rule provides financial institutions with flexibility to adopt alternatives to encryption with the approval of the Qualified Individual. Similarly, the Commission declines to extend the encryption requirement to data in use or to data transmitted over internal networks, as some commenters suggested. The Commission does not believe the technology that would encrypt data while in use (as opposed to in transit or at rest) has been adopted widely enough at this time to justify mandating its use by all financial institutions under the FTC’s jurisdiction. As to encryption of data transmitted over internal networks, the Commission acknowledges, due to changes in network design and the growth of cloud and mobile computing, the distinction between internal and external networks is less clear than it once was. However, the Commission believes requiring all financial institutions to encrypt all communications over internal networks would be unduly burdensome at this time. There remain significant costs and technical hurdles to encrypting transmissions on internal networks that would not be reasonable to impose on all financial institutions, especially smaller institutions with simpler systems that might realize less benefit from this approach. While the Commission encourages financial institutions to consider whether it would be appropriate for them to encrypt the transmission of customer information over internal networks, it declines to require this for all financial institutions.164

164 The Commission believes transmissions of customer information to remote users or to cloud service providers should be treated as external transmissions, as those transmissions are sent out of the financial institution’s systems.

Commenters pointed to three additional concerns about encryption, none of which the Commission finds persuasive. First, the Bank Policy Institute commented the encryption requirement would in fact weaken security by blocking surveillance of the information by the financial institution and requiring the ‘‘broad distribution’’ of encryption keys.165 The Commission does not believe an encryption requirement would weaken security. Encryption is almost universally recommended by security experts and included in most security standards.166 Further, new tools have been developed to address the issue the Bank Policy Institute has raised. Many financial institutions have monitoring tools on the edge of their networks to monitor data leaving the network. It used to be the case these network monitoring tools could not see the content of encrypted data as it left the corporate network and was transmitted to the internet. However, there are now tools available that can see the data as it departs the network, even if the data is encrypted.167 Any marginal security costs of encryption are far outweighed by the benefits of rendering customer information unreadable. Second, some commenters argued financial institutions should be able to implement alternatives to encryption without obtaining approval from the Qualified Individual.168 The New York Insurance Association expressed concern financial institutions might feel they need to encrypt all customer information because of the risk that the alternative controls approved by the Qualified Individual would be ‘‘second guessed’’ in the event unencrypted data is compromised.169 The Commission, however, believes this concern is a core element of information security based on risk assessment. Every aspect of an information security program is based on the judgment of the financial institution and its staff. The Qualified Individual’s decision concerning alternate controls, like other decisions by the financial institution and its staff, will be subject to review in any enforcement action to determine whether the decision was appropriate. If the Qualified Individual is not required to make a formal decision, it is much more likely a decision not to encrypt information will be made even if there is no compensating control, or even made without the Qualified Individual’s knowledge.

165 Bank Policy Institute (comment 39, NPRM), at 13–14.
166 See, e.g., Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1, PCI Security Standards Council (May 2018), https://www.pcisecuritystandards.org/document_library (last accessed 30 Nov. 2020) (Requirement 4: encrypt transmission of cardholder data across open, public networks).
167 See, e.g., Encrypted Traffic Management, Broadcom Inc., https://www.broadcom.com/products/cyber-security/network/encrypted-traffic-management (last accessed 30 Nov. 2020); SSL Visibility, F5, Inc., https://www.f5.com/solutions/application-security/ssl-visibility (last accessed 30 Nov. 2020).
Third, the National Pawnbrokers Association (‘‘NPA’’) expressed concern that if pawnbrokers are required to encrypt customer information they may fall out of compliance with state and local regulations concerning transaction reporting.170 NPA stated pawnbrokers are often required by state or local law to report every pawn transaction, along with nonpublic personally identifiable consumer information, to law enforcement, and the agencies that receive this information ‘‘prefer to take this information electronically and in unencrypted forms.’’ 171 The Commission believes if transmitting the information in unencrypted form is a preference of the agencies and not a requirement, then pawnbrokers can comply with both the Safeguards Rule and these laws by encrypting any transmissions that include customer information. If there are cases where a required transmission of customer information cannot be encrypted for technical reasons, then the pawnbroker’s Qualified Individual will need to work with the law enforcement agency to implement alternative compensating controls to ensure the 168 Bank Policy Institute (comment 39, NPRM), at 14; New York Insurance Association (comment 31, NPRM), at 1. 169 New York Insurance Association (comment 31, NPRM) at 1. 170 National Pawnbrokers Association (comment 3, Workshop), at 2–3. 171 Id. at 2. PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 customer information remains secure during these transmissions.172 The Final Rule adopts this paragraph as paragraph (c)(3) without revision. 
Secure Development Practices Proposed paragraph (c)(5) required financial institutions to ‘‘[a]dopt secure development practices for in-house developed applications utilized’’ for ‘‘transmitting, accessing, or storing customer information.’’ In this paragraph, the Commission proposed requiring financial institutions to address the security of software they develop to handle customer information, as distinct from the security of their networks that contain customer information.173 In addition, the Proposed Rule required ‘‘procedures for evaluating, assessing, or testing the security of externally developed applications [financial institutions] utilize to transmit, access, or store customer information.’’ This provision required financial institutions to take steps to verify that applications they use to handle customer information are secure.174 Some commenters argued evaluating the security of externally developed software would be too expensive or impractical for some financial institutions,175 while others raised different concerns. The American Council on Education suggested, in cases in which a financial institution cannot obtain access to a software provider’s code or technical 172 NADA suggested it is not clear how the encryption requirement will apply to customer information held on a service provider’s system or on the systems of the subcontractors of the service provider. National Automobile Dealers Association (comment 46, NPRM), at 21–22. The Commission believes the Final Rule lays out a financial institution’s obligations in this situation: It requires customer information be encrypted unless infeasible. Section 314.4(e), in turn, requires financial institutions to require service providers to implement and maintain appropriate safeguards by contract and to periodically assess the continued adequacy of those measures. 
A financial institution that uses a service provider to store and process customer information must require that service provider to encrypt that information and periodically determine whether it continues to do so. If it is infeasible for the service provider to meet these requirements then the financial institution’s Qualified Individual must work with the service provider to develop compensating controls or cease doing business with the service provider. 173 See, e.g., Complaint, FTC v. D-Link Systems, Inc., No. 3:17–CV–00039–JD (N.D. Cal. March 20, 2017) (alleging company failed to provide reasonable security when it failed to adequately test the software on its devices). 174 See, e.g., Complaint, Lenovo, FTC No. 152– 3134 (January 2, 2018) (alleging company failed to provide reasonable security by failing to properly assess and address security risks caused by thirdparty software). 175 American Council on Education (comment 24, NPRM), at 11; National Automobile Dealers Association (comment 46, NPRM), at 26–27. E:\FR\FM\09DER3.SGM 09DER3 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations infrastructure, then evaluating the security of its software is infeasible.176 NADA further suggested in order to evaluate the security of software, financial institutions would need to hire an expensive IT professional.177 The Commission does not agree with these assertions. Evaluating the security of software does not require access to the source code of that software or access to the provider’s infrastructure. For example, a provider can supply the steps it took to ensure the software was secure, whether it uses encryption to transmit information, and the results of any testing it conducted. In addition, there are third party services that assess software. An institution can also set up automated searches regarding vulnerabilities, patches, and updates to software listed on the financial institution’s inventory. 
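The ‘‘automated searches regarding vulnerabilities, patches, and updates to software listed on the financial institution’s inventory’’ mentioned above amount to a recurring join between the institution’s software inventory and a vulnerability feed. The following is an added example, written for this page, and is not part of the Final Rule or any FTC-supplied tooling. The product names, advisory identifiers and version ranges in INVENTORY and ADVISORIES are constructed for illustration; in practice the inventory would come from the institution’s asset records and the advisories from a vendor or public feed, and only the matching logic is shown.

```python
"""Automated check of a software inventory against vulnerability advisories.

Added example; not part of the Final Rule and not FTC-supplied code.
INVENTORY and ADVISORIES are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.7.34' -> (5, 7, 34); a non-numeric suffix ends the number ('2.3.1-rc1' -> (2, 3, 1))."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class InventoryItem:
    product: str
    version: str
    owner: str  # contact responsible for patching this install


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix published yet
    severity: str


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when introduced <= installed < fixed (or when no fix exists yet)."""
    v = parse_version(installed)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def match_inventory(inventory: List[InventoryItem],
                    advisories: List[Advisory]) -> List[Tuple[InventoryItem, Advisory]]:
    """Every (installed item, advisory) pair where the installed version is in the affected range."""
    by_product: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product.lower(), []).append(adv)
    findings = []
    for item in inventory:
        for adv in by_product.get(item.product.lower(), []):
            if is_affected(item.version, adv):
                findings.append((item, adv))
    return findings


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def report(inventory: List[InventoryItem], advisories: List[Advisory]) -> List[dict]:
    """Findings as rows, most severe first, so each owner sees what to patch first."""
    rows = [
        {"product": item.product, "version": item.version, "owner": item.owner,
         "advisory": adv.advisory_id, "severity": adv.severity,
         "fix": adv.fixed or "none available"}
        for item, adv in match_inventory(inventory, advisories)
    ]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["product"]))
    return rows


# Constructed sample data: hypothetical products, owners and advisory identifiers.
INVENTORY = [
    InventoryItem("ExampleDB", "5.7.30", "dba@example.test"),
    InventoryItem("ExampleDB", "8.0.22", "dba@example.test"),
    InventoryItem("LoanPortal", "2.3.1", "appsec@example.test"),
    InventoryItem("OfficeSuite", "16.0.1", "it@example.test"),
]
ADVISORIES = [
    Advisory("ADV-2021-0001", "ExampleDB", "5.7.0", "5.7.34", "high"),
    Advisory("ADV-2021-0002", "ExampleDB", "8.0.0", "8.0.23", "critical"),
    Advisory("ADV-2021-0003", "LoanPortal", "2.0.0", None, "medium"),
    Advisory("ADV-2021-0004", "OfficeSuite", "15.0", "16.0", "low"),
]

if __name__ == "__main__":
    for row in report(INVENTORY, ADVISORIES):
        print(row)
```

Two details matter in practice: the comparison is done on parsed version tuples rather than strings (so ‘‘8.0.22’’ is not ‘‘less than’’ ‘‘5.7.34’’), and an advisory with no published fix still produces a finding, which is the case the Qualified Individual needs to see most.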
The exact nature of the evaluation required will depend on the size of the financial institution and the amount and sensitivity of customer information associated with the software. If the software will be used to handle large amounts of extremely sensitive information, then a more thorough evaluation will be warranted. Likewise, the nature of the software used will also affect the evaluation. Software that has been thoroughly tested by third parties may need little more than a review of the test results, while software that has not been widely used and tested will require closer examination. The Commission adopts proposed paragraph (c)(5) as paragraph (c)(4) of the Final Rule.

176 American Council on Education (comment 24, NPRM), at 11.
177 National Automobile Dealers Association (comment 46, NPRM), at 26–27.

Multi-Factor Authentication

Proposed paragraph (c)(6) required financial institutions to ‘‘implement multi-factor authentication for any individual accessing customer information’’ or ‘‘internal networks that contain customer information.’’ 178 The Proposed Rule would have allowed financial institutions to adopt a method other than multi-factor authentication that offers reasonably equivalent or more secure access controls with the written permission of its Qualified Individual. In the Final Rule, the Commission retains the general requirements of proposed paragraph (c)(6) as paragraph (c)(5), with some modifications described below.

Although several commenters expressed support for including a multi-factor authentication requirement in the Final Rule,179 others opposed such a requirement. For example, ACE argued a blanket requirement mandating multi-factor authentication for all institutions of all sizes and complexities is not the best solution.180 The National Independent Automobile Dealers Association (NIADA) commented the costs of multi-factor authentication would be too high for some financial institutions because it would need to be built into their information systems from scratch.181 NIADA also argued adopting multi-factor authentication would disrupt a financial institution’s activities as employees had to ‘‘jump through multiple hoops to log in.’’ 182 Cisco Systems, Inc. argued that while multi-factor authentication is an effective safeguard, it should not be specifically required by the Rule because, while it is currently good security practice, in the future multi-factor authentication may become outdated, and that allowing financial institutions to satisfy the Rule in this way could result in inadequate protection.183

Other commenters did not dispute the benefits of multi-factor authentication generally, but argued the Rule should limit the multi-factor authentication requirement. Some of these commenters stated the Rule should only require multi-factor authentication when the financial institution’s risk assessment justifies it.184 Others argued there should be a distinction between internal access and external access. For example, some commenters argued the Rule should not require multi-factor authentication when a user accesses customer information from an internal network,185 because there are other controls on internal access that make multi-factor authentication unnecessary.186 Another commenter stated requiring multi-factor authentication when a customer accesses their information from an external network could create problems for some institutions.187 In addition, the Princeton Center argued the Rule should be amended to clarify that multi-factor authentication should be required for internal and external networks.188 Finally, CTIA took issue with the proposed requirement that the Qualified Individual be permitted to approve ‘‘reasonably equivalent or more secure’’ controls if multi-factor authentication is not feasible, suggesting instead that Qualified Individuals be permitted to approve ‘‘effective alternative compensating controls.’’ 189

The Commission disagrees with the commenters who stated the Rule should not include a multi-factor authentication requirement. As to costs, many affordable multi-factor authentication solutions are available in the marketplace.190 Most financial institutions will be able to find a solution that is both affordable and workable for their organization. In the cases when that is not possible, the Rule allows financial institutions to adopt reasonably equivalent controls.191 As to the potential disruptions that requiring multi-factor authentication may cause, the Commission notes that many organizations, both financial institutions and otherwise, currently require employees to use multi-factor authentication without major disruption.192 Many multi-factor authentication systems are available that do not materially increase the time it takes to log into a system as compared to the use of only a password.193 In short, multi-factor authentication is an extremely effective way to prevent unauthorized access to a financial institution’s information system,194 and its benefits generally outweigh any increased time it takes to log into a system. In those situations when the need for quick access outweighs the security benefits of multi-factor authentication, the Rule allows the use of reasonably equivalent controls. Finally, although the Commission agrees the Rule should not lock financial institutions into using outmoded or obsolete technologies, the basic structure of using multiple factors to identify a user is unlikely to be rendered obsolete in the near future. The Rule’s definition of multi-factor authentication addresses only this principle and does not require any particular technology or technique to achieve it. This should allow it to accommodate most changes in information security practices. In the event of an unforeseen change to the information security environment that would discount the value of multi-factor authentication, the Commission will adjust the Rule accordingly.195

The Commission agrees with the commenter who stated multi-factor authentication is justified both when external users, such as customers, and internal users, such as employees, access an information system. Multi-factor authentication can prevent many attacks focused on using stolen passwords from both employees and customers to access customer information. Other common attacks on information systems, such as social engineering or brute force password attacks, target employee credentials and use those credentials to get access to an information system.196 These attacks can usually be stopped through the use of multi-factor authentication. Accordingly, the Final Rule requires multi-factor authentication whenever any individual—employee, customer or otherwise—accesses an information system. If a financial institution determines it is not the best solution for its information system, it may adopt reasonably equivalent controls with the approval of the Qualified Individual.

The Commission recognizes the language of the Proposed Rule may have created some confusion by its use of the term ‘‘internal networks’’ to define the systems affected by the multi-factor authentication requirement, instead of the term ‘‘information systems’’ as used in other places in the Rule.197 In addition, the Commission agrees with commenters that argued separating the multi-factor authentication requirement into two sentences created confusion.198 Accordingly, the Commission modifies paragraph (c)(5) of the Final Rule, which was proposed as paragraph (c)(6), to require financial institutions to ‘‘[i]mplement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.’’ Finally, the Commission declines to adopt CTIA’s proposed alternative that would allow Qualified Individuals to approve ‘‘effective alternative compensating controls,’’ even if they are not ‘‘reasonably equivalent or more secure’’ than multi-factor authentication.

178 Proposed 16 CFR 314.4(c)(6).
179 Justine Bykowski (comment 12, NPRM); Princeton University Center for Information Technology Policy (comment 54, NPRM), at 6–7; Electronic Privacy Information Center (comment 55, NPRM), at 8; National Consumer Law Center and others (comment 58, NPRM), at 2; see also Remarks of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 240–41 (discussing the security poverty line).
180 American Council on Education (comment 24, NPRM), at 11–12.
181 National Independent Automobile Dealers Association (comment 48, NPRM), at 6; see also Ken Shaurette (comment 19, NPRM) (questioning whether multi-factor authentication is appropriate for all financial institutions).
182 National Independent Automobile Dealers Association (comment 48, NPRM), at 6.
183 Cisco Systems, Inc. (comment 51, NPRM), at 2–4.
184 Bank Policy Institute (comment 39, NPRM), at 11–13; Global Privacy Alliance (comment 38, NPRM), at 8.
185 Electronic Transactions Association (comment 27, NPRM), at 3 n.1; U.S. Chamber of Commerce (comment 33, NPRM), at 11; CTIA (comment 34, NPRM), at 11; Global Privacy Alliance (comment 38, NPRM), at 8; Bank Policy Institute (comment 39, NPRM), at 12; National Automobile Dealers Association (comment 46, NPRM), at 28; National Independent Automobile Dealers Association (comment 48, NPRM), at 6; New York Insurance Association (comment 31, NPRM), at 1.
186 CTIA (comment 34, NPRM), at 11; Electronic Transactions Association (comment 27, NPRM), at 3 n.1; U.S. Chamber of Commerce (comment 33, NPRM), at 11.
187 American Council on Education (comment 24, NPRM), at 11.
188 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 6–7; see also Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 102 (stating his company TECH LOCK supports requiring multi-factor authentication for users connecting from internal networks).
189 CTIA (comment 34, NPRM), at 11–12; see also Electronic Transactions Association (comment 27, NPRM), at 3 (suggesting use of the term ‘‘alternative compensating controls’’).
190 See, e.g., Slides Accompanying Remarks of Brian McManamon, ‘‘MFA/2FA Pricing (Duo),’’ in Safeguards Workshop Slides, supra note 72, at 30 (setting forth prices for multi-factor/two-factor services from Duo, including free services for up to ten users); Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 102–03; Slides Accompanying Remarks of Lee Waters, ‘‘Estimated Costs of Proposed Changes,’’ in Safeguards Workshop Slides, supra note 72, at 26 (estimating costs of MFA to be $50 for smartcard or fingerprint readers, and $10 each per smartcard); Slides Accompanying Remarks of Wendy Nather, ‘‘Authentication Methods by Industry,’’ in Safeguards Workshop Slides, supra note 72, at 37 (chart showing the use of MFA solutions such as Duo Push, phone call, mobile passcode, SMS passcode, hardware token, Yubikey passcode, and U2F token in industries such as financial services and higher education); Remarks of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 233–34.
191 See also Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 103–04 (noting even where legacy systems do not support multi-factor authentication, alternative measures can be used and ‘‘it’s things that can easily be done.’’).
192 See, e.g., Remarks of Randy Marchany, Safeguards Workshop Tr., supra note 17, at 236–38 (describing how Virginia Tech implemented multi-factor authentication in 2016 for its more than 156,000 users); Slides Accompanying Remarks of Wendy Nather, ‘‘Authentication Methods by Industry,’’ in Safeguards Workshop Slides, supra note 72, at 37 (demonstrating the types of multi-factor authentication used by health care, financial services, higher education and the Federal Government); Remarks of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 233–35.
193 See Remarks of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 234 (describing how a phone call to a landline is popular in some segments).
194 See, e.g., Remarks of Matthew Green, Safeguards Workshop Tr., supra note 17, at 266 (explaining passwords are not enough of an authentication feature but when MFA is used and deployed, the defenders can win against attackers); id. at 239 (describing how because smart phones have modern secure hardware processors, biometric sensors and readers built in, increasingly consumers can get the security they need through the devices they already have by storing cryptographic authentication keys on the devices and then using the phone to activate them).
195 The Mortgage Bankers Association expressed concern the Proposed Rule would not allow the use of a single sign-on process, where a user is given access to multiple applications with the use of one set of credentials. Mortgage Bankers Association (comment 26, NPRM), at 7. The Commission does not view the Rule as preventing such a system, if the user has used multi-factor authentication to access the system and the system is designed to ensure any user of a given application has been subjected to multi-factor authentication.
196 See Remarks of Pablo Molina, Safeguards Workshop Tr., supra note 17, at 30 (mentioning ‘‘phishing,’’ or social engineering, as a common type of cybersecurity attack); Remarks of Lee Waters, Safeguards Workshop, supra note 17, at 91 (same); Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at 179 (same); see also Cyber Div., Fed. Bureau of Investigation, Private Industry Notification No. 20200303–001, Cyber Criminals Conduct Business Email Compromise through Exploitation of Cloud-Based Email Services, Costing U.S. Businesses Over Two Billion Dollars (March 2020), https://www.ic3.gov/media/news/2020/200707-4.pdf, at 1–2 (last accessed 1 Dec. 2020) (‘‘Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from [Business Email Compromise (‘‘BEC’’)] scams targeting the largest [cloud-based email] platforms. Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013 and have been reported in all 50 states and in 177 countries.’’).
197 Consumer Data Industry Association (comment 36, NPRM), at 6–7; Cisco Systems, Inc. (comment 51, NPRM), at 3–4.
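Footnote 195 states the condition under which single sign-on satisfies the multi-factor requirement: the user authenticated with multiple factors, and each application is designed to confirm that before admitting the session. The following is an added example of that application-side check, written for this page; it is not the Rule’s text and not FTC-supplied code. The session token format (base64url JSON claims plus an HMAC-SHA256 tag), the demo key and the user names are constructed for illustration; a real deployment would verify the identity provider’s signed assertion (for example an OpenID Connect ID token) with the provider’s public key. The ‘‘amr’’ (authentication methods reference) values used follow RFC 8176, and the factor classes assigned to them are an assumption of the example.

```python
"""Admit an SSO session to an application only if it proves multi-factor authentication.

Added example; not the Rule's text and not FTC-supplied code. Token format,
DEMO_KEY and the factor-class table are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List

# Factor class for each RFC 8176 method name (assumption of this example).
# Two methods from the same class (password + PIN) do not make a second factor.
FACTOR_CLASS = {
    "pwd": "knowledge", "pin": "knowledge",
    "otp": "possession", "hwk": "possession", "sms": "possession",
    "fpt": "inherence", "face": "inherence",
}


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_session(key: bytes, subject: str, amr: List[str], now: int,
                  ttl: int = 8 * 3600) -> str:
    """Identity-provider side: record in the session how the user actually authenticated."""
    claims = {"sub": subject, "amr": amr, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + tag).decode()


def is_multi_factor(amr: List[str]) -> bool:
    """True for an explicit 'mfa' assertion or for methods from two distinct factor classes."""
    classes = {FACTOR_CLASS[m] for m in amr if m in FACTOR_CLASS}
    return "mfa" in amr or len(classes) >= 2


class SessionRejected(Exception):
    pass


def require_mfa_session(token: str, key: bytes, now: int) -> Dict:
    """Application side: accept only an authentic, unexpired, MFA-backed session."""
    body, _, tag = token.encode().partition(b".")
    expected = _b64(hmac.new(key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise SessionRejected("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise SessionRejected("expired")
    amr = claims.get("amr", [])
    if not is_multi_factor(amr):
        raise SessionRejected("session not multi-factor: " + ",".join(amr))
    return claims


def admission_decision(token: str, key: bytes, now: int) -> str:
    """'admit' or 'reject: <reason>'; what an application gateway would log."""
    try:
        require_mfa_session(token, key, now)
        return "admit"
    except SessionRejected as exc:
        return "reject: " + str(exc)


DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # constructed, shared IdP/app secret

if __name__ == "__main__":
    now = 1_700_000_000
    strong = issue_session(DEMO_KEY, "alice", ["pwd", "otp"], now)
    weak = issue_session(DEMO_KEY, "bob", ["pwd"], now)
    print(admission_decision(strong, DEMO_KEY, now + 60))   # admit
    print(admission_decision(weak, DEMO_KEY, now + 60))     # reject: session not multi-factor: pwd
```

The point of the check is that the password-only session is refused even though it is genuine and unexpired: the application does not trust that ‘‘someone logged in through SSO’’ implies multiple factors, it reads the factors the identity provider recorded and decides for itself.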
Given the important role multi-factor authentication has in access control, any alternative measure should provide at least as much protection as multi-factor authentication.199

198 Bank Policy Institute (comment 39, NPRM), at 11.
199 NADA argued, for financial institutions that have appointed a third party to act as their information security coordinator, this provision would require the institution to turn over decision-making to someone ‘‘with no stake in the business outcome.’’ National Automobile Dealers Association (comment 46, NPRM), at 29–30. This concern misinterprets the role of the Qualified Individual. Whether the Qualified Individual is inside the company or at a third-party company, that individual will report to and be supervised by senior management of a financial institution (unless the Qualified Individual is the head of the financial institution). If a Qualified Individual recommends a safeguard that would not be practical for the business, the financial institution is not required to adopt this safeguard but can use an alternative adequate safeguard that will be functional. Indeed, when it comes to third parties, the Rule specifically requires someone in the financial institution direct and oversee the third party.

Audit Trails

Proposed paragraph (c)(7) required information security programs to include audit trails designed to detect and respond to security events.200 Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period.201 Some commenters supported this requirement.202 The Princeton Center noted audit trails are ‘‘crucial to designing effective security measures that allow institutions to detect and respond to security incidents.’’ 203 It also stated audit trails ‘‘help understand who has accessed the system and what activities the user has engaged in.’’ 204 Other commenters argued this requirement imposed unclear obligations or would not improve security.205 For example, GPA commented the Proposed Rule conflated the use of logs to reconstruct past events and the active use of logs to monitor user activity.206 The American Financial Services Association argued adding logging capabilities to some legacy systems would be expensive and difficult.207 Another commenter argued the increased use of cloud storage would mean that financial institutions might not have access to any audit trails.208 In addition, NADA argued it did not believe maintenance of logs would increase security but would instead create records that could be sought by parties ‘‘seeking to place blame’’ for breaches.209 The Commission believes logging user activity is a crucial component of information security because in the event of a security event it allows financial institutions to understand what was accessed and when. However, the term ‘‘audit trails’’ may have been unclear in this context.

200 Proposed 16 CFR 314.4(c)(7).
201 See Information Technology Laboratory Computer Security Resource Center, Glossary, National Institute of Standards and Technology, https://csrc.nist.gov/glossary/term/audit-trail (last accessed Dec. 2, 2020).
202 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8; Electronic Privacy Information Center (comment 55, NPRM), at 8.
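The two uses of logs that GPA’s comment distinguishes, reconstructing past events and actively monitoring user activity, are served by the same access log once it records who, what, when and from where. The following is an added example over such a log, written for this page; it is not part of the Final Rule and not FTC-supplied code. The one-line-per-access log format, the SAMPLE_LOG lines, the user and record names, the bulk-access threshold (five distinct customer records within five minutes) and the business-hours window (08:00 to 19:00 UTC) are all constructed assumptions that an institution would replace with its own.

```python
"""Reconstruct past activity and monitor live activity from one customer-access log.

Added example; not part of the Final Rule and not FTC-supplied code. The log
format, SAMPLE_LOG, the thresholds and the business-hours window are constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed format: "<UTC timestamp> user=<id> src=<ip> action=<verb> [record=<customer record>]"
LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+)(?: record=(\S+))?$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    record: Optional[str]   # customer record touched, if any


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events, oldest first; a malformed line is an error, not silently skipped."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError("unparseable log line: " + raw)
        ts_s, user, src, action, record = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, user, src, action, record))
    events.sort(key=lambda e: e.ts)
    return events


def reconstruct(events: List[Event], user: str) -> List[Tuple[str, str, str, str]]:
    """Audit-trail use: everything this user did to customer records, in order (when, what, which, from where)."""
    return [(e.ts.isoformat(), e.action, e.record, e.src)
            for e in events if e.user == user and e.record]


def who_touched(events: List[Event], record: str) -> List[str]:
    """Audit-trail use: which users accessed a given customer record."""
    return sorted({e.user for e in events if e.record == record})


def monitor(events: List[Event], bulk_threshold: int = 5,
            window: timedelta = timedelta(minutes=5),
            business_hours: Tuple[int, int] = (8, 19)) -> List[Tuple[str, str, str, str]]:
    """Monitoring use: alert on many distinct records in a short window and on after-hours record access."""
    alerts = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    bulk_flagged = set()   # one bulk alert per user per run, to avoid a flood
    for e in events:
        if e.record is None:
            continue
        if not (business_hours[0] <= e.ts.hour < business_hours[1]):   # hours are UTC here
            alerts.append(("after_hours", e.user, e.ts.isoformat(), e.record))
        q = recent[e.user]
        q.append((e.ts, e.record))
        while q and e.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= bulk_threshold and e.user not in bulk_flagged:
            bulk_flagged.add(e.user)
            alerts.append(("bulk_access", e.user, e.ts.isoformat(),
                           "%d distinct records within %ds" % (len(distinct), int(window.total_seconds()))))
    return alerts


# Constructed sample log: alice does routine work, bob pulls many records quickly,
# carol reads a record late at night from an outside address.
SAMPLE_LOG = """
2021-12-01T09:15:02Z user=alice src=10.1.4.22 action=login
2021-12-01T09:15:40Z user=alice src=10.1.4.22 action=view record=cust-1042
2021-12-01T09:16:05Z user=alice src=10.1.4.22 action=update record=cust-1042
2021-12-01T09:40:11Z user=bob src=10.1.7.9 action=login
2021-12-01T09:40:30Z user=bob src=10.1.7.9 action=view record=cust-2001
2021-12-01T09:40:41Z user=bob src=10.1.7.9 action=view record=cust-2002
2021-12-01T09:40:52Z user=bob src=10.1.7.9 action=view record=cust-2003
2021-12-01T09:41:03Z user=bob src=10.1.7.9 action=view record=cust-2004
2021-12-01T09:41:15Z user=bob src=10.1.7.9 action=export record=cust-2005
2021-12-01T23:05:48Z user=carol src=203.0.113.7 action=login
2021-12-01T23:06:10Z user=carol src=203.0.113.7 action=view record=cust-3310
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in monitor(evs):
        print("ALERT", alert)
    for step in reconstruct(evs, "bob"):
        print("TRAIL", step)
```

The same events answer both questions the comments raised: ‘‘which records did bob touch, and when’’ is answered after the fact by reconstruct(), while monitor() raises the bulk-access and after-hours alerts as the events arrive. Note that nothing here depends on where the log is produced; a cloud provider’s access log in this shape feeds the same functions.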
In order to clarify that logging user activity is a part of the user monitoring process, the Final Rule does not include paragraph (c)(7) of the Proposed Rule and instead modifies the user monitoring provision to include a requirement to log user activity.210 By putting the ‘‘monitoring’’ and ‘‘logging’’ requirements together, the Final Rule provides greater clarity on the comment raised by the GPA: Financial institutions are expected to use logging to ‘‘monitor’’ active users and reconstruct past events.

203 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8.
204 Id.
205 National Automobile Dealers Association (comment 46, NPRM), at 30–31; National Independent Automobile Dealers Association (comment 48, NPRM), at 6; American Financial Services Association (comment 41, NPRM), at 6; Global Privacy Alliance (comment 38, NPRM), at 11.
206 Global Privacy Alliance (comment 38, NPRM), at 11.
207 American Financial Services Association (comment 41, NPRM), at 6.
208 American Council on Education (comment 24, NPRM), at 12.
209 National Automobile Dealers Association (comment 46, NPRM), at 30–31.
210 See Final Rule, 16 CFR 314.4(c)(8).

Disposal Procedures

Proposed paragraph (c)(8) required financial institutions to develop procedures for the secure disposal of customer information that is no longer necessary for their business operations or other legitimate business purposes.211 The Proposed Rule allowed the retention of information when retaining the information is required by law or where targeted disposal is not feasible. Some commenters supported the inclusion of a disposal requirement as proposed or suggested that the disposal requirements should be strengthened.212 Consumer Reports argued financial institutions should be required to dispose of customer information when it is no longer needed for the business purpose for which it was gathered.213 The Princeton Center suggested the Rule require disposal after a set period unless the company can demonstrate a current need for the data and that financial institutions periodically review their data practices to minimize their data retention.214

Several other commenters opposed the disposal requirement as set forth in the Proposed Rule. Some argued the requirement to dispose of information goes beyond the Commission’s authority under the GLB Act.215 NADA argued the GLB Act does not ‘‘contain[ ] any authority to require financial institutions to delete any information’’ and a requirement to have procedures to delete information for which a company has no legitimate business purpose would constitute a ‘‘new privacy regime.’’ 216 The American Financial Services Association (AFSA) stated the requirement was too prescriptive and the Rule should allow financial institutions to retain information as long as that retention complies with the retention policy created by the financial institution.217 AFSA further argued the proposed requirement exceeds the Federal banking standards, pointing to the FFIEC Cybersecurity Assessment Tool, which sets disposal of records ‘‘according to documented requirements and within expected time frames’’ as a baseline requirement for access and data management.218 Yet other commenters suggested modifying the requirement. NADA argued that if there was to be a disposal requirement, then it should be modeled after the Disposal Rule, which requires businesses to properly dispose of consumer reports, but does not have an explicit requirement to dispose of information on any particular schedule.219 ACE suggested modifying the Proposed Rule to require disposal of information only where there is no longer any ‘‘legitimate purpose’’ rather than any ‘‘legitimate business purpose.’’ 220 It argued in some cases a financial institution may have legitimate purposes for retaining information that are not readily defined as ‘‘business’’ purposes, such as the retention of data by educational institutions for institutional research or student analytics.221

The Commission believes requiring the disposal of customer information for which the financial institution has no legitimate business purpose is within the authority granted by the GLB Act to protect the security of customer information. The disposal of records, both physical and digital, can result in exposure of customer information if not performed properly.222 Similarly, if records are retained when they are no longer necessary, there is a risk those records will be subject to unauthorized access. The risk of unauthorized access may be reasonable where the retention of data provides some benefit. In situations where the information is no longer needed for a legitimate business purpose, though, the risk to the customer information becomes unreasonable because the retention is no longer benefiting the customer or financial institution. Disposing of unneeded customer information, therefore, is a vital part of protecting customer information and serves the purpose of the GLB Act.223

The Commission disagrees with commenters who suggested narrowing the disposal requirement or doing away with it altogether. As noted above, although no disposal requirement appears in FFIEC guidelines, those guidelines represent a different regulatory approach and are not an appropriate model for the Safeguards Rule. Finally, as to setting retention periods or narrowing the legitimate business purposes for which financial institutions may retain customer information, the Commission recognizes financial institutions need some flexibility. Whereas customers may want to, for example, access and transfer older data in some circumstances, in other circumstances, retaining such data would not be consistent with any legitimate business purpose. The Commission believes the Princeton Center’s recommendation that companies be required to delete information after a set period unless the information is still needed for a legitimate business purpose properly balances the needs of financial institutions with the need to protect customer information. Thus, the Commission modifies proposed paragraph (c)(8), adopted as paragraph (c)(6)(i) of the Final Rule, to require the deletion of customer information two years after the last time the information is used in connection with providing a product or service to the customer, unless the information is required for a legitimate business purpose. In addition, paragraph (c)(6)(ii) of the Final Rule requires financial institutions to periodically review their policies to minimize the unnecessary retention of information.

211 Proposed 16 CFR 314.4(c)(8).
212 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8; Electronic Privacy Information Center (comment 55, NPRM), at 8; Consumer Reports (comment 52, NPRM), at 7.
213 Consumer Reports (comment 52, NPRM), at 7–8.
214 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8–9.
215 National Automobile Dealers Association (comment 46, NPRM), at 31; National Independent Automobile Dealers Association (comment 48, NPRM), at 6.
216 National Automobile Dealers Association (comment 46, NPRM), at 31–32.
217 American Financial Services Association (comment 41, NPRM), at 6.
218 Cybersecurity Assessment Tool, FFIEC, https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Cybersecurity_Maturity_June2.pdf, at 37 (last visited December 3, 2020).
219 National Automobile Dealers Association (comment 46, NPRM), at 32.
220 American Council on Education (comment 24, NPRM), at 12.
221 Id.
222 See, e.g., Complaint, Rite Aid Corp., FTC No. 072–3121 (November 22, 2010) (alleging company failed to provide reasonable data security when it failed to implement policies and procedures to dispose securely of personal information).
223 As to the Princeton Center’s suggestion financial institutions periodically review their disposal practices (Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8–9), the Commission believes this requirement is already encompassed in the requirement contained in § 314.4(g) to periodically review their safeguards overall.

Change Management

Proposed paragraph (c)(9) required financial institutions to adopt procedures for change management.224 Change management procedures govern the addition, removal, or modification of elements of an information system.225 This paragraph required financial institutions to develop procedures to assess the security of devices, networks, and other items to be added to their information system, or the effect of removing such items or otherwise modifying the information system. For example, a financial institution that adds additional servers or other

224 Proposed 16 CFR 314.4(c)(9).
225 See, e.g., Change Management, Rutgers OIT Information Security Office, https://rusecure.rutgers.edu/content/change-management (last accessed 1 Dec. 2020).
VerDate Sep<11>2014 18:18 Dec 08, 2021 Jkt 256001 machines to its information system would need to evaluate the security of the new devices and the effect of adding them to the existing network. Some commenters supported this requirement,226 while others stated it was too broad and would impose unnecessary burdens on financial institutions.227 In particular, NADA argued financial institutions that have not made changes in their systems ‘‘for some time’’ should not be required to create procedures for change management.228 ACE argued including a change management requirement is unnecessary because such a requirement is ‘‘generally incorporated into an organization’s IT operations’’ for nonsecurity purposes and the security considerations of those changes will be considered as part of those procedures.229 Alterations to an information system or network introduce heightened risk of cybersecurity incidents; 230 thus, it is important to expressly require change management to be a part of an information security program. The Commission agrees with ACE that many financial institutions will already have change management procedures in place. If those procedures adequately consider security issues involved in the change, then they may satisfy this requirement. As to the comment a financial institution that has not made changes to its environment in some time should not be required to have change management processes, the Commission disagrees. Few information systems can remain unchanged for a significant period of time, given the changing technical requirements for business and security. Indeed, NADA acknowledges financial institutions will need to ‘‘adapt[] their programs to keep up with changes in data security.’’ 231 For this 226 Electronic Privacy Information Center (comment 55, NPRM), at 8; National Consumer Law Center and others, (comment 58, NPRM) at 3. 
227 American Council on Education (comment 24, NPRM), at 12–13; National Automobile Dealers Association (comment 46, NPRM), at 33. 228 National Automobile Dealers Association (comment 46, NPRM), at 32–33. 229 American Council on Education (comment 24, NPRM), at 12. 230 See Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 95 (‘‘[E]very time there is a change to any of these [network] environments, that is creating additional risk.’’); Remarks of Scott Wallace, Safeguards Workshop Tr., supra note 17, at 147–48 (giving an example of an incident in which network changes led to the exposure of sensitive information); Remarks of Matthew Green, Safeguards Workshop Tr., supra note 17, at 252 (noting it is ‘‘a little dangerous’’ to make ‘‘major changes’’ to an information system at a time of heightened stress). 231 National Automobile Dealers Association (comment 46, NPRM), at 33 n.96. PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 reason, all financial institutions must have procedures for when the changes occur. As with all of the requirements of the Rule, though, the exact nature of these procedures will vary depending on the size, complexity and nature of the information system. A simple system may have equally simple change management procedures. The Commission adopts this proposed paragraph as paragraph (c)(7) of the Final Rule without change. System Monitoring Proposed paragraph (c)(10) required financial institutions to implement policies and procedures designed ‘‘to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.’’ 232 The Proposed Rule required financial institutions to take steps to monitor those users and their activities related to customer information in a manner adapted to the financial institution’s particular operations and needs. 
NADA stated this requirement would create unnecessary expense because it would require financial institutions to “continually monitor all authorized use” and would mean “yet more new employees or third-party IT consultants.”233 The Commission disagrees, however, noting that monitoring of system use can be automated.234 The Rule does not require that a separate staff member be dedicated exclusively to monitoring system use. In addition, one commenter stated monitoring the use of paper files is impossible and should be excluded from this provision.235 The Commission acknowledges monitoring of paper records is qualitatively different than the monitoring of electronic records. This requirement goes hand in hand with limiting access to documents, whether electronic or paper. For example, if an institution has a file room and access to the room is limited to particular employees (e.g., the payroll office), the institution should have measures in place to ensure those access controls are in fact being utilized (e.g., sign-in with the front desk, logging of key card access, security cameras). As discussed above, this paragraph is amended to also require the logging of user activity, but is otherwise adopted as proposed as paragraph (c)(8).

232 Proposed 16 CFR 314.4(c)(10).
233 National Automobile Dealers Association (comment 46, NPRM), at 33.
234 See Remarks of Nicholas Weaver, Safeguards Workshop Tr., supra note 17, at 124–25.
235 American Financial Services Association (comment 41, NPRM), at 6.
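As an added illustration of the automated monitoring the Commission refers to (example code written for this page, not part of the Final Rule or of any FTC material), the following Python script logs what authorized users do with customer records and flags the two conditions paragraph (c)(8) is aimed at: an authorized user taking an action the user's role does not permit (unauthorized use of, or tampering with, a record) and one user touching an unusually large number of distinct records within an hour. The log format, role names and thresholds are assumptions made for the example.

```python
"""Automated monitoring of authorized users' activity on customer information.

Illustrative code written for this page; it is not part of the Final Rule or
any FTC-provided tool. It models paragraph (c)(8): keep a log of what
authorized users do with customer records and detect unauthorized use of, or
tampering with, those records by such users. Log format, role names and
thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed role policy: the actions each role is authorized to take on a record.
PERMITTED_ACTIONS = {
    "teller": {"read", "update"},
    "csr": {"read", "update"},
    "auditor": {"read"},
}
# Assumed baselines: distinct customer records one user may touch within a
# rolling hour before the activity is treated as bulk access needing review.
BULK_THRESHOLD = {"teller": 30, "csr": 25, "auditor": 200}
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse 'timestamp user role action customer_id' lines, oldest first."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, role, action, cid = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "cid": cid})
    return sorted(entries, key=lambda e: e["ts"])


def detect(entries):
    """Return findings for actions outside a role and for bulk record access."""
    findings = []
    recent = defaultdict(deque)  # user -> (timestamp, record) pairs in window
    bulk_reported = set()        # report bulk access once per user
    for e in entries:
        # Rule 1: an authorized user taking an action the role does not permit
        # (e.g. a read-only auditor updating a record) is use or tampering
        # the institution did not authorize.
        if e["action"] not in PERMITTED_ACTIONS.get(e["role"], set()):
            findings.append({"type": "unpermitted_action", "user": e["user"],
                             "role": e["role"], "action": e["action"],
                             "cid": e["cid"], "ts": e["ts"].isoformat()})
        # Rule 2: sliding one-hour window of distinct records per user.
        window = recent[e["user"]]
        window.append((e["ts"], e["cid"]))
        while e["ts"] - window[0][0] > WINDOW:
            window.popleft()
        distinct = len({cid for _, cid in window})
        if (distinct > BULK_THRESHOLD.get(e["role"], 0)
                and e["user"] not in bulk_reported):
            bulk_reported.add(e["user"])
            findings.append({"type": "bulk_access", "user": e["user"],
                             "role": e["role"], "distinct_records": distinct,
                             "ts": e["ts"].isoformat()})
    return findings


def monitor(log_text):
    """Run both detections over raw activity-log text."""
    return detect(parse_log(log_text))


def build_sample_log():
    """Constructed activity log (not real data): ordinary work by alice, a
    read-only auditor modifying a record, and a CSR paging through many
    records before exporting one."""
    lines = [
        "2021-12-09T09:01:10 alice teller read C1001",
        "2021-12-09T09:02:40 alice teller update C1001",
        "2021-12-09T09:03:05 bob auditor read C2001",
        "2021-12-09T09:03:30 bob auditor update C2001",
    ]
    start = datetime(2021, 12, 9, 9, 10, 0)
    for i in range(26):
        ts = (start + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} carol csr read C{3001 + i}")
    lines.append("2021-12-09T09:15:00 carol csr export C3001")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in monitor(build_sample_log()):
        print(finding)
```

Each finding carries the user, role and timestamp so it can be reviewed against the access controls the institution has set for that role.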
Proposed Paragraph (d)

Proposed paragraph (d)(1) retained the current Rule’s requirement that financial institutions “[r]egularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.” Proposed paragraph (d)(2) provided further detail to this requirement by stating the monitoring must take the form of either “continuous monitoring” or “periodic penetration testing and vulnerability assessments.” The proposal explained continuous monitoring is any system that allows real-time, ongoing monitoring of an information system’s security, including monitoring for security threats, misconfigured systems, and other vulnerabilities.236 For those who elected to engage in periodic penetration testing and vulnerability assessment, the proposal required penetration testing at least once annually (or more frequently if called for in the financial institution’s risk assessment) and vulnerability assessments at least twice a year.237 Some commenters thought the proposal went too far in requiring continuous monitoring or penetration and vulnerability testing, while others thought the proposal did not go far enough.
On one hand, ACE argued continuous monitoring is too burdensome and difficult for some financial institutions,238 particularly those with “highly decentralized systems,” such as colleges and universities, which could be required to monitor their entire system.239 ACE further suggested the Rule should not prescribe any particular testing methodology or schedule and should allow financial institutions to develop a testing approach appropriate for the financial institution.240 The NPA commented penetration and vulnerability testing would be too expensive for small pawnbrokers with small staffs and a small customer base, where their members would be “likely to notice a penetration of our records.”241 One commenter stated the requirements for monitoring and testing were “overlapping and confusing” and suggested the Commission avoid confusion by including continuous monitoring, penetration testing, vulnerability scanning, periodic risk assessment reviews, and logging as optional components of an information security program to be included on an as-needed basis.242 Some commenters recommended the testing requirement be limited to electronic data and exclude monitoring of physical data.243 The American Financial Services Association argued the testing of physical safeguards required by paragraph (d)(1) “would be impossible.”244 Finally, CTIA argued, for entities that choose the approach of penetration and vulnerability testing, these tests should be required less regularly.245

On the other hand, the Princeton Center suggested, rather than requiring either continuous monitoring or penetration testing, the Rule should require both. It noted continuous monitoring is very effective at detecting problems with, and threats to, “off-the-shelf systems” but penetration testing is better “for checking the interaction between systems, proprietary systems, or subtle security issues.”246 Similarly, the MSRT was concerned that the Proposed Rule suggested annual penetration testing alone could protect financial institutions, rather than serve as a supplement to proper monitoring.247

The Commission agrees with commenters who pointed out the difficulty of applying certain testing requirements to physical safeguards. Although the general testing requirement set forth in paragraph (d)(1) should apply to physical safeguards (e.g., testing effectiveness of physical locks), the continuous monitoring, vulnerability assessment, and penetration testing in paragraph (d)(2) are not relevant to information in physical form. Accordingly, the final version of paragraph (d)(2) is limited to safeguards on information systems. The Commission also agrees biannual vulnerability testing may not be sufficient to detect new threats. Thus, given the relative ease with which vulnerability assessments can be performed, it modifies the Final Rule to require financial institutions to perform assessments when there is an elevated risk of new vulnerabilities having been introduced into their information systems, in addition to the required biannual assessments. Beyond these modifications, the Commission believes the proposal struck the right balance between flexibility and protection of customer information, and adopts the proposed provision as final. For commenters concerned about costs of testing and continuous monitoring, the Commission notes the Rule requires one, not both. Although many financial institutions may choose to use both, the Commission agrees the costs of requiring both for all financial institutions may not be justified.248

As to arguments that the testing required by the Rule is too frequent and will therefore be too costly, the Commission does not agree vulnerability assessments will be costly. Indeed, there are resources for free and automated vulnerability assessments.249 And although the Commission acknowledges penetration testing can be a somewhat lengthy and costly process for large or complex systems,250 a longer period between penetration tests will leave information systems vulnerable to attacks that exploit weaknesses normally revealed by penetration testing. Two other portions of the Final Rule should help financial institutions concerned about the costs of monitoring and testing. First, because the Commission is limiting the definition of “information system” in the Final Rule, financial institutions will be able to limit this provision’s application by segmenting their network and conducting monitoring or testing only of systems that contain customer information or that are connected to such systems. Second, this requirement does not apply to those institutions that maintain records on fewer than 5,000 individuals. Accordingly, for example, it should not apply to businesses small enough for staff to personally know a majority of customers. Finally, the Commission does not believe the testing requirements are duplicative of other provisions of the Final Rule.

236 Financial institutions that choose the option of continuous monitoring would also be satisfying § 314.4(c)(8).
237 Proposed 16 CFR 314.4(d)(1) and (2).
238 American Council on Education (comment 24, NPRM), at 13–14.
239 American Council on Education (comment 24, NPRM), at 13.
240 American Council on Education (comment 24, NPRM), at 14.
241 National Pawnbrokers Association (comment 3, Workshop), at 2.
242 Global Privacy Alliance (comment 38, NPRM), at 10–11.
243 National Independent Automobile Dealers Association (comment 48, NPRM), at 6; American Financial Services Association (comment 41, NPRM), at 6.
244 American Financial Services Association (comment 41, NPRM), at 6.
245 CTIA (comment 34, NPRM), at 12–13 (arguing penetration testing should be required only once every two years and vulnerability testing be required only once a year).
246 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 5.
247 Money Services Round Table (comment 53, NPRM), at 9; see also Gusto and others (comment 11, Workshop), at 2 (arguing penetration testing and vulnerability assessments both have their weaknesses and financial institutions should develop a testing program that is appropriate for them).
248 The Commission believes a system for continuous monitoring will include some form of vulnerability assessment as part of monitoring the information system.
249 Remarks of Frederick Lee, Safeguards Workshop Tr., supra note 17, at 139–40.
250 See id. at 129–30 (noting the cost of a penetration test can increase significantly depending on the complexity of the system to be tested and the scope of the test).
The provision relating to additional risk assessments, § 314.4(b)(2), requires a financial institution to reevaluate its risks and to determine if safeguards should be modified or added—it does not require testing to detect threats and technical vulnerabilities in the existing system. Section 314.4(c)(8)’s requirement that financial institutions monitor users’ activity in an information system is focused on one aspect of information security—detecting and preventing unauthorized access and use of the system. The requirement of this paragraph, on the other hand, is focused on testing the overall effectiveness of a financial institution’s safeguards. It is broader than paragraph (c)(8)’s requirement and is necessary to ensure financial institutions test the strength of their safeguards as a whole. Accordingly, the Final Rule requires financial institutions to perform vulnerability assessments at least once every six months and, additionally, whenever there are material changes to their operations or business arrangements and whenever there are circumstances they know or have reason to know may have a material impact on their information security program.

Proposed Paragraph (e)

Proposed paragraph (e) set forth a requirement that financial institutions implement policies and procedures “to ensure that personnel are able to enact [the financial institution’s] information security program.” This requirement included four components: (1) general employee training; (2) use of qualified information security personnel; (3) specific training for information security personnel; and (4) verification that security personnel are taking steps to maintain current knowledge on security issues.
General Employee Training

Proposed paragraph (e)(1) required financial institutions to provide their personnel with “security awareness training that is updated to reflect risks identified by the risk assessment.”251 While one commenter specifically supported the inclusion of this training requirement,252 the U.S. Chamber of Commerce argued the Rule should not have any specific training requirements at all.253 NADA stated the requirement that the training be “updated to reflect risks identified by the risk assessment” will require companies to develop individualized training programs to suit their financial institution and that such a process would be expensive and unnecessary because “general security awareness” is generally enough for most financial institutions.254

Given the current Rule includes a similar training requirement and training remains a vital part of effective information security, the Commission declines to eliminate it. The Commission believes the Final Rule’s training requirement retains the same flexibility as the existing Rule and allows financial institutions to adopt a training program appropriate to their organization. The Commission disagrees with NADA’s concern the requirement to update training programs would be too expensive. Without a requirement that the training program be updated based on an assessment of risks, employees may be subject to the same training year after year, which might reflect obsolete threats, as opposed to addressing current ones. The Commission interprets this provision to require only that the training program be updated as necessary based on changes in the financial institution’s risk assessment. The provision also gives financial institutions the flexibility to use programs provided by a third party, if that program is appropriate for the financial institution.

251 Proposed 16 CFR 314.4(e)(1).
In order to clarify updates are required only when needed by changes in the financial institution or new security threats, though, the Final Rule states training programs need to be updated only “as necessary.”

Information Security Personnel

Proposed paragraph (e)(2) required financial institutions to “[u]tiliz[e] qualified information security personnel,” employed either by them or by affiliates or service providers, “sufficient to manage [their] information security risks and to perform or oversee the information security program.”255 This proposed provision was designed to ensure information security personnel used by financial institutions are qualified for their positions and information security programs are sufficiently staffed. Some commenters argued this provision was too vague because it does not define what personnel are necessary and what “qualified” means.256 NADA argued hiring additional staff to meet this requirement could be prohibitively expensive.257 As discussed in relation to the appointment of a “Qualified Individual,” the Commission believes a more specific definition of “qualified” would not be appropriate because each financial institution has different needs and different levels of training, experience, and expertise will be appropriate for the information security staff of each institution.

252 Electronic Privacy Information Center (comment 55, NPRM), at 8.
253 U.S. Chamber of Commerce (comment 33, NPRM), at 12; see also American Financial Services Association (comment 41, NPRM), at 6 (stating the Commission should acknowledge that a training program for a small financial institution will be different than a program for a larger program).
254 National Automobile Dealers Association (comment 46, NPRM), at 34.
255 Proposed 16 CFR 314.4(e)(2).
The term “qualified” conveys only that staff must have the abilities and expertise to perform the duties required by the information security program.258 The Commission declines to include a more prescriptive set of qualification requirements in the Final Rule.259

As to the concern about expense, the Commission acknowledges hiring employees or retaining third parties to maintain financial institutions’ information security programs can be a substantial expense. But the expense is necessary to effectuate Congressional intent that financial institutions implement reasonable safeguards to protect customer information. The Rule requires only that a financial institution have personnel “sufficient” to manage its risk and to maintain its information security program. A financial institution is required only to have the staff necessary to maintain its information security. An information security program that is not properly maintained cannot offer the protection it is designed to provide. A financial institution that does not comply with this requirement, by definition, has insufficient staffing, and thus, cannot reasonably protect customer information.

Although the expense is necessary, the level of expense is mitigated by several factors. First, existing financial institutions should already have information security personnel (either in the form of employees or third-party service providers) qualified to perform the duties necessary to maintain reasonable security in order to comply with the requirements of the current Rule. Depending on the skills of those employees, additional staffing may not be necessary to meet the demands of the Final Rule. Second, the required staffing will vary greatly based on the size and complexity of the information system. A financial institution with an extremely simple system may not require even a single full-time employee. Finally, the Rule allows the use of service providers to meet this requirement. This can significantly reduce costs as services exist to share the expense of qualified personnel and offer information security support at significantly less than the cost of employing a single qualified employee.260 The Commission continues to believe utilizing qualified and sufficient information security personnel is a vital part of any information security program and accordingly, adopts proposed paragraph (e)(2) in the Final Rule without modification.

256 National Automobile Dealers Association (comment 46, NPRM), at 35; National Independent Automobile Dealers Association (comment 48, NPRM), at 7.
257 National Automobile Dealers Association (comment 46, NPRM), at 35.
258 NADA also asks whether this provision would require financial institutions to hire more personnel if they do not have enough qualified staff. Id. The Final Rule does require the hiring of additional personnel if existing personnel are not enough to maintain the financial institution’s information security program.
259 One commenter, on the other hand, approved of the decision not to define “qualified” in the Proposed Rule, but argued the requirement in its totality was unclear because it did not set forth “how the Commission would hold covered entities accountable.” American Council on Education (comment 24, NPRM), at 14. The Commission believes the term “qualified” provides a clear enough requirement to allow a financial institution’s compliance to be evaluated.
Training of Security Personnel

The Proposed Rule also required financial institutions to “[p]rovid[e] information security personnel with security updates and training sufficient to address relevant security risks.”261 This is separate from paragraph (e)(1)’s requirement to train all personnel generally. Some commenters argued providing ongoing training could be too costly for some financial institutions.262 The Commission disagrees. Maintaining awareness of emerging threats and vulnerabilities is a critical aspect of information security. In order to perform their duties, security personnel must be educated on the changing nature of threats to the information systems they maintain. There are resources that will allow smaller institutions to meet this requirement at little or no cost, such as published security updates, online courses, and educational publications.263 For financial institutions that utilize service providers to meet information security needs, the service provider is likely to include assurances that provided personnel will be trained in current security practices.

260 See, e.g., Slides Accompanying Remarks of Rocio Baeza, “Models for Complying to the Safeguards Rule Changes,” in Safeguards Workshop Slides, supra note 72, at 27–28 (describing three different compliance models: in-house, outsource, and hybrid, with costs ranging from $199 per month to more than $15,000 per month); see also Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 81–83; Slides Accompanying Remarks of Brian McManamon, “Sample Pricing,” in Safeguards Workshop Slides, supra note 72, at 29 (estimating the cost of cybersecurity services based on number of endpoints); Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 83–85.
261 Proposed 16 CFR 314.4(e)(3).
262 National Automobile Dealers Association (comment 46, NPRM), at 35.
The Commission views the use of such a service provider as meeting this requirement, as the financial institution is “providing” the service as part of the price it pays to the service provider. Thus, the Final Rule adopts paragraph (e)(3) as proposed.264

Verification of Current Knowledge

Proposed paragraph (e)(4) required financial institutions to “[v]erify[ ] that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.”265 This requirement was intended to complement the proposed requirement regarding ongoing training of data security personnel, by requiring verification such training has taken place. NADA argued this requirement should not apply to smaller financial institutions, stating the examples set forth in the Proposed Rule would be difficult for some smaller financial institutions to perform.266 The examples provided with the Proposed Rule were that a financial institution could: (1) offer incentives or funds for key personnel to undertake continuing education that addresses recent developments, (2) include a requirement to stay abreast of security research as part of their performance metrics, or (3) conduct an annual assessment of key personnel’s knowledge of threats related to their information system. The Commission believes smaller financial institutions can take advantage of any of these methods, particularly “requiring key personnel to undertake continuing education” as part of that personnel’s duties. If they outsource responsibility for data security to service providers, they can simply include these requirements in their contracts. The Commission believes the rapidly changing nature of information security mandates this requirement, in order that information security leadership can properly supervise the information security program. Accordingly, the Final Rule adopts proposed paragraph (e)(4) without change.

Proposed Paragraph (f)

Proposed paragraphs (f)(1) and (2) retained the current Rule’s requirement, found in existing paragraphs (d)(1) and (2), to oversee service providers, and added a paragraph (f)(3), requiring financial institutions also periodically assess service providers “based on the risk they present and the continued adequacy of their safeguards.”267 The current Rule expressly requires an assessment of service providers’ safeguards only at the onboarding stage; proposed paragraph (f)(3) required financial institutions to monitor their service providers on an ongoing basis to ensure they are maintaining adequate safeguards to protect customer information they possess or access.268

Several commenters argued it would be costly and difficult for some financial institutions to periodically assess their service providers.269 These commenters were particularly concerned with smaller financial institutions’ ability to “monitor” larger service providers.270 The Internet Association commented the requirement to periodically assess service providers would be too onerous for the service providers themselves, arguing the requirement would place “service providers under constant surveillance by their financial institution clients.”271 HITRUST suggested the Rule should state the periodic assessment requirement may be satisfied by requiring service providers to obtain and maintain information security certifications provided by third parties and based on proper information security frameworks.272 In contrast, Consumer Reports took issue with the Rule requiring only “assessment” of service providers, and argued financial institutions should be required to monitor their service providers for compliance.273 Yet other commenters expressed confusion over the term “service provider,” asking whether it would cover national consumer reporting agencies that smaller financial institutions would be hard-pressed to assess.274

The Commission retains the service provider oversight requirement from proposed paragraph (f) without modification. Some high-profile breaches have been caused by service providers’ security failures,275 and the Commission views the regular assessment of the security risks of service providers as an important part of maintaining the strength of a financial institution’s safeguards. The Commission disagrees with the commenters who expressed concerns this provision, and particularly the assessment requirement, would impose undue costs on financial institutions.

263 See, e.g., Federal Trade Commission, Cybersecurity for Small Business, https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity (last accessed 1 Dec. 2020); Remarks of Kiersten Todt, Safeguards Workshop Tr. at 86–88 (describing the resources of the Cyber Readiness Institute).
264 The Clearing House suggested the Rule should require background checks on employees. The Clearing House (comment 49, NPRM), at 19.
265 Proposed 16 CFR 314.4(e)(4).
266 National Automobile Dealers Association (comment 46, NPRM), at 35–36.
267 Proposed 16 CFR 314.4(g).
268 The Clearing House wrote in support of this element of the Proposed Rule, noting it would bring the Safeguards Rule’s provisions relating to service provider oversight into better alignment with security guidelines for banks. The Clearing House (comment 49, NPRM), at 14.
269 National Automobile Dealers Association (comment 46, NPRM), at 37; National Independent Automobile Dealers Association (comment 48, NPRM), at 7; see also Wangyang Shen (comment 3, Privacy Rule) (noting difficulty of supervising cloud services).
270 National Automobile Dealers Association (comment 46, NPRM), at 22; National Association of Dealer Counsel (comment 44, NPRM), at 3.
271 Internet Association (comment 9, Workshop), at 3–4.
The Rule would require financial institutions only to assess the risks service providers present and evaluate whether they continue to provide the safeguards required by contract, which need not include extensive investigation of a service provider’s systems. In the case of large service providers, this oversight may consist of reviewing public reports of insecure practices, changes in the services provided, or security failures in the services provided. In other circumstances, such as where a large company hires a vendor to secure sensitive customer information, certifications, reports, or even third-party audits may be appropriate. The exact steps required depend both on the size and complexity of the financial institution and the nature of the services provided by the service provider. For this reason, the Commission declines to adopt the suggestion to allow a financial institution to accept an information security certification from the service provider to satisfy the service provider oversight requirement.

272 HITRUST (comment 18, NPRM), at 3–4.
273 Consumer Reports (comment 52, NPRM) at 7.
274 American Financial Services Association (comment 41, NPRM), at 7.
275 For example, in 2013, attackers were reportedly able to use stolen credentials obtained from a third-party service provider to access a customer service database maintained by national retailer Target Corporation, resulting in the theft of information relating to 41 million customer payment card accounts. Kevin McCoy, Target to pay $18.5M for 2013 data breach that affected 41 million consumers, USA Today, May 23, 2017, https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affectedconsumers/102063932/.
The fact that a company maintains an information security certification may be a significant part of assessing the adequacy of a service provider’s safeguards, but the Commission declines to prescribe a one-size-fits-all approach, given the variation in size and complexity of financial institutions and their service providers. To avoid imposing undue costs on financial institutions, the Commission declines to require ongoing monitoring, rather than periodic assessment, as recommended by Consumer Reports. The Commission believes periodic assessment strikes the right balance between protecting consumers and imposing undue costs on financial institutions. The Commission acknowledges financial institutions may have limited bargaining power in obtaining services from large service providers and limited ability to demand access to a service provider’s systems. In those cases, any sort of hands-on assessment of the provider’s systems may not be possible. As to the concern that the assessment requirement will impose undue burdens on the service providers themselves, the Commission does not believe this concern justifies a modification to the proposed requirement. First, the Rule does not require ‘‘constant surveillance’’ by financial institutions; they are required only to ‘‘periodically assess’’ the risks presented by service providers. Second, as discussed above, the supervision of service providers is a vitally important aspect of information security, and while there may be some burdens on the service providers associated with being supervised, these are necessary burdens. A financial institution must be sure a service provider is protecting the information of its customers, and any expenses this involves are a necessary part of fulfilling this duty. Finally, as to concerns about potential ambiguities in the definition of service provider, the amendments preserve the definition in the current Rule.
Thus, entities subject to this requirement under the Final Rule will remain the same as under the existing Rule and may include consumer reporting agencies. As discussed above, even larger service providers such as national CRAs can be subjected to some form of review by financial institutions.276 The Commission adopts proposed paragraph (f) in the Final Rule without modification.

276 The National Pawnbrokers Association expressed concern they cannot control vendors of local law enforcement agencies to whom they are required to provide customer information. National Pawnbrokers Association (comment 32, NPRM), at 2. However, the Rule does not require financial institutions oversee service providers employed by other entities over which they have no control.

Proposed Paragraph (g)

Paragraph (g) of the Proposed Rule retained the language of existing paragraph (e) in the current Rule, which requires financial institutions to evaluate and adjust their information security programs in light of the result of testing required by this section, material changes to their operations or business arrangements, or any other circumstances they know or have reason to know may have a material impact on their information security program. The Commission received no comments on this paragraph and adopts the language of the Proposed Rule.

Proposed Paragraph (h)

Proposed paragraph (h) required financial institutions to establish written incident response plans that addressed (1) the goals of the plan; (2) the internal processes for responding to a security event; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (6) documentation and reporting regarding security events and related incident response activities; and (7) the evaluation and revision as necessary of the incident response plan following a security event.

Several commenters supported the proposal to require an incident response plan.277 The Credit Union National Association observed an incident response plan ‘‘helps ensure that an entity is prepared in case of an incident by planning how it will respond and what is required for the response.’’ 278 Consumer Reports noted a rapid response to a security event can limit damage caused by the event.279 The Princeton Center commented ‘‘a written incident response plan is an essential component of a good security system.’’ 280 HITRUST commented incident response plans can help organizations ‘‘to better allocate limited resources.’’ 281 The South Carolina Department of Consumer Affairs suggested the provision go further by requiring the incident response plan include a process for notifying senior information security personnel of the event.282 Other commenters opposed requiring an incident response plan or objected to particular aspects of the requirement.

277 Consumer Reports (comment 52, NPRM), at 6; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7; Electronic Privacy Information Center (comment 55, NPRM), at 8; Credit Union National Association (comment 30, NPRM), at 2; Heartland Credit Union Association (comment 42, NPRM), at 2; National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1; HITRUST (comment 18, NPRM), at 2.
278 Credit Union National Association (comment 30, NPRM), at 2.
279 Consumer Reports (comment 52, NPRM), at 6.
Some commenters suggested requiring financial institutions to have incident response plans is outside the Commission’s authority under the GLB Act.283 NADA argued the requirement for an incident response plan was overbroad in light of the broad definition of security event,284 and the requirement was vague as to what the plan should include.285 Other commenters argued the requirement was too burdensome. ACE argued ‘‘the range of security events that might occur and their potential impacts on institutional capacity to recover’’ make establishing an incident response plan that will allow an institution to ‘‘respond to, and recover from, any security event materially affecting . . . customer information’’ impossible.286 The Mortgage Bankers Association (‘‘MBA’’) suggested ‘‘institutions of smaller sizes may not necessarily be capable of addressing all seven of the proposed goals.’’ 287 Further, the MBA argued an incident response plan requirement had ‘‘the potential to cripple small businesses under the pressure of repeatedly checking the boxes for potentially harmless events.’’ 288 Finally, some commenters raised questions about what it means for customer information to be in a financial institution’s ‘‘possession’’ for purposes of the incident response plan requirement. ACE argued the requirement does not adequately account for customer information held in cloud storage operated by third parties, asserting such information is not technically within the financial institution’s possession.289 ACE suggested the provision should apply to customer information for which the financial institution is responsible, instead.290 Relatedly, the NPA expressed concern pawnbrokers might be subject to liability under the Proposed Rule when law enforcement agencies or their third-party vendors make public disclosures of customer information pawnbrokers are obligated to report.291

280 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7.
281 HITRUST (comment 18, NPRM), at 2.
282 South Carolina Department of Consumer Affairs (comment 47, NPRM), at 2.
283 National Automobile Dealers Association (comment 46, NPRM), at 38; National Independent Automobile Dealers Association (comment 48, NPRM), at 7.
284 National Automobile Dealers Association (comment 46, NPRM), at 38.
285 National Automobile Dealers Association (comment 46, NPRM), at 12, 38–39. NPA also asked for greater detail on what constitutes an ‘‘incident.’’ National Pawnbrokers Association (comment 32, NPRM), at 4.
286 American Council on Education (comment 24, NPRM), at 15.
287 Mortgage Bankers Association (comment 26, NPRM), at 4.
288 Mortgage Bankers Association (comment 26, NPRM), at 4.

The Commission retains the requirement for financial institutions to develop and implement an incident response plan, with one modification described below. The Commission believes the creation of an incident response plan is directly related to safeguarding customer information and is within its authority under the GLBA. The requirement to create an incident response plan focuses on preparing financial institutions to respond promptly and appropriately to security events, and mitigating any weaknesses in their information systems in the process. By responding quickly and promptly mitigating weaknesses, financial institutions can stop ongoing or future compromise of customer information.292 A well-organized response to a security event can limit the number of consumers affected by an outside attacker by promptly identifying the attack and taking steps to stop the attack. The Commission disagrees with the commenters who stated this requirement was too burdensome.
The Final Rule requires incident response plans address ‘‘security event[s] materially affecting the confidentiality, integrity, or availability of customer information in [a financial institution’s] control.’’ Significantly, the plan must address events that ‘‘materially’’ affect customer information. Thus, the required incident response plan does not require a plan to address every security event that may occur. The plan need not include minute details or all possible scenarios. Instead, the Rule requires the plan to establish a system (for example, by laying out clear lines of responsibility, systems for information sharing, and methods for evaluating possible solutions) that will facilitate a financial institution’s response to security events regardless of the nature of the event. A detailed approach may be appropriate for some financial institutions, such as those with especially complicated systems or personnel hierarchies, but the Rule is designed to give financial institutions the flexibility needed to develop plans that best suit their needs.293 Moreover, the Commission believes the requirement is clear as to what an incident response plan should include. The seven listed requirements for the incident response plans provide sufficient guidance to financial institutions designing incident response plans while giving them flexibility to design a plan suited to their organization.

289 American Council on Education (comment 24, NPRM), at 15.
290 Id.
291 National Pawnbrokers Association (comment 32, NPRM), at 4.
292 See Remarks of Serge Jorgenson, Safeguards Workshop Tr., supra note 17, at 52 (observing a prompt response to an incident can prevent a ‘‘threat actor running around in my environment for days, months, years, and able to access anything they want.’’).
In addition, there are many resources for designing incident response plans available for financial institutions, as well as service providers that can assist with the design process.294 Individual institutions can determine the exact details of the plans. To address questions about whether information is in the financial institution’s ‘‘possession,’’ the Commission is revising paragraph (h) of the Final Rule to require financial institutions develop incident response plans ‘‘designed to promptly respond to, and recover from, any security event materially affecting . . . customer information in your control.’’ (emphasis added) Replacing the term ‘‘possession’’ with ‘‘control’’ resolves the questions raised by ACE and the NPA regarding whether financial institutions must plan for security events affecting data that has been transferred to various kinds of third parties. Where a financial institution has voluntarily opted to store its customer information in the cloud, to whatever extent the information is no longer in the ‘‘possession’’ of the financial institution, it is certainly within the institution’s ‘‘control.’’ By contrast, customer information that has been obtained by a third party such as a law enforcement agency, over whom a financial institution has no authority and of whose actions the financial institution has no knowledge, cannot fairly be said to be in the financial institution’s control. Consequently, the financial institution need not account for possible disclosures of that information by the third party.295

293 Although the Commission agrees with the South Carolina Department of Consumer Affairs that notification of senior personnel is valuable, the requirement that the plan address ‘‘the definition of clear roles, responsibilities and levels of decisionmaking authority’’ will almost always result in communication of decision-making to senior personnel authorized to make decisions about the security response. Coupled with the requirement the Qualified Individual report to the board or equivalent body on material events affecting security, the Commission does not see the need to make this change.
294 See, e.g., FTC, Data Breach Response: A Guide for Business (2019), www.ftc.gov/tips-advice/business-center/guidance/data-breach-responseguide-business; NIST, Guide for Cybersecurity Event Recovery (2016), nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf; Orion Cassetto, Incident Response Plan 101: How to Build One, Templates and Examples, Exabeam: Information Security Blog (November 21, 2018), www.exabeam.com/incident-response/incidentresponse-plan/ (last visited December 2, 2020).
295 NADA further argued the incident response plan constitutes a de facto consumer notification requirement. National Automobile Dealers Association (comment 46, NPRM), at 39. Financial institutions have an independent obligation to perform notification as required by state law, whether or not they have an incident response plan in place. The fact that the Rule requires a plan that sets forth procedures for satisfying that requirement does not impose any independent notification requirement on the financial institution.

Notification of Security Events to the Commission

The Commission also requested comment on whether the Rule should require financial institutions to report security events to the Commission. Several commenters supported this requirement.296 The Princeton University Center for Information Technology Policy noted such a reporting requirement would ‘‘provide the Commission with valuable information about the scope of the problem and the effectiveness of security measures across different entities’’ and ‘‘help the Commission coordinate responses to shared threats.’’ 297 The National Association of Federally-Insured Credit Unions argued requiring financial institutions to report security events to the Commission would provide an ‘‘appropriate incentive for covered financial companies to disclose information to consumers and relevant regulatory bodies.’’ 298 NAFCU also suggested notification requirements are important because they ‘‘ensure independent assessment of whether a security incident represents a threat to consumer privacy.’’ 299 Other commenters opposed the inclusion of a reporting requirement.300 ACE argued such a requirement ‘‘would simply add another layer on top of an already crowded list of federal and state law enforcement contacts and state breach reporting requirements.’’ 301 ACE also suggested any notification requirement should be limited to a more restricted definition of ‘‘security event’’ than the definition in the Proposed Rule, so financial institutions would only be required to report incidents that could lead to consumer harm.302 The Commission agrees with commenters that stated a requirement that financial institutions report security events to the Commission would have many benefits, including allowing the Commission to identify emerging threats and assisting the Commission’s enforcement of the Rule.

296 Consumer Reports (comment 52, NPRM), at 6; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7; Credit Union National Association (comment 30, NPRM), at 2; Heartland Credit Union Association (comment 42, NPRM), at 2; National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1–2.
297 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7.
298 National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1.
In addition, such a requirement would be unlikely to create a significant burden on financial institutions because a security event that leads to notification to the Commission is very likely to create breach notification obligations under various state laws, and the financial institution will thus already be engaged in notifying consumers and state regulators. The addition of a notification to the FTC would not require any significant additional preparation or effort. However, because the notice of proposed rulemaking did not set forth a detailed proposal for a notification requirement, the Final Rule does not include such a requirement. Instead, the Commission is issuing a supplemental notice of proposed rulemaking (SNPRM) that proposes adding a requirement that financial institutions notify the Commission of detected security events under certain circumstances.303

299 National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1–2.
300 National Independent Automobile Dealers Association (comment 48, NPRM), at 7; American Council on Education (comment 24, NPRM), at 15.
301 American Council on Education (comment 24, NPRM), at 15.
302 Id.
303 Standards for Safeguarding Customer Information, SNPRM, published elsewhere in this issue of the Federal Register.

Proposed Paragraph (i)

Proposed paragraph (i) required a financial institution’s CISO to ‘‘report in writing, at least annually, to [the financial institution’s] board of directors or equivalent governing body’’ regarding the following information: (1) the overall status of the information security program and the financial institution’s compliance with the Safeguards Rule; and (2) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.304 For financial institutions that did not have a board of directors or equivalent, the proposal required the CISO to make the report to a senior officer responsible for the financial institution’s information security program. One commenter supported this requirement.305 Additionally, several workshop participants emphasized the value of communication between information security leaders and corporate boards or their equivalent. For example, workshop participant Michele Norin stated it is ‘‘important’’ for the topic of information security to be discussed at the level of the board or senior leadership regularly, and at least once per year.306 Participant Adrienne Allen agreed annual reporting made sense as a requirement, but noted for some financial institutions, particularly those with an online presence, even more frequent communication could be beneficial.307 ACE argued the Proposed Rule created too much emphasis on a single annual report and should instead focus on regular reporting to the Board or equivalent.308 It also expressed concern the report required by the Proposed Rule would be too detailed and would not allow the Board to see ‘‘the forest for the trees,’’ 309 the requirements for the report were too prescriptive, and the requirements focused too much on compliance rather than security.310 Similarly, NADA argued the report would not improve security but would instead create ‘‘unnecessary liability exposure for the board/leadership of the entity.’’ 311 HITRUST suggested Qualified Individuals should be able to meet this reporting requirement by submitting a report from an information security certification program to the Board or equivalent body.312

304 Proposed 16 CFR 314.4(i).
305 Rocio Baeza (comment 12, Workshop), at 3–8 (supporting requirement and providing sample report form and compliance questionnaire); see also The Clearing House (comment 49, NPRM), at 15–16 (arguing that Rule should require more involvement from Board and senior management).
306 Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at 194.
307 Remarks of Adrienne Allen, Safeguards Workshop Tr., supra note 17, at 199–200.
308 American Council on Education (comment 24, NPRM), at 16.
309 Id.
310 Id.
311 National Automobile Dealers Association (comment 46, NPRM), at 41. NADA also argued the reports by third-party Qualified Individuals might not include useful information and were ‘‘more likely to be filled with platitudes and/or efforts to ‘upsell’ the dealership on additional CISO services.’’ Id. at 42. NADA provided no support for this claim. The Commission notes such a report would not meet the requirements of this provision, and the financial institution would be justified in terminating their relationship with that provider or, at least, demanding a revised report that did meet those requirements.
312 HITRUST (comment 18, NPRM), at 4.

The Commission adopts the proposal as final, with one modification discussed below. This provision is intended to ensure the governing body of the financial institution is engaged with and informed about the state of the financial institution’s information security program. Likewise, this will create accountability for the Qualified Individual by requiring him or her to set forth the status of the information security program for the governing body.313 This will help financial institutions to ensure their information security programs are being maintained appropriately and given the necessary resources. Written reports will create a record of decisions made and the information upon which they were based, which may aid future decisionmaking.314 Management involvement in information security programs can improve the strength of those programs and help to reduce breaches.315 The Commission disagrees with the commenters who stated the reporting requirement would be too prescriptive. In fact, the language only requires reporting of (1) the overall status of the information security program and its compliance with this Rule; and (2) material matters related to the information security program. The language includes examples of what material matters might include, such as risk assessments and security events, but does not require all of them be included. The financial institution and the Qualified Individual will be responsible for determining what is material for their organization. The Commission does not believe these requirements call for overly detailed reports.316 Although the Commission agrees a certification report from a Qualified Individual could be a part of the annual report and may cover many material matters, it may not suffice in all cases; thus, the Commission declines to include such a one-size-fits-all requirement. As to the suggestion to require ‘‘regular’’ reporting, the Commission agrees more regular reporting may be the best approach for many financial institutions. To this end, the Commission modifies the requirement in the final rule to say ‘‘regularly, and at least annually.’’ 317 Beyond this modification, the Final Rule adopts proposed paragraph (i) as proposed.

313 See Remarks of Karthik Rangarajan, Safeguards Workshop Tr., supra note 17, at (‘‘If quarter over quarter, year over year, this watermark isn’t reducing, then board of directors should be able to challenge us and say maybe you’re not mapping your risks correctly, or vice versa if it’s reducing but we’re seeing more incidents, we’re seeing potential breaches, things like that, then the board of directors should be able to say maybe you don’t have the right risk quantification framework or the right risk management framework.’’).
314 Workshop participants Adrienne Allen, Karthik Rangarajan, and Michele Norin each emphasized this point. See Safeguards Workshop Tr., supra note 17, pp. 201–09.
315 See Juhee Kwon, Jackie Rees Ulmer, & Tawei Wang, The Association Between Top Management Involvement and Compensation and Information Security Breaches, Journal of Information Systems, Spring 2013, at 219–236 (‘‘. . . the involvement of an IT executive decreases the probability of information security breach reports by about 35 percent . . .’’); Julia L. Higgs, Robert E. Pinsker, Thomas Joseph Smith, & George Young, The Relationship Between Board-Level Technology Committees and Reported Security Breaches, Journal of Information Systems, Fall 2016, at 79–98 (‘‘[A]s a technology committee becomes more established, its firm is not as likely to be breached. To obtain further evidence on the perceived value of a technology committee, this study uses a returns analysis and finds that the presence of a technology committee mitigates the negative abnormal stock returns arising from external breaches.’’).
Board Certification

The Commission specifically sought comment on whether the Board or equivalent should be required to certify the contents of the report. The two commenters who addressed this question stated they should not.318 ACE noted ‘‘governing boards generally will not have the knowledge and expertise to independently certify’’ the technical aspects of the report and certification might require the employment of outside auditors.319 The Commission agrees senior management of financial institutions will often lack the technical expertise to personally attest to its validity.

316 Indeed, workshop participants discussed a variety of strategies for meaningful communication between security personnel and senior leadership. Participants noted the proper content, style, and cadence of reporting (beyond the minimum annual report) will vary depending on, among other things, the type of financial institution in question and the level of familiarity of leadership with the relevant technical issues. See Safeguards Workshop Tr., supra note 17, at 194–200.
317 NADA argued reports required by this provision would be expensive because the Proposed Rule stated they would need to be prepared by a ‘‘CISO,’’ which NADA takes to mean a highly compensated expert of the type retained by the most sophisticated large institutions. National Automobile Dealers Association (comment 46, NPRM), at 41. As discussed above, however, the Rule does not require all financial institutions to retain such an expert. Instead, the report will be made by the Qualified Individual, whose expertise and compensation will vary according to the size and complexity of a financial institution’s information system.
318 National Automobile Dealers Association (comment 46, NPRM), at 41 n.126; American Council on Education (comment 24, NPRM), at 16.
In addition, the primary purpose of the required report is to encourage communication between information security personnel and senior management, not to show compliance with the Rule. Requiring the governing board to certify the contents of the report would likely transform the report into a compliance document and might reduce its efficacy as a communication between the Qualified Individual and the Board. Accordingly, the Commission declines to adopt this requirement in the Final Rule.

§ 314.5: Effective Date

The Proposed Rule set a new effective date for some portions of the Rule. Proposed § 314.5 provided certain elements of the information security program would not be required until six months after the publication of a final rule, rather than immediately upon publication. The paragraphs that would have a delayed effective date were: § 314.4(a), related to the appointment of a Qualified Individual; § 314.4(b)(1), relating to conducting a written risk assessment; § 314.4(c)(1) through (8), setting forth the new elements of the information security program; § 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment; § 314.4(e), requiring training for personnel; § 314.4(f)(3), requiring periodic assessment of service providers; § 314.4(h), requiring a written incident response plan; and § 314.4(i), requiring annual written reports from the Qualified Individual. All other requirements under the Safeguards Rule would remain in effect during this six-month period. These remaining requirements largely mirrored the requirements of the existing Rule. All commenters that addressed this provision noted the difficulty of complying with some of the provisions of the Proposed Rule, and argued financial institutions should be given more time to comply with them.
ACE suggested financial institutions be given one year to create a plan for compliance and two years to come into actual compliance.320 AFSA suggested compliance not be required for two years.321 ACA International requested the effective date be one year after publication of the Rule.322 The Commission agrees some financial institutions may need longer to modify their information security programs to comply with the new requirements in the Final Rule, especially given the current pandemic and the strains it is placing on businesses. Accordingly, the Final Rule extends the effective date for these enumerated provisions to one year after the publication of this document.

319 American Council on Education (comment 24, NPRM), at 16.

320 American Council on Education (comment 24, NPRM), at 4–5.

Proposed § 314.6: Exceptions

Proposed § 314.6 exempted financial institutions that maintain customer information concerning fewer than five thousand consumers from certain requirements of the Proposed Rule, namely § 314.4(b)(1), requiring a written risk assessment; § 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment; § 314.4(h), requiring a written incident response plan; and § 314.4(i), requiring an annual written report by the CISO (as revised, the Qualified Individual).323 This proposed section was designed to reduce the burden on smaller financial institutions.
The Commission sought comment on whether it was appropriate to include such an exemption, whether the specific exemptions were appropriate, whether the use of the number of customers concerning whom the financial institution retains customer information is the most effective way to determine which financial institutions should be exempted and, if so, whether five thousand customers was an appropriate number. After reviewing the comments received, the Commission retains the exemption for financial institutions with fewer than 5,000 customers as proposed. Several commenters supported the inclusion of an exemption for small financial institutions. Consumer Reports supported the exemption as proposed.324 NPA supported the decision to base this exemption on the number of customers whose information the financial institution maintains, but questioned how the number of customers would be determined.325 NPA asked whether the number of customers would be counted on an annual basis or include all records the financial institution maintains. It also asked if each transaction with a customer would be counted separately.326 Some commenters argued the number of customers whose records a financial institution maintains was the wrong measure by which to assess whether the exemption should apply.

321 American Financial Services Association (comment 41, NPRM), at 7.

322 ACA International (comment 45, NPRM), at 10–11.

323 Proposed 16 CFR 314.6.

324 Consumer Reports (comment 52, NPRM), at 6; see also Credit Union National Association (comment 30, NPRM), at 2 (noting the exemption will be helpful for smaller businesses, but suggesting other changes to the Proposed Rule so the exemption is not required).
For example, commenters suggested the Rule should take into account businesses with revenue beneath a certain threshold,327 the number of students enrolled at covered educational institutions,328 or the number of individuals employed by the financial institution.329 Additionally, some commenters argued the threshold for application of the exemption should be higher. ACA International suggested the exemption should apply to all financial institutions maintaining records concerning fewer than 10,000 customers.330 AFSA suggested a 50,000 customer threshold.331 NADA332 and NIADA333 argued the threshold should be raised to 100,000 customers. Without proposing a specific alternative, NPA expressed concern the 5,000-customer threshold may be too low, noting pawnbrokers who accept firearms as collateral are required to keep customer records related to certain transactions for twenty years.334 As to the substance of the exemption, some commenters felt it did not go far enough to relieve the burden of the rule for small financial institutions. ACA International proposed eligible financial institutions should also be exempt from the requirement to designate a single qualified individual to oversee their information security programs.335 The National Federation of Independent Business argued businesses with 15 or fewer employees should be exempted from the Rule entirely and instead held only to a requirement to take ‘‘commercially reasonable steps’’ to safeguard customer information.336 The Small Business Administration Office of Advocacy suggested, in the absence of additional information regarding the impact of the proposed changes on small businesses, the Rule should ‘‘maintain the status quo’’ for small entities as defined by the Small Business Administration’s size standards.337 On the other hand, other commenters opposed the inclusion of any exemption. The Independent Community Bankers of America noted the Federal Financial Institutions Examination Council Interagency Guidelines Establishing Standards for Safeguarding Customer Information (‘‘FFIEC Guidelines’’), which detail how depository institutions are required to protect customer information, include no exemption for smaller institutions and suggested the Rule should also have no exemption and apply equally to all financial institutions.338 Under the existing Rule, there is no exception for smaller entities. Still, the Commission continues to believe it is appropriate to exempt small businesses from some of the revised Rule’s requirements.

325 National Pawnbrokers Association (comment 32, NPRM), at 6.

326 Id.; see also National Independent Automobile Dealers Association (comment 48, NPRM), at 3.

327 ACA International (comment 45, NPRM), at 11–12.

328 American Council on Education (comment 24, NPRM), at 5.

329 Ahmed Aly (comment 22, NPRM).

330 ACA International (comment 45, NPRM), at 11–12.

331 American Financial Services Association (comment 41, NPRM), at 3–4.

332 National Automobile Dealers Association (comment 46, NPRM), at 43–44. NADA also suggested information about customers for which the nonpublic information has been removed should not be counted to the total. If the information is anonymized or otherwise transformed so it is no longer reasonably linkable to a customer, that information will not count towards the exemption. NADA’s example of retaining only ‘‘name, phone number, address, and VIN of the vehicle they own’’ would still count as customer information under the Rule.

333 National Independent Automobile Dealers Association (comment 48, NPRM), at 3.

334 National Pawnbrokers Association (comment 32, NPRM), at 6.
Although the FFIEC Guidelines do not exempt small businesses from their requirements, the FFIEC Guidelines regulate only depository financial institutions subject to an entirely different regulatory regime, including supervision by their regulatory agencies. While the provisions from which eligible financial institutions are exempt have significant benefits for the security of customer information and other sensitive data,339 those provisions may be less necessary in situations where the overall volume of retained data is low. This is true in part because the potential for cumulative consumer harm is less where fewer consumers’ information may be exposed as the result of a security incident.340 For similar reasons, the Commission finds the number of individuals concerning whom a financial institution maintains customer information is the appropriate measure of whether the exemption should apply to a particular financial institution. The application of the exemption should take into account both the potential burden of compliance to financial institutions and the risk to consumers when standards are relaxed—in other words, the purpose of the exemption is to avoid imposing undue burden while assuring customer information is subject to necessary protections. Even a very small financial institution, depending on its business model, may retain very large quantities of sensitive customer information.341 Adequate security is necessary to protect such information, which may constitute an attractive target for bad actors such as identity thieves; the value of the target is correlated with the volume of information maintained.342

335 ACA International (comment 45, NPRM), at 12.

336 National Federation of Independent Business (comment 16, NPRM), at 4.

337 Small Business Administration Office of Advocacy (comment 28, NPRM), at 6.

338 Independent Community Bankers of America (comment 35, NPRM), at 4; see also American Escrow (comment 6, Workshop), at 3 (arguing even small companies may need to comply with all portions of the Rule to maintain consumer confidence); see also Caiting Wang (Comment 6, Privacy) (suggesting exempted provisions should be optional for smaller businesses, or the Commission create a fund to enable small businesses to comply with these provisions).

339 See, e.g., Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 85 (noting continuous monitoring allows organizations to detect and quickly respond to threats); Remarks of Frederick Lee, Safeguards Workshop Tr., supra note 17, at 126–28 (discussing benefits of penetration testing); Remarks of Tom Dugas, Safeguards Workshop Tr., supra note 17, at 143 (noting the importance of vulnerability scans); Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at 194–95 (asserting annual reporting by the Qualified Individual to an organization’s board or equivalent is beneficial); Remarks of Adrienne Allen, Safeguards Workshop Tr., supra note 17, at 201.

340 See Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 91–92 (noting companies that control large amounts of consumer data should in most instances implement the full range of data security safeguards, whereas small businesses with less data may need to focus on cybersecurity basics); see also Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 91 (‘‘[T]he amount of data [that a business holds] would definitely have an influence on whether a business is even going to be attacked.’’); Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 94 (citing the volume of consumer records held by an organization as an important factor in assessing cybersecurity risk).
While a business’s revenue or number of employees may provide a measure of the burden of compliance for that business, these figures do not capture consumer risk. By contrast, the number of individuals about whom a financial institution maintains customer information is a proxy for the level of security necessary in light of both the risk of attack and the potential consumer harm should a security incident occur.343 In addition, basing the exemption on the number of individuals concerning whom a financial institution maintains customer information provides an incentive to financial institutions to reduce the amount of information they retain. A financial institution may choose to dispose of information so it holds information on few enough consumers to qualify for exemption.344 The Final Rule adopts this section as proposed. The Commission continues to believe the cutoff for financial institutions maintaining information concerning 5,000 consumers appropriately balances the need for security with the burdens on smaller businesses.

The requirements to which exempted financial institutions would still be required to adhere are tailored to balance the importance of adequately securing customer information against the need to limit financial burdens for small businesses. Many of these requirements were already in force as part of the existing Rule—for example, covered financial institutions were already required to design and implement a written information security program, conduct risk assessments, perform an initial assessment of their service providers, and designate one or more employees to oversee information security. For reasons discussed elsewhere in this document, the new requirements that apply to exempted financial institutions, such as the requirement to designate a single qualified individual to oversee information security rather than one or more individuals, will ensure financial institutions of all sizes continue to adequately protect customer information in an environment of increasing cybersecurity risk, while avoiding the imposition of undue burden.

341 See, e.g., Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 91–92 (noting small businesses with an enormous amount of consumer records need to follow all of the safeguards and ‘‘can’t get away with just doing the basics’’); see also ACA International (comment 45, NPRM) at 11 (‘‘Many small financial institutions, including a number of ACA members, have objectively limited operations in terms of number of employees and revenues, but handle large volumes of consumer account data for each of their clients on whose behalf they are collecting debts.’’).

342 See, e.g., Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 94 (opining ‘‘the better indicators for cybersecurity risk are going to be two things: The volume of consumer records that a financial institution holds and also the rate of change.’’); Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, at 91 (noting the amount of data a company holds influences whether it is going to be attacked).

343 See Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 89–90 (noting the size of a financial institution and the amount and nature of the information it holds factor into an appropriate information security program).

344 The Commission understands this provision to count all individual consumers about which a financial institution maintains customer information, including both current and former customers. The exemption counts consumers rather than transactions so a financial institution that had 100 transactions with a single customer would count only a single consumer.

IV. Paperwork Reduction Act

The Paperwork Reduction Act (‘‘PRA’’), 44 U.S.C. 35, requires Federal agencies to seek and obtain Office of Management and Budget (OMB) approval before undertaking a collection of information directed to ten or more persons.345 A ‘‘collection of information’’ occurs when ten or more persons are asked to report, provide, disclose, or record information in response to ‘‘identical questions.’’346 Applying these standards, neither the Safeguards Rule nor the amendments constitute a ‘‘collection of information.’’347 The Rule calls upon affected financial institutions to develop or strengthen their information security programs in order to provide reasonable safeguards. Under the Rule, each financial institution’s safeguards will vary according to its size and complexity, the nature and scope of its activities, and the sensitivity of the information involved. For example, a financial institution with numerous employees would develop and implement employee training and management procedures beyond those that would be appropriate or reasonable for a sole proprietorship, such as an individual tax preparer or mortgage broker. Similarly, a financial institution that shares customer information with numerous service providers would need to take steps to ensure such information remains protected, while a financial institution with no service providers would not need to address this issue. Thus, although each financial institution must summarize its compliance efforts in one or more written documents, the discretionary balancing of factors and circumstances the Rule allows—including the myriad operational differences among businesses it contemplated—does not require entities to answer ‘‘identical questions’’ and therefore does not trigger the PRA’s requirements.
The amendments to the Rule do not change this analysis because they retain the existing Rule’s process-based approach, allowing financial institutions to tailor their programs to reflect the financial institutions’ size, complexity, and operations, and to the sensitivity and amount of customer information they collect. For example, amended § 314.4(b) would require a written risk assessment, but each risk assessment will reflect the particular structure and operation of the financial institution and, though each assessment must include certain criteria, these are only general guidelines and do not consist of ‘‘identical questions.’’ Similarly, amended § 314.4(h), which requires a written incident response plan, is only an extension of the preexisting requirement of a written information security plan and would necessarily vary significantly based on factors such as the financial institution’s internal procedures, which officials within the financial institution have decision-making authority, how the financial institution communicates internally and externally, and the structure of the financial institution’s information systems. Likewise, the proposed requirement for Qualified Individuals to produce annual reports under proposed § 314.4(i) does not consist of answers to identical questions, as the content of these reports would vary considerably between financial institutions and Qualified Individuals are given flexibility in deciding what to include in the reports.

345 44 U.S.C. 3502(3)(A)(i).

346 See 44 U.S.C. 3502(3)(A).

347 See Standards for Safeguarding Customer Information, 67 FR 36484, 36491 (May 23, 2002).
Finally, the modification of the definition of ‘‘financial institution’’ to include ‘‘activities incidental to financial activities,’’ and therefore bring finders under the scope of the Rule, does not constitute a ‘‘collection of information,’’ and therefore does not trigger the PRA’s requirements.

V. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (IRFA) with a proposed Rule, or certify that the proposed Rule will not have a significant impact on a substantial number of small entities.348 The Commission published an Initial Regulatory Flexibility Analysis in order to inquire into the impact of the Proposed Rule on small entities. In response, the Commission received comments that argued the revision to the Safeguards Rule would be unduly burdensome for smaller financial institutions. The discussion below summarizes these comments and the Commission’s response to them.

348 5 U.S.C. 603 et seq.

1. Description of the Reason for Agency Action

The Commission issues these amendments to clarify the Safeguards Rule by including a definition of ‘‘financial institution’’ and related examples in the Safeguards Rule rather than incorporating them from the Privacy Rule by reference. The amendments also expand the definition of ‘‘financial institution’’ in the Rule to include entities engaged in activities incidental to financial activities. This change would bring ‘‘finders’’ within the scope of the Rule. This change harmonizes the Rule with other agencies’ rules and requires finders that collect consumers’ sensitive financial information to comply with the Safeguards Rule’s process-based approach to protect that data.
In addition, the amendments modify the Safeguards Rule to include more detailed requirements for the information security program required by the Rule.

2. Issues Raised by Comments in Response to the IRFA

As stated above, the Commission received several comments that argued the revised Safeguards Rule would impose unduly heavy burdens on smaller businesses. The Small Business Administration’s Office of Advocacy commented it was concerned the FTC had not gathered sufficient data as to either the costs or benefits of the proposed changes for small financial institutions. The FTC shares the Office of Advocacy’s interest in ensuring regulatory changes have an evidentiary basis. Many of the questions on which the FTC sought public comment, both in the regulatory review and in the proposed rule context, specifically related to the costs and benefits of existing and proposed Rule requirements. Following the initial round of commenting, the Commission conducted the FTC Safeguards Workshop and solicited additional public comments with the explicit goal of gathering additional data relating to the costs and benefits of the proposed changes.349 As detailed throughout this document, the Commission believes there is a strong evidentiary basis for the issuance of the Final Rule. The Office of Advocacy also argued the Proposed Rule’s requirements were unduly prescriptive and should not be enacted as they apply to small businesses until the Commission can ‘‘ascertain the quantitative impact on small entities.’’350 The Office of Advocacy, along with other commenters, argued the amendments taken together would create a large burden on smaller financial institutions.

349 See Public Workshop Examining Information Security for Financial Institutions and Information Related to Changes to the Safeguards Rule, 85 FR 13082 (Mar. 6, 2020).
In particular, commenters pointed to the requirements that financial institutions appoint a chief information security officer, customer information be encrypted, financial institutions utilize multi-factor authentication, and financial institutions regularly update training programs. These comments and the Commission’s response are discussed at length above. Most commenters did not provide any specific estimates of these expenses, but two commenters did provide a summary of their expected expenses. As discussed in the document, the Commission believes any burden imposed by the revised Rule is substantially mitigated by the fact the Rule continues to be process-based, flexible, and based on the financial institution’s size and complexity. In addition, the amendments exempt institutions that maintain information on fewer than 5,000 consumers from certain requirements that require additional written product and might pose a greater burden on smaller entities. The Commission believes most of the entities covered by the exemption will be small businesses. Finally, the Commission believes all financial institutions, including small businesses, that comply with the current Safeguards Rule will already be in compliance with most of the new provisions of the revised Rule as part of their current information security program. In addition, in response to the comments concerned about the burden of the amendments, the Commission extended the effective date from six months after the publication of the Final Rule to one year after the publication to allow financial institutions additional time to come into compliance with the revised Rule. In addition, in response to comments that argued hiring a chief information security officer would be prohibitively expensive for small financial institutions, the Commission amended the rule to clarify such an employee was not required for all financial institutions. 
The Final Rule is modified to clarify a financial institution need only appoint an individual who is qualified to coordinate its information security program, and those qualifications will vary based on the complexity of the program and size and nature of the financial institution. The Commission also clarified employee training programs need to be updated only as necessary, in response to a comment that regular updating would be difficult for smaller financial institutions.

350 Small Business Administration Office of Advocacy (comment 28, NPRM), at 6.

3. Estimate of Number of Small Entities to Which the Amendments Will Apply

As previously discussed in the IRFA, determining a precise estimate of the number of small entities351—including newly covered entities under the modified definition of financial institution—is not readily feasible. Financial institutions already covered by the Rule as originally promulgated include lenders, financial advisors, loan brokers and servicers, collection agencies, tax preparers, and real estate settlement services, to the extent they have ‘‘customer information’’ within the meaning of the Rule. Finders are also covered under the Final Rule. However, it is not known whether any finders are small entities, and if so, how many there are. The Commission requested comment and information on the number of ‘‘finders’’ that would be covered by the Rule’s modified definition of ‘‘financial institution,’’ and how many of those finders, if any, are small entities. The Commission received no comments that addressed this question.

4. Projected Reporting, Recordkeeping, and Other Compliance Requirements

The Rule does not impose any reporting or any specific recordkeeping requirements as discussed earlier. See supra Section IV (Paperwork Reduction Act).
With regard to other compliance requirements, the addition of definitions and examples from the Privacy Rule is not expected to have an impact on covered financial institutions, including those that may be small entities. (The preceding section of this analysis discusses classes of covered financial institutions that may qualify as small entities.) The addition of ‘‘finders’’ to the definition of financial institutions imposes the obligations of the Rule on entities that engage in ‘‘finding’’ activity and also collect customer information.

351 The U.S. Small Business Administration Table of Small Business Size Standards Matched to North American Industry Classification System Codes (‘‘NAICS’’) are generally expressed in either millions of dollars or number of employees. A size standard is the largest a business can be and still qualify as a small business for Federal Government programs. For the most part, size standards are the annual receipts or the average employment of a firm. Depending on the nature of the financial services an institution provides, the size standard varies. By way of example, mortgage and nonmortgage loan brokers (NAICS code 522310) are classified as small if their annual receipts are $8.0 million or less. Consumer lending institutions (NAICS code 522291) are classified as small if their annual receipts are $41.5 million or less. Commercial banking and savings institutions (NAICS codes 522110 and 522120) are classified as small if their assets are $600 million or less. Assets are determined by averaging the assets reported on businesses’ four quarterly financial statements for the preceding year. The 2019 Table of Small Business Size Standards is available at https://www.sba.gov/sites/default/files/2019-08/SBA%20Table%20of%20Size%20Standards_Effective%20Aug%2019%2C%202019_Rev.pdf.
The addition of more detailed requirements may require some financial institutions to perform additional risk assessments or monitoring, or to create additional safeguards as set forth in the Proposed Rule. These obligations may require institutions to retain employees or third-party service providers with skills in information security, but, as discussed above, the Commission believes most financial institutions will have already complied with many parts of the Rule as part of their information security programs required under the existing Rule. There may be additional related compliance costs (e.g., legal, new equipment or systems, modifications to policies or procedures), but, as discussed above, the Commission believes these are limited by several factors, including the flexibility of the Rule, the existing safeguards in place to comply with the existing Rule, and the exemption for financial institutions that maintain less consumer information. Although two commenters provided summaries of the expected expenses for some financial institutions to comply with the Rule, those estimates did not provide sufficient detail to fully evaluate whether they were accurate or representative of other financial institutions and appeared to be based, at least in part, on a misunderstanding of the requirement to appoint a Qualified Individual. The Commission believes, for most smaller financial institutions, there are very low-cost solutions for any additional duties imposed by the Final Rule.
This view is supported by the comments of several experts at the Safeguards Rule Workshop.352 The Commission believes the protection of consumers’ financial information is of the utmost importance and the cost of the safeguards required to provide that protection is justified and necessary. The Commission carefully balanced the cost of these requirements with the need to protect consumer information and has made every effort to ensure the Final Rule retains flexibility so financial institutions can tailor information security programs to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

352 See, e.g., Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (describing virtual CISO services); Matthew Green, Safeguards Workshop Tr., supra note 17, at 225 (noting website usage of encryption for data in motion is above 80 percent; ‘‘Let’s Encrypt’’ provides free TLS certificates; and costs have gone down to the point that if a financial institution is not using TLS encryption for data in motion, it is making an unusual decision outside the norm); Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 106 (‘‘[T]he encryption of data in transit has been standard. There’s no pushback with that.’’); Slides Accompanying the Remarks of Lee Waters, ‘‘Information Security Programs and Smaller Businesses,’’ in Safeguards Workshop Slides, supra note 72, at 26 (‘‘Estimated Costs of Proposed Changes,’’ estimating costs of multi-factor authentication to be $50 for smartcard or fingerprint readers, and $10 each per smartcard); Slides Accompanying Remarks of Wendy Nather, Safeguards Workshop Slides, supra note 72, at 37 (chart showing the use of multi-factor authentication solutions such as Duo Push, phone call, mobile passcode, SMS passcode, hardware token, Yubikey passcode, and U2F token in industries such as financial services and higher education).

5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives

The standards in the Final Rule allow a small financial institution to develop an information security program appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. The amendments include certain design standards (e.g., a company must implement encryption, authentication, and incident response) in the Rule, in addition to the performance standards (reasonable security) the Rule currently uses. As discussed, while these design standards may introduce some additional burden, the Commission believes many financial institutions’ existing information security programs already meet most of these requirements. In addition, the requirements in the Final Rule, like those in the existing Rule, are designed to allow financial institutions flexibility in how and whether they should be implemented. For example, the requirement encryption be used to protect customer information in transit and at rest may be met with effective alternative compensating controls if encryption is infeasible for a given financial institution. In addition, the amendments exempt financial institutions that maintain relatively small amounts of customer information from certain requirements of the Final Rule. The exemptions would apply to financial institutions that maintain customer information concerning fewer than ten thousand consumers. The Commission believes exempted financial institutions are generally, but not exclusively, small entities.
Such financial institutions are not required to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessment, prepare a written incident response plan, or prepare an annual written report by the Qualified Individual. These exemptions are intended to reduce the burden on smaller financial institutions. The Commission believes the obligations subject to these exemptions are the ones most likely to cause undue burden on smaller financial institutions. Exempted financial institutions will still need to conduct risk assessments, design and implement a written information security program with the required elements, utilize qualified information security personnel and train employees, monitor activity of authorized users, oversee service providers, and evaluate and adjust their information security program. These are core obligations under the Rule any financial institution that collects customer information must meet, regardless of size.

The Commission considered allowing compliance with a third-party data security standard, such as the NIST framework, to act as a safe harbor for compliance with the Rule. The Commission, however, determined any reduction of burden created by allowing such safe harbors is offset by issues they would cause. For example, such safe harbors would require the Commission to monitor the third-party standard or standards to determine whether they continued to align with the Safeguards Rule. In addition, the Commission would still have to investigate a company’s compliance with the outside standard in any enforcement action. The Commission also does not agree compliance with an outside standard is likely to be less burdensome than complying with the Safeguards Rule itself.

VI. Other Matters

Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a ‘‘major rule,’’ as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 314

Consumer protection, Credit, Data protection, Privacy, Trade practices.

For the reasons stated above, the Federal Trade Commission amends 16 CFR part 314 as follows:

PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

■ 1. The authority citation for part 314 continues to read as follows:

Authority: 15 U.S.C. 6801(b), 6805(b)(2).

■ 2. In § 314.1, revise paragraph (b) to read as follows:

§ 314.1 Purpose and scope.

* * * * *

(b) Scope. This part applies to the handling of customer information by all financial institutions over which the Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’) has jurisdiction. Namely, this part applies to those ‘‘financial institutions’’ over which the Commission has rulemaking authority pursuant to section 501(b) of the Gramm-Leach-Bliley Act. An entity is a ‘‘financial institution’’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. The ‘‘financial institutions’’ subject to the Commission’s enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically, those entities include, but are not limited to, mortgage lenders, ‘‘pay day’’ lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.
They are referred to in this part as ‘‘You.’’ This part applies to all customer information in your possession, regardless of whether such information pertains to individuals with whom you have a customer relationship, or pertains to the customers of other financial institutions that have provided such information to you.

■ 3. Revise § 314.2 to read as follows:

§ 314.2 Definitions.

(a) Authorized user means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.

(b)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.

(2) For example:

(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

(iii) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer, regardless of whether you establish a continuing advisory relationship.

(iv) If you hold ownership or servicing rights to an individual’s loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.)
An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.

(v) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

(vi) An individual is not your consumer solely because he or she has designated you as trustee for a trust.

(vii) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.

(viii) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

(c) Customer means a consumer who has a customer relationship with you.

(d) Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

(e)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(2) For example:

(i) Continuing relationship.
A consumer has a continuing relationship with you if the consumer:

(A) Has a credit or investment account with you;

(B) Obtains a loan from you;

(C) Purchases an insurance product from you;

(D) Holds an investment product through you, such as when you act as a custodian for securities or for assets in an Individual Retirement Arrangement;

(E) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;

(F) Enters into a lease of personal property on a non-operating basis with you;

(G) Obtains financial, investment, or economic advisory services from you for a fee;

(H) Becomes your client for the purpose of obtaining tax preparation or credit counseling services from you;

(I) Obtains career counseling while seeking employment with a financial institution or the finance, accounting, or audit department of any company (or while employed by such a financial institution or department of any company);

(J) Is obligated on an account that you purchase from another financial institution, regardless of whether the account is in default when purchased, unless you do not locate the consumer or attempt to collect any amount from the consumer on the account;

(K) Obtains real estate settlement services from you; or

(L) Has a loan for which you own the servicing rights.

(ii) No continuing relationship.
A consumer does not, however, have a continuing relationship with you if:

(A) The consumer obtains a financial product or service from you only in isolated transactions, such as using your ATM to withdraw cash from an account at another financial institution; purchasing a money order from you; cashing a check with you; or making a wire transfer through you;

(B) You sell the consumer’s loan and do not retain the rights to service that loan;

(C) You sell the consumer airline tickets, travel insurance, or traveler’s checks in isolated transactions;

(D) The consumer obtains one-time personal or real property appraisal services from you; or

(E) The consumer purchases checks for a personal checking account from you.

(f) Encryption means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.

(g)(1) Financial product or service means any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

(h)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
(2) Examples of financial institutions are as follows:

(i) A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)(4)(F)), and issuing that extension of credit through a proprietary credit card demonstrates that a retailer is significantly engaged in extending credit.

(ii) An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

(iii) A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

(iv) A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
(v) A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution because printing and selling checks is a financial activity that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

(vi) A business that regularly wires money to and from consumers is a financial institution because transferring money is a financial activity referenced in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(A), and regularly providing that service demonstrates that the business is significantly engaged in that activity.

(vii) A check cashing business is a financial institution because cashing a check is exchanging money, which is a financial activity listed in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(A).

(viii) An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).

(ix) A business that operates a travel agency in connection with financial services is a financial institution because operating a travel agency in connection with financial services is a financial activity listed in 12 CFR 225.86(b)(2) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).

(x) An entity that provides real estate settlement services is a financial institution because providing real estate settlement services is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

(xi) A mortgage broker is a financial institution because brokering loans is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

(xii) An investment advisory company and a credit counseling service are each financial institutions because providing financial and investment advisory services are financial activities referenced in section 4(k)(4)(C) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(C).

(xiii) A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1).

(3) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.);

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by §§ 313.14 and 313.15; or

(iv) Entities that engage in financial activities but that are not significantly engaged in those financial activities, and entities that engage in activities incidental to financial activities but that are not significantly engaged in activities incidental to financial activities.

(4) Examples of entities that are not significantly engaged in financial activities are as follows:

(i) A retailer is not a financial institution if its only means of extending credit are occasional ‘‘lay away’’ and deferred payment plans or accepting payment by means of credit cards issued by others.

(ii) A retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.

(iii) A merchant is not a financial institution merely because it allows an individual to ‘‘run a tab.’’

(iv) A grocery store is not a financial institution merely because it allows individuals to whom it sells groceries to cash a check, or write a check for a higher amount than the grocery purchase and obtain cash in return.

(i) Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
(j) Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.

(k) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors:

(1) Knowledge factors, such as a password;

(2) Possession factors, such as a token; or

(3) Inherence factors, such as biometric characteristics.

(l)(1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

(2) Nonpublic personal information does not include:

(i) Publicly available information, except as included on a list described in paragraph (l)(1)(ii) of this section; or

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

(3) For example:

(i) Nonpublic personal information includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information (that is not publicly available), such as account numbers.
(ii) Nonpublic personal information does not include any list of individuals’ names and addresses that contains only publicly available information, is not derived, in whole or in part, using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

(m) Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.

(n)(1) Personally identifiable financial information means any information:

(i) A consumer provides to you to obtain a financial product or service from you;

(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

(2) For example:

(i) Information included. Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;

(D) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;

(E) Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account;

(F) Any information you collect through an internet ‘‘cookie’’ (an information collecting device from a web server); and

(G) Information from a consumer report.
(ii) Information not included. Personally identifiable financial information does not include:

(A) A list of names and addresses of customers of an entity that is not a financial institution; and

(B) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

(o)(1) Publicly available information means any information that you have a reasonable basis to believe is lawfully made available to the general public from:

(i) Federal, State, or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by Federal, State, or local law.

(2) You have a reasonable basis to believe that information is lawfully made available to the general public if you have taken steps to determine:

(i) That the information is of the type that is available to the general public; and

(ii) Whether an individual can direct that the information not be made available to the general public and, if so, that your consumer has not done so.

(3) For example:

(i) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a website that is available to the general public on an unrestricted basis. A website is not restricted merely because an internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.

(iii) Reasonable basis.
(A) You have a reasonable basis to believe that mortgage information is lawfully made available to the general public if you have determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.

(B) You have a reasonable basis to believe that an individual’s telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.

(p) Security event means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.

(q) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.

(r) You includes each ‘‘financial institution’’ (but excludes any ‘‘other person’’) over which the Commission has enforcement jurisdiction pursuant to section 505(a)(7) of the Gramm-Leach-Bliley Act.

■ 4. In § 314.3, revise paragraph (a) to read as follows:

§ 314.3 Standards for safeguarding customer information.

(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.

* * * * *

■ 5. Revise § 314.4 to read as follows:

§ 314.4 Elements.

In order to develop, implement, and maintain your information security program, you shall:

(a) Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (for purposes of this part, ‘‘Qualified Individual’’). The Qualified Individual may be employed by you, an affiliate, or a service provider. To the extent the requirement in this paragraph (a) is met using a service provider or an affiliate, you shall:

(1) Retain responsibility for compliance with this part;

(2) Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual; and

(3) Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.

(b) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.

(1) The risk assessment shall be written and shall include:

(i) Criteria for the evaluation and categorization of identified security risks or threats you face;

(ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and

(iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
(2) You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.

(c) Design and implement safeguards to control the risks you identify through risk assessment, including by:

(1) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:

(i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and

(ii) Limit authorized users’ access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;

(2) Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy;

(3) Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your Qualified Individual;

(4) Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information;

(5) Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;

(6)(i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and

(ii) Periodically review your data retention policy to minimize the unnecessary retention of data;

(7) Adopt procedures for change management; and

(8) Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

(d)(1) Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.

(2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:

(i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and

(ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.

(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:

(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;

(2) Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;

(3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and

(4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
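As an added illustration (not part of the Rule or its text) of how a financial institution might check its own authentication records against the definition of multi-factor authentication in § 314.2(k) and the access requirement in § 314.4(c)(5): a login counts as multi-factor only when at least two different factor types were verified, so two knowledge factors (a password plus a PIN) do not qualify, and a single-factor login is a finding unless the Qualified Individual has approved an equivalent control in writing for that system. The authenticator-to-factor mapping, the log line format, and the sample log lines below are constructed for this example.

```python
"""Evaluate authentication events against 16 CFR 314.2(k) (definition of
multi-factor authentication) and 314.4(c)(5) (MFA for access to any
information system). Illustrative example, not part of the Rule."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # 314.2(k)(1): something the user knows
    POSSESSION = "possession"    # 314.2(k)(2): something the user has
    INHERENCE = "inherence"      # 314.2(k)(3): something the user is


# Assumed mapping from authenticator type to factor category. The Rule only
# names the three categories; which products fall where is this example's choice.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "sms_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factor_types(authenticators):
    """Distinct factor categories represented by the authenticators verified.
    Unknown authenticator names are ignored rather than credited."""
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators if a in AUTHENTICATOR_FACTOR}


def is_mfa(authenticators):
    """True when at least two *different* factor types were verified (314.2(k)).
    Two authenticators from the same category, e.g. password + PIN, do not count."""
    return len(factor_types(authenticators)) >= 2


@dataclass
class AuthEvent:
    user: str
    system: str
    authenticators: tuple  # authenticator types verified for this login


def parse_event(line):
    """Parse one constructed log line: 'user=alice system=crm auth=password+totp'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AuthEvent(fields["user"], fields["system"], tuple(fields["auth"].split("+")))


def evaluate(lines, approved_equivalents=frozenset()):
    """Return (system, user, finding) tuples for logins that do not meet 314.4(c)(5).

    approved_equivalents: systems for which the Qualified Individual has approved
    in writing a reasonably equivalent or more secure access control; single-factor
    logins to those systems are not flagged."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_mfa(ev.authenticators) or ev.system in approved_equivalents:
            continue
        findings.append((ev.system, ev.user,
                         "single-factor access: " + "+".join(ev.authenticators)))
    return findings


# Constructed sample log; "legacy-pbx" stands for a telephone switching system,
# which 314.2(j) counts as an information system when it holds or connects to
# customer information.
SAMPLE_LOG = [
    "user=alice system=loan-db auth=password+totp",
    "user=bob system=loan-db auth=password+pin",
    "user=carol system=legacy-pbx auth=password",
    "user=dave system=crm auth=fingerprint+hardware_token",
]

if __name__ == "__main__":
    for system, user, note in evaluate(SAMPLE_LOG, approved_equivalents={"legacy-pbx"}):
        print(f"{system}: {user}: {note}")
```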
(f) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards. (g) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to your operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; or any other circumstances that you know or have reason to know may have a material impact on your information security program. (h) Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control. Such incident response plan shall address the following areas: (1) The goals of the incident response plan; PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 (2) The internal processes for responding to a security event; (3) The definition of clear roles, responsibilities, and levels of decisionmaking authority; (4) External and internal communications and information sharing; (5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (6) Documentation and reporting regarding security events and related incident response activities; and (7) The evaluation and revision as necessary of the incident response plan following a security event. (i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. 
If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:

(1) The overall status of the information security program and your compliance with this part; and

(2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.

■ 6. Revise § 314.5 to read as follows:

§ 314.5 Effective date.

Section 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of December 9, 2022.

■ 7. Add § 314.6 to read as follows:

§ 314.6 Exceptions.

Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.

By direction of the Commission, Commissioners Phillips and Wilson dissenting.

April Tabor,
Secretary.

Note: The following appendix will not appear in the Code of Federal Regulations.

Appendix—Statements Issued on October 27, 2021

Statement of Chair Lina M. Khan Joined by Commissioner Rebecca Kelly Slaughter Regarding Regulatory Review of the Safeguards Rule

Today the FTC is significantly strengthening the Safeguards Rule,[1] first promulgated by the FTC twenty years ago pursuant to a Congressional directive to protect personal information that is stored by financial institutions. This revamping—the first time in the Rule’s history—is sorely needed.
In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security has cost Americans heavily.[2] The amendments adopted today require financial institutions to develop information security programs that can meet the challenges of today’s security environment. For Americans, the harms stemming from the types of security vulnerabilities that this Rule addresses are all too real. Victims of breaches have their most sensitive information exposed, making them more vulnerable to identity theft, phishing attacks, and other forms of fraud.[3] In 2018, almost 10 percent of Americans suffered some form of identity theft, costing many of them hundreds of dollars and dozens of hours of time, an experience that many describe as distressing.[4] For some, the cost is much higher, with victims losing tens of thousands of dollars.[5]

The Rule amendments the FTC is issuing today are strongly supported by the evidence in the record.[6] The evidence gathered from information security experts, industry associations, and consumer groups—those with hands-on experience in the area and knowledge of the field—decisively shows that the amendments are necessary. Of course, all of this information supplements the experience that Commission staff has obtained over twenty years of enforcing the Rule, and gained through investigations of companies’ data security practices under the FTC’s deception and unfairness authority. The dissent’s conclusion that these amendments are unnecessary is belied by both the reality of rampant data security breaches as well as the robust evidentiary record. The recent history of major data breaches affecting millions of consumers shows that more needs to be done to protect consumers’ sensitive information. Despite the increasing sophistication of cyberattacks, many businesses continue to offer inadequate security.[7] In particular, the massive Equifax breach, which the FTC alleged was caused by inadequate data security that could have been easily corrected by the company, is a glaring example of how a financial institution’s lax security practices can have devastating consequences for Americans.[8] The dissent’s suggestion that our current framework is sufficient falls flat in the face of such a stark example of the harm that can arise from avoidable lax security practices by covered financial institutions. Moreover, the dissent’s complaint that the rule is also informed by evidence arising from breaches and practices occurring in other types of industries misses the mark. Not only is there substantial evidence in the rulemaking record clearly illustrating security lapses of financial institutions that are covered by the Rule,[9] but the implication that we shouldn’t use our broader knowledge of common security pitfalls is unwise.

The record evidence also shows that the amendment’s requirements track bedrock principles of data security and represent proven elements of effective data security programs that reduce the risk of breaches.[10] The amended Rule requires that financial institutions’ information security plans address such core concepts as controlling who is accessing their system,[11] understanding their system,[12] monitoring what users do in their system,[13] and protecting the information contained in their system.[14] More particularly, it also requires encryption of customer information and the use of multifactor authentication. Adopting these practices will reduce the chances of a breach occurring. In fact, it is likely that the massive breach at Equifax could have been prevented or mitigated by adopting practices required by these amendments. For example, the Commission’s complaint alleged that the vulnerability that led to the breach was not detected for four months because Equifax’s automated vulnerability scanner was not configured to scan all of the networks in the system, something that could have been prevented if Equifax had performed an adequate inventory of its system as required by § 314.4(c)(2) of the amended Rule.[15] Equifax allegedly did not encrypt the data of 145 million consumers as required by § 314.4(c)(3) of the amended Rule; such encryption might have prevented the intruders from misusing individuals’ sensitive information, even if they were able to obtain it.[16] In addition, the complaint charged that Equifax did not adequately monitor activity on its network, which allowed intruders to access and use their network undetected for months; such monitoring will be required by § 314.4(c)(8).[17] Finally, and perhaps most importantly, Equifax split authority over its information security program between two people, which caused failures of communications and oversight.[18] Indeed, the U.S. House Committee on Oversight and Government identified Equifax’s organization as one of the major causes of the breach.[19] Appointing a single Qualified Individual as the coordinator of Equifax’s information security system, as required by § 314.4(a) of the amended Rule, could have helped prevent or limit the scope of one of the largest breaches in American history. By implementing the measures required in the amended Rule, financial institutions will prevent or mitigate many future breaches, protecting consumers and their information.

There is also no support for the dissent’s notion that the amendments eliminate financial institutions’ flexibility in a way that will hurt smaller businesses. The amendments require that information security programs address certain aspects of security, but do not prescribe any particular method for doing so. Specifically, the amended Rule requires that the information security program address areas such as access control, change management, information disposal, and monitoring user activity, but it does not require that financial institutions take any particular action in those areas. In fact, the Rule recognizes the concerns of small businesses and adopts appropriate flexibilities.

[1] 16 CFR part 314. Pursuant to the Gramm Leach Bliley Act (‘‘GLB’’ or ‘‘GLBA’’), Public Law 106–102, 113 Stat. 1338 (1999) (codified as amended in scattered sections of 12 and 15 U.S.C.), the Commission promulgated the Safeguards Rule in 2001.

[2] See, e.g., 2020 Internet Crime Report, Fed. Bur. Investigations, at 20 (Mar. 2021) (reporting consumer loss of over $128 million resulting from corporate data breaches to those who filed complaints in 2020 alone); Int’l Bus. Mach, Cost of a Data Breach, at 4 (2021) (estimating that the average cost of a single data breach has risen to $4.24 million).

[3] 2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters, Javelin Strategy, at 1 (Feb. 2013) (reporting that 1 in 4 recipients of a data breach notification become victims of identity theft); Michelle Singletary, Your online profile may help identity thieves, Washington Post (Feb. 28, 2012), https://www.washingtonpost.com/business/economy/michelle-singletary-your-online-profile-may-help-identity-thieves/2012/02/28/gIQAXFjygR_story.html (reporting that recipients of data breach letters are 9.5% more likely to suffer identity theft).

[4] See Erika Harrell, Victims of Identity Theft, 2018, U.S. Dep’t of Just., at 1 (Apr. 2021), https://bjs.ojp.gov/content/pub/pdf/vit18.pdf.

[5] See 2021 Consumer Aftermath Report, Identity Theft Resource Center (2021), at 6 (finding that in a study of 427 identity crime victims, 21% of them suffered losses of over $20,000).

[6] The Commission first sought public comments on the proposed amendments in April 2019. See Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 84 FR 13150; Standards for Safeguarding Customer Information, 84 FR 13158 (April 4, 2019). The agency received almost 50 comments from consumer groups, industry associations, and data security experts. See FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, (FTC–2019–0019) (‘‘2019 Safeguards and Privacy NPRM’’), https://www.regulations.gov/docket/FTC-2019-0019/document. Further, the Commission conducted a workshop discussing the proposed amendments with information security professionals and experts, including IT staff from financial institutions covered by the Safeguards Rule. See Transcript, Information Security and Financial Institutions: An FTC Workshop to Examine Safeguards Rule, Fed. Trade Comm’n (July 13, 2020) (‘‘Safeguards Workshop’’), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf. Connected with the workshop, the Commission sought and received another round of public comments on the amendments. The eleven relevant public comments relating to the subject matter of the July 13, 2020, workshop can be found here: Postponement of Public Workshop Related to Proposed Changes to the Safeguards Rule, 85 FR 23354 (FTC–2020–0038) (Apr. 27, 2020) (‘‘Workshop Comment Docket’’), https://www.regulations.gov/document/FTC-2020-0038-0001.

[7] See, e.g., Electronic Privacy Information Center, Comment Letter No. 55 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019), at 3 (Aug. 1, 2019) (citing dramatic increase in data breaches at financial services firms affecting millions of consumers), https://www.regulations.gov/comment/FTC-2019-0019-0055; Consumer Reports, Comment Letter No. 52 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019) (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0052 (noting several high profile data breaches at financial institutions as evidence for the need for stronger regulation); Inpher, Inc., Comment Letter No. 50 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019), at 1 (Aug. 1, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0050 (pointing to major breaches at financial institutions as evidence for the need of stronger security regulations); Independent Community Bankers of America, Comment Letter No. 35 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019) (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0035 (noting that FTC-regulated financial institutions are subject to less stringent security requirements than those regulated by banking agencies, even though many handle the same types of information as those financial institutions); National Consumer Law Center et al., Comment Letter No. 58 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019) (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0058 (arguing that the recent Equifax breach showed the need for strengthening the Safeguards Rule); Cisco Systems, Inc., Comment Letter No. 51 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019) (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0051 (noting that sophisticated hacking techniques used in state sponsored attacks are likely to be adopted by ‘‘more garden variety, less sophisticated hackers.’’); Safeguards Workshop, at 24–26 (July 13, 2020) (remarks of Chris Cronin) (stating that many companies do not conduct complete or adequate risk assessments). Id. at 38–39 (remarks of Serge Jorgensen) (noting that businesses’ understanding of the need for security has improved, but that they continue to struggle to implement controls across business units). Id. at 39–41 (remarks of Chris Cronin) (stating that, ‘‘as a rule,’’ businesses of all sizes are ‘‘behind’’ on cybersecurity, attributing this in part to consultants whose advice about reasonable security is motivated by a desire to ‘‘make the clients happy’’). Id. at 43 (remarks of Pablo Molina) (citing ‘‘the mounting losses that come from cybercrime’’ as evidence that many businesses are ‘‘falling behind’’ cybercriminals). Id. at 114 (remarks of Brian McManamon) (noting that ‘‘the proposed changes are the minimum necessary to have an effective security program in place.’’). Id. at 44 (remarks of Sam Rubin) (noting that, in his experience, companies make significant investments in technical security measures but that investment in personnel to oversee and use those measures is ‘‘a huge shortcoming that I’m seeing in the field.’’); The Clearing House Association LLC, Comment Letter No. 49 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019), at 7–9 (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0049 (citing a 2018 study by the Center for Financial Inclusion that showed widespread data security failures among financial technology companies around the globe).

[8] Press Release, Fed. Trade Comm’n, Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, (July 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.

[9] See infra, note 7.

[10] See, e.g., for Single Qualified Individual Requirement: National Consumer Law Center et al., supra note 7, at 3 (arguing that a clear line of reporting with a single responsible individual could have prevented the Equifax consumer data breach); Safeguards Workshop, at 182–84 (remarks of Adrienne Allen) (stating that without a single responsible individual, information security staff ‘‘can fall into traps of each relying on someone else to make a hard call . . . [In a program without a single coordinator] issues can sometimes fall through the cracks.’’). Id. at 184–85 (remarks of Michele Norin) (‘‘I think it’s extremely important to have a person in front of the information security program. I think that there are so many components to understand, to manage, to keep an eye on. I think it’s difficult to do that if it’s part of someone else’s job. And so I found that it’s extremely helpful to have a person in charge of that program just from a pure basic management perspective and understanding perspective.’’); Risk Assessment Requirement: Id. at 25 (remarks of Chris Cronin) (stating that evaluating the likelihoods and impacts of potential security risks and evaluating existing controls is an important component of a risk assessment). Id. at 29–30 (remarks of Serge Jorgensen) (emphasizing the importance of risk assessments as tools for adjusting existing security measures to account for both current and future security threats); Encryption Requirement: Princeton University Center for Information Technology Policy, Comment Letter No. 54 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019), at 3 (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0054 (noting the effectiveness of encryption); Inpher, Inc., supra note 7, at 4; Safeguards Workshop, at 225 (remarks of Matthew Green) (noting website usage of encryption is above 80 percent; ‘‘Let’s Encrypt’’ provides free TLS certificates; and costs have gone down to the point that if a financial institution is not using TLS encryption for data in motion, it is making an unusual decision outside the norm). Id. at 106 (remarks of Rocio Baeza) (‘‘[T]he encryption of data in transit has been standard. There’s no pushback with that.’’); Multifactor Authentication Requirement: Princeton University Center for Information Technology Policy, supra note 10, at 6–7; Electronic Privacy Information Center, supra, note 7, at 8; National Consumer Law Center et al., supra note 7, at 2; Safeguards Workshop, at 102 (remarks of Brian McManamon) (stating that his company TECH LOCK supports requiring multifactor authentication for users connecting from internal networks). Id. at 266 (remarks of Matthew Green) (explaining that passwords are not enough of an authentication feature but when MFA is used and deployed, the defenders can win against attackers). Id. at 239 (describing how because smart phones have modern secure hardware processors, biometric sensors and readers built in, increasingly consumers can get the security they need through the devices they already have by storing cryptographic authentication keys on the devices and then using the phone to activate them); Incident Response Plan: Credit Union National Association, Comment Letter No. 30 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019), at 2 (Aug. 1, 2019), https://www.regulations.gov/document/FTC-2019-0019-0030 (noting that an incident response plan ‘‘helps ensure that an entity is prepared in case of an incident by planning how it will respond and what is required for the response.’’). Consumer Reports, supra note 7, at 6 (observing that ‘‘a written incident response plan is an essential component of a good security system.’’); HITRUST, Comment Letter No. 18 on 2019 Safeguards and Privacy NPRM (FTC–2019–0019), at 2 (July 1, 2019), https://www.regulations.gov/document/FTC-2019-0019-0018 (commenting that incident response plans can help organizations ‘‘to better allocate limited resources.’’). Safeguards Workshop, at 52 (remarks of Serge Jorgenson) (observing that a prompt response to an incident can prevent a ‘‘threat actor running around in my environment for days, months, years, and able to access anything they want.’’); Board Reporting Requirement: Workshop participants Adrienne Allen, Karthik Rangarajan, and Michele Norin each emphasized that such reporting can aid decision making. See Safeguards Workshop, at 201–09; see also Rocio Baeza, Comment Letter No. 12 on Workshop Comment Docket (FTC–2020–0038), at 3–8 (Aug. 12, 2020), https://www.regulations.gov/comment/FTC-2020-0038-0012 (supporting requirement and providing sample report form and compliance questionnaire); Juhee Kwon et al., The Association Between Top Management Involvement and Compensation and Information Security Breaches, J. L. Info. Sys., at 219–236 (2013) (‘‘. . . the involvement of an IT executive decreases the probability of information security breach reports by about 35 percent . . .’’); Julia L. Higgs et al., The Relationship Between Board-Level Technology Committees and Reported Security Breaches, J. L. Info. Sys., at 79–98 (2016) (‘‘[A]s a technology committee becomes more established, its firm is not as likely to be breached. To obtain further evidence on the perceived value of a technology committee, this study uses a returns analysis and finds that the presence of a technology committee mitigates the negative abnormal stock returns arising from external breaches.’’).

[11] 16 CFR 314.4(c)(1).

[12] 16 CFR 314.4(c)(2).

[13] 16 CFR 314.4(c)(8).

[14] 16 CFR 314.4(c)(3) and 314.4(c)(5).

[15] Compl. for Permanent Injunction & Other Relief., FTC v. Equifax, Inc., No. 1:19–mi–99999–UNA (N.D. Ga. July 22, 2019) ¶ 17.

[16] Id. ¶ 22.E.

[17] Id. ¶ 22.F.
Section 314.6 of the revised Rule exempts financial institutions that maintain information concerning fewer than 5,000 consumers from certain requirements. In addition, financial institutions with smaller and simpler systems may determine that minimal procedures are required in those areas, and they retain flexibility under these amendments to follow that route. Moreover, the record contains significant evidence that there are free and low-cost solutions for smaller businesses with more modest data security needs.[20]

We believe that these amendments represent a much-needed step forward in protecting Americans’ data security. Given growing recognition that the requirements captured in the Rule represent best practices, some financial institutions seem to have already taken appropriate steps to protect customers’ data and meet the requirements set out in the amended Rule. It is important, though, to require those that lag behind to strengthen their security and prevent future breaches before they occur, rather than in the wake of a devastating breach after the damage has already been done.

[18] While the dissent questions the requirements in the Rule regarding elevating security issues to the top levels of the corporate structure, research supports these requirements. Boards are becoming increasingly involved in cybersecurity governance, as demonstrated by surveys of practitioners and the growth of literature aimed at educating board members on cybersecurity. Some studies suggest that Board attention to data security decisions can dramatically improve data safeguarding. For example, one study found a 35% decrease in the probability of information security breaches when companies include the Chief Information Security Officer (or equivalent) in the top management team and the CISO has access to the board. See Juhee Kwon et al., supra note 10; see also Safeguards Workshop, at 201–09.

[19] U.S. H. Rep. Comm. on Oversight and Gov. Reform, Majority Staff Report on The Equifax Data Breach, 115th Cong., at 55–62 (Dec. 2018).

[20] See, e.g., Safeguards Workshop, at 267 (remarks of Wendy Nather) (‘‘we have a lot more options, a lot more technologies today than we did before that are making both of these solutions, both encryption and MFA, easier to use, more flexible, in some cases cheaper, and we should be encouraging their adoption wherever possible.’’). Id. at 265–66 (remarks of Matthew Green) (‘‘I think that we’re in a great time when we’ve reached the point where we can actually mandate that encryption be used. . . . And we’ve reached the point where now it is something that’s come to be and we can actually build well.’’). Id. at 229–30 (remarks of Randy Marchany) (noting that encryption is already built into the Microsoft Office environment and that a number of Microsoft products, such as Spreadsheets, Excel, Docs, and PowerPoint, support that encryption feature). Id. at 225. Id. at 106 (remarks of Rocio Baeza) (‘‘[T]he encryption of data in transit has been standard. There’s no pushback with that.’’). Id. at 74 (remarks of James Crifasi) (stating that car dealerships can rely on existing staff for the role of Qualified Individual). Id. at 78–79 (remarks of Lee Waters) (stating that any dealership with any IT staff at all would have someone who could assume the role of ‘‘qualified individual,’’ perhaps requiring some additional research or outside help). Id. at 81–82 (remarks of Rocio Baeza) (stating that companies may use an existing employee for the role and ‘‘for any areas where there may be skill gaps, that can be supplemented with either certifications or some type of education.’’). Id. at 89–90 (remarks of Brian McManamon) (noting that the size of a financial institution and the amount and nature of the information that it holds factor into an appropriate information security program); Presentation Slides, Inf. Security & Fin. Inst.: An FTC Workshop of GLB Safeguards, at 27–28 (July 13, 2020) (slides accompanying remarks of Rocio Baeza, ‘‘Models for Complying to the Safeguards Rule Changes’’) (‘‘Safeguards Workshop Presentation Slides’’), https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (describing three different compliance models: in-house, outsource, and hybrid, with costs ranging from $199 per month to more than $15,000 per month). Safeguards Workshop, at 81–83 (remarks of Rocio Baeza) (describing three compliance models in more detail); Safeguards Workshop Presentation Slides, at 29 (remarks of Brian McManamon, ‘‘Sample Pricing’’) (estimating the cost of cybersecurity services based on number of endpoints). Id. at 83–85.

Joint Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson in the Matter of the Final Rule Amending the Gramm-Leach-Bliley Act’s Safeguards Rule

In 1999, Congress passed the Gramm-Leach-Bliley Act, which charged the Federal Trade Commission (the ‘‘Commission’’) with promulgating and enforcing a regulation to ensure that financial firms take care to safeguard the information they collect from consumers.[1] The Safeguards Rule[2] has established more data security obligations for consumer financial data than for data collected by non-financial firms, a gap that underlies our view—shared by our colleagues—that congressional data security legislation is warranted. One hallmark of the Safeguards Rule is its recognition that, in a world of continuously evolving threats and standards, a one-size-fits-all approach to data security may not work. Under Democratic and Republican leadership, the Commission has repeatedly emphasized this principle.[3] We have traditionally eschewed an overly prescriptive approach, both to data security in general and to the Safeguards Rule itself.[4] The FTC has never demanded ‘‘perfect’’ security because the Commission has recognized that data security is neither cost- nor consequence-free, and often requires tradeoffs.[5] At the same time, during our tenure, the Commission has continued to enforce data security standards vigorously, including those embodied in the Safeguards Rule.[6]

In March 2019, the Commission approved a Notice of Proposed Rulemaking (‘‘NPRM’’) proposing additional requirements to the Safeguards Rule. While we recognize the value in regularly reviewing our rules and updating them as needed, we dissented then because the proposal lacked data demonstrating the need for and efficacy of the proposed amendments.[7] We appreciate Staff’s diligent work on this rule and many of the modifications made to the original proposal.

[1] Public Law 106–102, 113 Stat. 1338 (1999). Notably, even as it transferred authority for other consumer financial regulation to the Consumer Financial Protection Bureau in the Dodd-Frank Act, Congress left this rulemaking authority with the Commission, a vote of confidence in our approach. 15 U.S.C. 6804(a)(1).

[2] 16 CFR part 314.

[3] See, e.g., Federal Trade Commission, Statement Marking the FTC’s 50th Data Security Settlement, at 1 (Jan. 31, 2014), https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf (‘‘FTC Data Security Statement’’) (‘‘Through its settlements, testimony, and public statements, the Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.’’); see also Prepared Statement of the Federal Trade Commission: Before the Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, 116 Cong. 3 (2019) (statement of Andrew Smith, Director, Bureau of Consumer Protection) (‘‘[t]here is no one-size-fits-all data security program . . .’’), https://www.ftc.gov/system/files/documents/public_statements/1466607/commission_testimony_re_data_security_senate_03072019.pdf. Federal Trade Commission, Stick with Security: A Business Blog Series (Oct. 2017), https://www.ftc.gov/news-events/blogs/business-blog/2017/10/stick-security-ftc-resources-your-business.

[4] FTC Notice of Proposed Rulemaking, 84 FR 13158 (Apr. 4, 2019), https://www.federalregister.gov/documents/2019/04/04/2019-04981/standards-for-safeguarding-customer-information (‘‘The Commission continues to believe that a flexible, non-prescriptive Rule enables covered organizations to use it to respond to the changing landscape of security threats, to allow for innovation in security practices, and to accommodate technological changes and advances.’’).

[5] Under the FTC’s unfairness authority, the Commission brings cases when companies under its jurisdiction fail to employ ‘‘reasonable’’ security. FTC Data Security Statement, supra note 3 (‘‘The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.’’).

[6] See, e.g., In the matter of Ascension Data & Analytics, LLC, FTC File No. 1923126 (2020), https://www.ftc.gov/enforcement/cases-proceedings/192-3126/ascension-data-analytics-llc-matter; U.S. v. Mortgage Solutions FCS, Inc., Civ. Action No. 4:20–cv–110 (N.D. Cal 2020), https://www.ftc.gov/enforcement/cases-proceedings/1823199/mortgage-solutions-fcs-inc; FTC v. Equifax, Inc., Civ. Action No. 1:19–cv–03297–TWT (N.D. Ga. 2019), https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc.
The Federal Register Notice does a commendable job of presenting the full panoply of comments that the Commission received. The FTC is at its best when it seeks input from experts, industry, and consumer groups; this rulemaking process reflects a commitment to that approach. But the comment period did not produce data demonstrating that the previous iteration of the rule was inadequate, or that the costs and consequences of the new prescriptive obligations will translate into actual consumer safeguards. That was our concern, and the comments did not allay it. In fact, as several commenters observed, the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions. It is ironic that the revisions mandate a risk assessment and then order firms to prioritize specified precautions ahead of the risks and needs counseled by that assessment. The revisions also impose intrusive corporate governance obligations wholly unsupported by record evidence of prevalent failures at the senior managerial level. For these reasons, which we explain more fully below, we dissent. The Record Fails To Provide a Basis for the New Requirements We expressed concern in March 2019 that some of the proposals in the NPRM tracked issues that arose in cases involving firms not covered by the Safeguards Rule. That is, those failures occurred at companies to which the Safeguards Rule did not apply. And heightened obligations imposed in a settlement context, when a company has engaged in risky and allegedly illegal behavior, may not be appropriate for all market participants. We did not see evidence that covered firms had a systematic problem—i.e., that the Rule was not 7 Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Review of Safeguards Rule (Mar. 
5, 2019), https://www.ftc.gov/system/files/documents/ public_statements/1466705/reg_review_of_ safeguards_rule_cmr_phillips_wilson_dissent.pdf; See, e.g., Noah Joshua Phillips (@FTCPhillips), Twitter (Mar. 5, 2019, 3:08 p.m.), https:// twitter.com/FTCPhillips/status/ 1103024596247289867 (‘‘A reexamination of the Rule may indeed be appropriate and necessary; but, before we borrow from other existing schemes, we must first understand whether the existing Rule is inadequate for its purpose and whether the data supports the efficacy of the alternatives.’’); Christine S. Wilson, Remarks at NAD 2020, One Step Forward, Two Steps Back: Sound Policy on Consumer Protection Fundamentals 7–8 (Oct. 5, 2020), https://www.ftc.gov/system/files/documents/ public_statements/1581434/wilson_remarks_at_ nad_100520.pdf. E:\FR\FM\09DER3.SGM 09DER3 70312 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES3 working.8 The Commission can—and does— promote best practices and reasonable care requirements through speeches, guidance, reports, and the like, to help financial firms evaluate whether they are taking proper precautions.9 But new rules that set concrete standards for all companies, regardless of risk, require more justification. Such rules make companies liable for penalties, and could focus efforts on compliance to address penalty deterrence rather than risk. Dozens of commenters have shared their views on the Safeguards proposal, and FTC Staff held a workshop to evaluate the need to change the Rule. While there is no shortage of opinions as to the need and benefits of the proposed changes (nor is there a shortage of opinions critiquing the new requirements), this process failed to provide evidence of market failure or other systemic problems 10 necessitating the proposed changes for firms already governed by the requirements of the Rule. 
In fact, one commenter that generally supported the rule changes noted that it was not clear that the new rules would have prevented the alleged 8 Commenters on the proposed rules reflected these same concerns. See, e.g, CTIA (comment 34, NPRM) at 4, https://www.regulations.gov/comment/ FTC/2019-0019-0034 (observing that most examples cited in the NPRM are from non-financial firms and arguing that the FTC’s action in Equifax demonstrated that the agency is able to use to the current framework effectively); Global Privacy Alliance (comment 38, NPRM) at 4, https:// www.regulations.gov/comment/FTC/2019-00190038 (the changes to the rules started not from FTC experience but rather from state laws); Electronic Transactions Association (comment 27, NPRM), https://www.regulations.gov/comment/FTC/20190019-0027 (the current rule is effective and there are no harms that warrant these changes); National Automobile Dealers Association (comment 46, NPRM) at 6, https://www.regulations.gov/comment/ FTC/2019-0019-0046 (‘‘[N]ew requirements for all financial institutions should not be based on unrelated enforcement actions that may not be generally applicable to all financial institutions subject to the Rule.’’). 9 Federal Trade Commission, Data Security, https://www.ftc.gov/datasecurity. 10 One study cited by commenters pointed toward widespread problems among fintech firms ‘‘including misuse of cryptography, use of weak cryptography, and excessive permission requirements.’’ The Clearing House Association LLC (comment 49, NPRM) at 7–9, https:// www.regulations.gov/comment/FTC/2019-00190049 (citing a 2018 study by the Center for Financial Inclusion, https://content.centerfor financialinclusion.org/wp-content/uploads/sites/2/ 2018/09/CFI43-CFI_Online_Security-Final2018.09.12.pdf). This study included firms from around the world and did not indicate that this limited set of issues arose in U.S. firms covered by the Safeguards Rule. 
See also National Automobile Dealers Association (comment 46, NPRM) at 46, https://www.regulations.gov/comment/FTC/20190019-0046 (‘‘These requirements have largely not been proven to be necessary or effective.’’). Participants at the FTC’s July 2020 Workshop generally agreed that companies could invest more in security, but the fact of under-investment does not mean that these changes to the Safeguards Rule constitute the best course of action. FTC, Information Security and Financial Institutions: An FTC Workshop to Examine Safeguards Rule Tr. at 23–70 (July 13, 2020), https://www.ftc.gov/system/ files/documents/public_events/1567141/transcriptglb-safeguards-workshop-full.pdf (‘‘Safeguards Workshop’’). VerDate Sep<11>2014 18:18 Dec 08, 2021 Jkt 256001 lapses that led to the Equifax breach, the largest Safeguards case on record.11 That these proposals may constitute best practices appropriate to certain firms or situations does not justify imposing them on every firm and in every situation.12 The FTC historically has been appropriately cautious in mandating specific security practices, and we see no sound basis in the rulemaking record to change that approach.13 The Revised Safeguards Rule Is Premature In our 2019 statement, we expressed concern that the proposals in the NPRM were premature. They are based in large part on the New York Department of Financial Service data security rules,14 adopted in 2016. At the same time, Congress and the Executive Branch were evaluating new privacy and data security legislation that may overlap with the proposed amendments.15 Since our original statement, we have been provided with no additional information on the impact and efficacy of the NYDFS rules.16 Without this critical input, we do not believe adopting wholesale the NYDFS approach is the prudent course.17 We would have been better served by monitoring the efficacy, costs and unintended consequences of the NYDFS rules during this ramp-up period. 
Imposing similar rules on far more firms across a broader array of industries makes even less sense. Congress, with the encouragement of the Commission, has continued to consider legislative initiatives in this area. Throughout 2019, 2020 and 2021, we saw the release of several draft bills addressing data security, as well as privacy.18 And other developments, such as data security requirements of the General Data Protection Regulation 19 and new cybersecurity incidents 20 ensure that 11 Consumer Reports (comment 52, NPRM), https://www.regulations.gov/comment/FTC/20190019-0052 at 2. Not all the commenters agreed with this perspective, and some felt that these rules would have prevented the Equifax breach. See National Consumer Law Center and others (comment 58, NPRM), https://www.regulations.gov/ comment/FTC/2019-0019-0058. Chair Khan and Commissioner Slaughter focus on the Equifax breach to justify the adoption of prescriptive and complex data security measures, measures that match the sophistication and complexity of the consumer financial data managed by one of the largest credit bureaus. But even assuming the new rules would have prevented it, one (albeit) highprofile breach, without more, should not be extrapolated to an entire industry with diverse business models housing varied consumer financial data. Reasonable safeguards for a company like Equifax, based on its size and complexity, the nature and scope of its activities, and the sensitivity of the information involved, would likely outpace procedures that would be appropriate or reasonable for a sole proprietorship or small business. 12 While the Final Rule is based on proposals from New York State Department of Financial Services (‘‘NYDFS’’), the FTC imposes its requirements much more broadly than the NYDFS Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Pt. 500. 
The NYDFS requirements exempt a much larger cross-section of organizations from the most onerous, prescriptive, and expensive provisions in their rule. 23 NYCRR § 500.19. Nor do the exceptions in the Final Rule, while helpful, suffice. 13 Unfortunately, this is not the first time this Commission has emphasized what we can do over what we should do. See, e.g., Joint Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson, In the matter of Resident Home LLC, Commission File No. 2023179 (Oct. 7, 2021), https://www.ftc.gov/system/files/documents/ public_statements/1597270/resident_home_ dissenting_statement_wilson_and_phillips_final_ 0.pdf; Joint Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson, U.S. v. iSpring Water Systems, LLC, Commission File No. C4611 (Apr. 12, 2019), https://www.ftc.gov/system/ files/documents/public_statements/1513499/ ispring_water_systems_llc_c4611_modified_joint_ statement_of_commissioners_phillips_and_wilson_ 4-12.pdf. 14 Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Pt. 500 (2016). 15 See Consumer Data Industry Association (comment 36, NPRM) at 2, https:// www.regulations.gov/document?D=FTC-2019-00190036 (noting that the NY rule is too recent and Congress is debating new legislation that should be left to Congress to resolve); National Automobile Dealers Association (comment 46, NPRM) at 46, https://www.regulations.gov/comment/FTC-20190019-0046 (The new rules ‘‘are premature as they are based on untested and new standards in a rapidly changing environment, and in a context where federal debate is ongoing.’’); New York Insurance Association (comment 31, NPRM), https://www.regulations.gov/comment/FTC-20190019-0031 (it is premature to adopt these rules without the benefit of the state’s experience). 16 We appreciate the time and resources the NYDFS invested in commenting on our proposed rule. 
Though the NYDFS does say that its rules have ‘‘enhanced cybersecurity protection across the financial industry and fostered an environment in which the threat of a cyber attack is taken seriously at all levels of New York’s financial services firms,’’ it offers no supporting data. New York State Department of Financial Services (comment 40, NPRM), https://www.regulations.gov/comment/ FTC-2019-0019-0040. 17 As several commenters pointed out, the NYDFS rules are more nuanced that the amendments introduced today. For instance, under the NYDFS regulations, certain additional requirements only apply to a category of sensitive data, a limitation not carried through to the Safeguards Rule. See, e.g., U.S. Chamber of Commerce (comment 33, NPRM), https://www.regulations.gov/comment/FTC-20190019-0033; CTIA (comment 34, NPRM), https:// www.regulations.gov/comment/FTC/2019-00190034; Electronic Transactions Association (comment 27, NPRM), https://www.regulations.gov/ comment/FTC/2019-0019-0027. These distinctions only raise more questions and concerns about basing our regulations on the New York rules. 18 See, e.g., Fourth Amendment is Not for Sale Act, S. 1265, 117th Cong. (2021); Data Care Act of 2021, S. 919, 117th Cong. (2021); Data Protection Act of 2021, S. 2134, 117th Cong. (2021); SAFE DATA Act, S. 2499, 117th Cong. (2021); Consumer Online Privacy Rights Act, S. 2968, 116th Cong. (2019). See also, California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq.; Virginia Consumer Data Protection Act, Va. Code § 59.1–575 et seq.; and Colorado Privacy Act, 2021 Colo. ALS 483, 2021 Colo. Ch. 483, 2021 Colo. SB. 190. 19 Council Directive 2016/679, art. 32 2016 O.J. (L119). 20 See, e.g., Joseph Menn and Christopher Bing, Hackers of SolarWinds stole data on U.S. sanctions policy, intelligence probes, Reuters (Oct. 
8, 2021), https://www.reuters.com/world/us/hackerssolarwinds-breach-stole-data-us-sanctions-policyintelligence-probes-2021-10-07/; Stephanie Kelly and Jessica Resnick-ault, One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators, Reuters (June 8, 2021), https:// www.reuters.com/business/colonial-pipeline-ceotells-senate-cyber-defenses-were-compromised- PO 00000 Frm 00042 Fmt 4701 Sfmt 4700 E:\FR\FM\09DER3.SGM 09DER3 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations these issues will continue to draw congressional attention. The decisions about tradeoffs in this space are complex and significant for consumers, business, and government; intrusive mandates are best left to the people’s representatives rather than to the vagaries of the administrative rulemaking process.21 khammond on DSKJM1Z7X2PROD with RULES3 The Revised Rules Inhibit Flexibility and Impose Substantial Costs The Safeguards Rule originally drafted and evaluated by the Commission embraced a flexible approach, emphasizing protections targeted to a company’s size and risk profile.22 As we wrote in 2019, these new rules move us away from that approach; that loss of flexibility will impose costs without necessarily improving safeguards for consumer data, which should be the point of this exercise. Commenters and the Commission itself have noted that there are financial impacts to these new requirements.23 The Small Business Administration’s Office of ahead-hack-2021-06-08; Carly Page, The Accellion data breach continues to get messier, TechCrunch (July 8, 2021), https://techcrunch.com/2021/07/08/ the-accellion-data-breach-continues-to-get-messier/; Peter Valdes-Dapena, Volkswagen hack: 3 million customers have had their information stolen, CNN (June 11, 2021), https://www.cnn.com/2021/06/11/ cars/vw-audi-hack-customer-information/ index.html. 21 Sen. Roger Wicker, Rep. 
Cathy McMorris Rodgers, & Noah Phillips, FTC must leave privacy legislating to Congress, Wash. Examiner (Sept. 29, 2021), https://www.washingtonexaminer.com/ opinion/op-eds/ftc-must-leave-privacy-legislatingto-congress. Substance aside, businesses and consumers need confidence to plan around new rules. As the recent—and perhaps future—debate about net neutrality rules has demonstrated, agency rules are subject to disruptive swings that undermine such confidence. 22 The Commission itself acknowledges the importance of flexibility in issuing the Final Rule. See, e.g., Final Rule at 27 (‘‘The Commission, however, believes that the elements provide sufficient flexibilityfor financial institutions to adopt information security programs suited to the size, nature, and complexity of their organization and information systems.’’) 23 See Final Rule; American Council on Education (comment 24, NPRM) at 13–14, https:// www.regulations.gov/comment/FTC-2019-00190024; Wisconsin Bankers Association (comment 37, NPRM) at 1–2, https://www.regulations.gov/ comment/FTC-2019-0019-0037; American Financial Services Association (comment 41, NPRM) at 4, https://www.regulations.gov/comment/FTC-20190019-0041; National Association of Dealer Counsel (comment 44, NPRM) at 1, https:// www.regulations.gov/comment/FTC-2019-00190044; National Automobile Dealers Association (comment 46, NPRM) at 11, https:// www.regulations.gov/comment/FTC-2019-00190046; National Independent Automobile Dealers Association, (comment 48, NPRM) at 3, https:// www.regulations.gov/comment/FTC-2019-00190048; Gusto and others (comment 11, Workshop) at 2–4, https://www.regulations.gov/comment/FTC2019-0019-0011; National Pawnbrokers Association (comment 3, NPRM) at 2, https:// www.regulations.gov/comment/FTC-2019-00190032; See also Remarks of James Crifasi, Safeguards Workshop, supra note 10, Tr. 
at 72–74, https:// www.ftc.gov/system/files/documents/public_events/ 1567141/transcript-glb-safeguards-workshopfull.pdf (study showing that compliance costs are unaffordable for small businesses). VerDate Sep<11>2014 18:18 Dec 08, 2021 Jkt 256001 Advocacy stated its belief that the Commission itself does not appear to understand fully the economic impact of the proposed changes to the Safeguards Rule.24 The burden of these new rules may also reduce competition and innovation, as smaller firms less able to absorb the financial costs cede ground to larger firms better equipped to handle new regulatory mandates.25 Security itself may also suffer. A series of specific rules can incentivize companies to move from a thoughtful assessment of risk and precautions to a check-the-box exercise to ensure that they are complying with regulatory mandates—in other words, from a focus on real security to an emphasis on rule compliance.26 One commenter cited data 24 Small Business Administration Office of Advocacy (comment 28, NPRM) at 3–4, https:// www.regulations.gov/comment/FTC-2019-00190028 (‘‘An agency cannot consider alternatives that minimize any significant economic impact if the agency does not know what the economic impact of the proposed action is.’’). 25 See CTIA (comment 34, NPRM), https:// www.regulations.gov/comment/FTC-2019-00190034 (noting the need for more study on the costs to competition); U.S. Chamber of Commerce (comment 33, NPRM) at 4, https:// www.regulations.gov/comment/FTC-2019-00190033 (‘‘Some private organizations can absorb the added costs, while others cannot.’’). See also Christine S. Wilson, Remarks at the Future of Privacy Forum, A Defining Moment for Privacy: The Time is Ripe for Federal Privacy Legislation 13 (Feb. 6, 2020), https://www.ftc.gov/system/files/ documents/public_statements/1566337/ commissioner_wilson_privacy_forum_speech_0206-2020.pdf (‘‘Importantly, the legislative framework should also consider competition. 
Regulations, by their nature, will impact markets and competition. GDPR may have lessons to teach us in this regard. Research indicates that GDPR may have decreased venture capital investment and entrenched dominant players in the digital advertising market.’’); Noah Joshua Phillips, Prepared Remarks at internet Governance Forum USA, Keep It: Maintaining Competition in the Privacy Debate (July 27, 2018), https://www.ftc.gov/ system/files/documents/public_statements/ 1395934/phillips_-_internet_governance_forum_727-18.pdf (discussing the competition impacts of new privacy rules). 26 See U.S. Chamber of Commerce (comment 33, NPRM), https://www.regulations.gov/comment/ FTC-2019-0019-0033; Consumer Data Industry Association (comment 36, NPRM), https:// www.regulations.gov/comment/FTC-2019-00190036; Global Privacy Alliance (comment 38, NPRM), https://www.regulations.gov/comment/ FTC/2019-0019-0038. While some parts of the rule, such as encryption requirements, allow security officials to make a written determination that a different precaution is appropriate, it seems unlikely that any individual security official will risk liability to make such a determination and the specific requirements here will likely become the default rule. 
American Council on Education (comment 24, NPRM) at 12, https:// www.regulations.gov/comment/FTC-2019-00190024 (‘‘In the absence of a clear delineation by the Commission of what alternatives an institutional information security executive might approve that the Commission considers reasonably equivalent, and assurance that they are reasonably applicable in our contexts, that pressure release valve in the requirement seems unlikely to release much pressure.’’); Software Information & Industry Association (comment 29, NPRM) at 3, https:// www.regulations.gov/comment/FTC-2019-00190056 (‘‘The mere threat of a per se law violation PO 00000 Frm 00043 Fmt 4701 Sfmt 4700 70313 demonstrating that when security personnel are busy with compliance and regulatory response, they have less time to focus on a firm’s actual security needs.27 Further, without the flexibility to prioritize, finite resources may be diverted to areas of lower risk but higher regulatory scrutiny; 28 commenters noted the irony of mandating a risk assessment and then ordering firms to prioritize specified precautions ahead of the risks and needs counseled by that assessment.29 And potentially innovative security practices that address changing threats and needs may be discouraged.30 As will chill these approvals except in the most ironclad circumstances, thereby potentially thwarting industry-wide adoption of new and better security standards.’’); New York Insurance Association (comment 31, NPRM), https:// www.regulations.gov/comment/FTC-2019-00190031 (‘‘This runs the risk that companies might feel compelled to encrypt all consumer data regardless of whether the CISO’s compensating controls would be second guessed in the event a company were to lose unencrypted customer information.’’); Mortgage Bankers Association (comment 26, NPRM) at 4, https://www.regulations.gov/comment/FTC2019-0019-0026 (noting the obligation to prepare an incident response plan had ‘‘the potential to cripple small businesses under 
the pressure of repeatedly checking the boxes for potential harmless events.’’). 27 Bank Policy Institute (comment 39, NPRM) at 6, https://www.regulations.gov/comment/FTC-20190019-0039 (‘‘When the sector surveyed its information security teams in late 2016, CISOs reported that approximately 40% of their cyber team’s time was spent on compliance related matters, not on cybersecurity. Due to one framework issuance, in particular, the reconciliation process delayed one firm’s implementation of a security event monitoring tool intended to better detect and respond to cyberattacks by 3–6 months. With respect to another issuance, another firm stated that 91 internal meetings were held to determine how that issuance aligned with its program and in gathering data for eventual regulatory requests.’’). 28 See U.S. Chamber of Commerce (comment 33, NPRM) at 4, https://www.regulations.gov/comment/ FTC-2019-0019-0033 (‘‘the proposed requirements would increasingly divert company resources toward compliance and away from risk management activities that are tailored to businesses’ unique security needs.’’); Software Information & Industry Association (comment 29, NPRM) at 3, https://www.regulations.gov/comment/ FTC-2019-0019-0056 (‘‘The effect of a prescriptive approach in this enforcement structure is to place companies in the position of forced compliance with potentially unnecessary or inapplicable requirements without the appropriate process for these covered entities to explain to a supervisory authority why it is unnecessary.’’); American Financial Services Association (comment 41, NPRM), https://www.regulations.gov/comment/ FTC-2019-0019-0041. In some cases, asking too much of small businesses for whom all this is a substantial undertaking may lead them to fail at even the basic protections. Safeguards Workshop, supra note 10, Tr. at 118–19 (July 13, 2020), https:// www.ftc.gov/system/files/documents/public_events/ 1567141/transcript-glb-safeguards-workshopfull.pdf. 
29 See Bank Policy Institute (comment 39, NPRM), https://www.regulations.gov/comment/FTC-20190019-0039; Money Services Round Table (comment 53, NPRM), https://www.regulations.gov/comment/ FTC-2019-0019-0053. 30 See Consumer Data Industry Association (comment 36, NPRM) at 7–8, https:// www.regulations.gov/comment/FTC-2019-0019- E:\FR\FM\09DER3.SGM Continued 09DER3 70314 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations one commenter noted, ‘‘[e]ven today’s best practices will be overtaken by future changes in both technology and the capabilities of threat actors,’’ 31 and these proscriptive rules lose the ‘‘self-modernizing’’ nature of flexible requirements,32 locking in place the primacy of current practices.33 The reduction in flexibility and imposition of these costs must be justified by a significant reduction in risk or some other substantial consumer benefit. But the record provides scant support for these tradeoffs. Or as one commenter put it: [A]s with many of these requirements, we do not take issue with the notion that there is merit to this step [requiring monitoring], and that many financial institutions will implement some version of this control. However, by making this an explicit, standalone requirement, the Commission is enshrining costs and efforts that will be khammond on DSKJM1Z7X2PROD with RULES3 0036 (minimization requirement can impact innovative uses more broadly). 31 See Cisco Systems Inc. (comment 51, NPRM) at 3, https://www.regulations.gov/comment/FTC-20190019-0051 (noting also in the context of multi-factor authentication that there will come a time when it is no longer the ‘‘appropriate baseline’’ and ‘‘covered entities could find themselves in full compliance with the rule as long as they use access control technology no less protective than MFA as defined in the Proposed Amendments.’’). 
32 National Automobile Dealers Association (comment 46, NPRM), https://www.regulations.gov/ comment/FTC-2019-0019-0046. 33 See CTIA (comment 34, NPRM) at 3–5, https:// www.regulations.gov/comment/FTC-2019-00190034 (flexibility in the rule allowed it to keep up with evolving threats, whereas new rule could limit innovation); HITRUST Alliance (comment 18, NPRM), https://www.regulations.gov/comment/ FTC-2019-0019-0018 (expressing concern about creating outdated requirements); The American Financial Services Association (comment 41, NPRM), https://www.regulations.gov/comment/ FTC-2019-0019-0041. VerDate Sep<11>2014 18:18 Dec 08, 2021 Jkt 256001 extensive and will likely not be needed in all circumstances.34 The Rules Involve the FTC in the Internal Governance Decisions of Covered Firms The specifics of the proposals also raise issues, as we expressed in 2019, with regard to mandating the appropriate level of board engagement,35 hiring and training requirements,36 and program accountability structures.37 We wrote then, and remain concerned now, that the Commission is substituting its own judgement about governance decisions for those of private companies covered by this Rule. In certain extraordinary cases involving clear evidence of management failure, we have imposed prescriptive governance obligations on respondents.38 Those rare and 34 National Automobile Dealers Association (comment 46, NPRM) https://www.regulations.gov/ comment/FTC-2019-0019-0046 (arguing that the Commission needs additional study into the costs and benefits); See also Consumer Data Industry Association (comment 36, NPRM), https:// www.regulations.gov/comment/FTC-2019-00190036 (benefits of new rule not justified by tradeoffs). 35 American Council on Education (comment 24, NPRM) at 16, https://www.regulations.gov/ comment/FTC-2019-0019-0024; National Automobile Dealers Association (comment 46, NPRM) at 41, https://www.regulations.gov/ comment/FTC-2019-0019-0046. 36 U.S. 
Chamber of Commerce (comment 33, NPRM) at 12, https://www.regulations.gov/ comment/FTC-2019-0019-0033; National Automobile Dealers Association (comment 46, NPRM) at 34–36, https://www.regulations.gov/ comment/FTC-2019-0019-0046. 37 See Final Rule. See also American Council on Education (comment 24, NPRM) at 14, https:// www.regulations.gov/comment/FTC-2019-00190024 (critiquing the intrusion on personnel practices). 38 U.S. v. Facebook, Inc., Civ. Action No. 19–cv– 2184 (D.D.C. July 24, 2019), https://www.ftc.gov/ PO 00000 Frm 00044 Fmt 4701 Sfmt 9990 egregious instances cannot justify a similar approach in a broad rulemaking absent a real record of widespread corporate mismanagement or failure at the senior management level. The Commission has elected to proceed with most of these governance requirements, forcing the hand of management and shifting their priorities to avoid the risk of regulatory action,39 without clear evidence of their need or efficacy. Conclusion Regularly reviewing our rules to ensure that they address the current environment is an important part of the FTC’s regular process. But rules have far-reaching and frequently unintended impacts in the real world; when imposing additional legal obligations in the rulemaking context, we must do so with great care. The amended Safeguards Rule replaces a rule that has worked well for 20 years, a rule that took a principle-based approach in order to provide financial institutions flexibility to determine the appropriate and realistic security safeguards for their organizations. The record before us at best fails to convince that the changes are necessary and at worst raises concern about the substantial costs and risks in imposing these amendments. Accordingly, we dissent. [FR Doc. 2021–25736 Filed 12–8–21; 8:45 am] BILLING CODE 6750–01–P enforcement/cases-proceedings/092-3184/facebookinc. 39 These governance rules may not even promote security. 
See Consumer Data Industry Association (comment 36, NPRM), https://www.regulations.gov/ comment/FTC-2019-0019-0036 (arguing that the annual reporting will become a checkbox exercise). E:\FR\FM\09DER3.SGM 09DER3

---------------------------------------------------------------------------

    \2\ See 15 U.S.C. 6801(b), 15 U.S.C. 6805(b)(2).
---------------------------------------------------------------------------

    The current Safeguards Rule requires a financial institution to 
develop, implement, and maintain a comprehensive information security 
program that consists of the administrative, technical, and physical 
safeguards the financial institution uses to access, collect, 
distribute, process, protect, store, use, transmit, dispose of, or 
otherwise handle customer information.\3\ The information security 
program must be written in one or more readily accessible parts.\4\ The 
safeguards set forth in the program must be appropriate to the size and 
complexity of the financial institution, the nature and scope of its 
activities, and the sensitivity of any customer information at 
issue.\5\ The safeguards must also be reasonably designed to ensure the 
security and confidentiality of customer information, protect against 
any anticipated threats or hazards to the security or integrity of the 
information, and protect against unauthorized access to or use of such 
information that could result in substantial harm or inconvenience to 
any customer.\6\
---------------------------------------------------------------------------

    \3\ 16 CFR 314.2(c).
    \4\ 16 CFR 314.3(a).
    \5\ 16 CFR 314.3(a), (b).
    \6\ 16 CFR 314.3(a), (b).
---------------------------------------------------------------------------

    In order to develop, implement, and maintain its information 
security program, a financial institution must identify reasonably 
foreseeable internal and external risks to the security, 
confidentiality, and integrity of customer information that could 
result in the unauthorized disclosure, misuse, alteration, destruction, 
or other compromise of such information.\7\ The financial institution 
must then design and implement safeguards to control the risks 
identified through the risk assessment, and must regularly test or 
otherwise monitor the effectiveness of the safeguards' key controls, 
systems, and procedures.\8\ The Rule also requires the financial 
institution to evaluate and adjust its information security program in 
light of the results of this testing and monitoring, any material 
changes in its operations or business arrangements, or any other 
circumstances it knows or has reason to know may have a material impact 
on its information security program.\9\ The financial institution must 
also designate an employee or employees to coordinate the information 
security program.\10\
---------------------------------------------------------------------------

    \7\ 16 CFR 314.4(b).
    \8\ 16 CFR 314.4(c).
    \9\ 16 CFR 314.4(e).
    \10\ 16 CFR 314.4(a).
---------------------------------------------------------------------------

    Finally, the current Safeguards Rule requires financial 
institutions to take reasonable steps to select and retain service 
providers capable of maintaining appropriate safeguards for customer 
information and require those service providers by contract to 
implement and maintain such safeguards.\11\
---------------------------------------------------------------------------

    \11\ 16 CFR 314.4(d).
---------------------------------------------------------------------------

II. Regulatory Review of the Safeguards Rule

    On September 7, 2016, the Commission solicited comments on the 
Safeguards Rule as part of its periodic review of its rules and 
guides.\12\ The Commission sought comment on a number of general 
issues, including the economic impact and benefits of the Rule; 
possible conflicts between the Rule and state, local, or other Federal 
laws or regulations; and the effect on the Rule of any technological, 
economic, or other industry changes. The Commission received 28 
comments from individuals and entities representing a wide range of 
viewpoints.\13\ Most commenters agreed there is a continuing need for 
the Rule and it benefits consumers and competition.\14\
---------------------------------------------------------------------------

    \12\ Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7, 
2016).
    \13\ The 28 public comments received prior to March 15, 2019, 
are posted at: https://www.ftc.gov/policy/public-comments/initiative-674.
    \14\ See, e.g., Mortgage Bankers Association (comment 39, NPRM); 
National Automobile Dealers Association (Comment 40, NPRM); Data & 
Marketing Association (comment 38, NPRM); Electronic Transactions 
Association (comment 24, NPRM); State Privacy & Security Coalition 
(comment 26, NPRM).
---------------------------------------------------------------------------

    On April 4, 2019, the Commission issued a notice of proposed 
rulemaking (NPRM) setting forth proposed amendments to the Safeguards 
Rule (the ``Proposed Rule'').\15\ In response, the Commission received 
49 comments from various interested parties

[[Page 70273]]

including industry groups, consumer groups, and individual 
consumers.\16\ On July 13, 2020, the Commission held a workshop 
concerning the proposed changes and conducted panels with information 
security experts discussing subjects related to the Proposed Rule.\17\ 
The Commission received 11 comments following the workshop.\18\ After 
reviewing the initial comments to the Proposed Rule, conducting the 
workshop, and then reviewing the comments received following the 
workshop, the Commission now issues final amendments to the Safeguards 
Rule.
---------------------------------------------------------------------------

    \15\ FTC Notice of Proposed Rulemaking, 84 FR 13158 (April 4, 
2019).
    \16\ The 49 relevant public comments received on or after March 
15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on 
Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 
314, Project No. P145407, https://www.regulations.gov/docket/FTC-2019-0019/document.
    \17\ See FTC, Information Security and Financial Institutions: 
An FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), 
https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf [hereinafter Safeguards 
Workshop Tr.].
    \18\ The 11 relevant public comments relating to the subject 
matter of the July 13, 2020, workshop can be found at https://www.regulations.gov/document/FTC-2020-0038-0001. This document cites 
comments using the last name of the individual submitter or the name 
of the organization, followed by the number based on the last two 
digits of the comment ID number.
---------------------------------------------------------------------------

III. Overview of Final Rule

    As noted above, the Final Rule modifies the current Rule in five 
primary ways. First, the Final Rule amends the current Rule to include 
more detailed requirements for the development and establishment of the 
information security program required under the Rule. For example, 
while the current Rule requires financial institutions to undertake a 
risk assessment and develop and implement safeguards to address the 
identified risks, the Final Rule sets forth specific criteria for what 
the risk assessment must include, and requires the risk assessment be 
set forth in writing. As to particular safeguards, the Final Rule 
requires that they address access controls, data inventory and 
classification, encryption, secure development practices, 
authentication, information disposal procedures, change management, 
testing, and incident response. And while the Final Rule retains the 
requirement from the current Rule that financial institutions provide 
employee training and appropriate oversight of service providers, it 
adds mechanisms designed to ensure such training and oversight are 
effective. Although the Final Rule has more specific requirements than 
the current Rule, it still provides financial institutions the 
flexibility to design an information security program appropriate to 
the size and complexity of the financial institution, the nature and 
scope of its activities, and the sensitivity of any customer 
information at issue.
    Second, the Final Rule adds requirements designed to improve 
accountability of financial institutions' information security 
programs. For example, while the current Rule allows a financial 
institution to designate one or more employees to be responsible for 
the information security program, the Final Rule requires the 
designation of a single Qualified Individual. The Final Rule also 
requires periodic reports to boards of directors or governing bodies, 
which will provide senior management with better awareness of their 
financial institutions' information security programs, making it more 
likely the programs will receive the required resources and be able to 
protect consumer information.
    Third, recognizing the impact of the additional requirements on 
small businesses, the Final Rule exempts financial institutions that 
collect information on fewer than 5,000 consumers from the requirements 
of a written risk assessment, incident response plan, and annual 
reporting to the Board of Directors.
    Fourth, the Final Rule expands the definition of ``financial 
institution'' to include entities engaged in activities the Federal 
Reserve Board determines to be incidental to financial activities. This 
change brings ``finders''--companies that bring together buyers and 
sellers of a product or service--within the scope of the Rule. Finders 
often collect and maintain very sensitive consumer financial 
information, and this change will require them to comply with the 
Safeguards Rule's requirements to protect that information. This change 
will also bring the Rule into harmony with other Federal agencies' 
Safeguards Rules, which include activities incidental to financial 
activities in their definition of financial institution.
    Finally, the Final Rule includes several definitions and related 
examples, including of ``financial institution,'' in the Rule itself 
rather than incorporate them from a related FTC rule, the Privacy of 
Consumer Financial Information Rule, 16 CFR part 313. This will make 
the rule more self-contained and will allow readers to understand its 
requirements without referencing the Privacy Rule.

IV. Section-by-Section Analysis

General Comments

    The Commission received 49 comments in response to the NPRM for the 
Proposed Rule, from a diverse set of stakeholders, including industry 
groups, individual businesses, consumer advocacy groups, academics, 
information security experts, government agencies, and individual 
consumers. It also hosted a workshop on the Proposed Rule, which 
included approximately 20 security experts. Some of the comments simply 
expressed general support \19\ or general disapproval \20\ of the 
Proposed Rule. Many, however, offered detailed responses to specific 
proposals in the NPRM. In general, industry groups were opposed to most 
or all of the Proposed Rule, and consumer advocacy groups, academics, 
and security experts were generally in favor of the amendments. The 
comments and workshop record are discussed in the following Section-by-
Section analysis.
---------------------------------------------------------------------------

    \19\ See Encore Capital Group (comment 25, NPRM); Justine 
Bykowski (comment 12, NPRM); ``Peggy from Bloomington, MN'' (comment 
13, NPRM); ``Anonymous'' (comment 20, NPRM).
    \20\ ``Jane Q. Citizen'' (comment 14, NPRM).
---------------------------------------------------------------------------

Sec. 314.1: Purpose and Scope

    The Purpose and Scope section of the current Rule generally states 
the Rule implements the Gramm-Leach-Bliley Act and applies to the 
handling of customer information by financial institutions over which 
the FTC has jurisdiction. In its NPRM, the Commission proposed adding a 
definition of ``financial institution'' modeled on the definition 
included in the Commission's Privacy Rule (16 CFR part 313) and a 
series of examples providing guidance on what constitutes a financial 
institution under the Commission's jurisdiction. Other than expanding 
the definition of ``financial institution'' as discussed below, the new 
language was not meant to reflect a substantive change to the 
Safeguards Rule; rather, it was meant to allow the Rule to be read on 
its own, without reference to the Privacy Rule.\21\ The Commission 
received no comments that addressed this section specifically, and

[[Page 70274]]

the Commission adopts the language of the Proposed Rule in the Final 
Rule.\22\
---------------------------------------------------------------------------

    \21\ In a separate final rule, published elsewhere in this issue 
of the Federal Register, the Commission is amending the Privacy Rule 
to reflect changes made by the Dodd-Frank Act, limiting that rule to 
certain auto dealers. Through that proceeding, the Commission is 
also removing examples of financial institutions from the Privacy 
Rule that are no longer covered under the rule in the wake of these 
changes.
    \22\ Several commenters addressed the change to the definition 
of ``financial institution.'' Those comments are addressed in the 
discussion of the definition of ``financial institution'' below.
---------------------------------------------------------------------------

Sec. 314.2: Definitions

    The Proposed Rule added a number of definitions to Sec.  314.2. The 
Proposed Rule also retained paragraph (a), which states terms used in 
the Safeguards Rule have the same meaning as set forth in the Privacy 
Rule.
    The American Council on Education (ACE) suggested all terms from 
the Privacy Rule, such as ``consumer,'' ``customer,'' and ``customer 
information,'' be included in the Final Rule in order to make the Final 
Rule easier for regulated entities to understand.\23\ On the other 
hand, HITRUST recommended no definitions from the Privacy Rule be 
duplicated in the Safeguards Rule, reasoning that in the event of a 
need to amend the terms, it would require the amendment of two rules 
rather than one.\24\
---------------------------------------------------------------------------

    \23\ American Council on Education (comment 24, NPRM), at 7.
    \24\ HITRUST, (comment 18, NPRM), at 2.
---------------------------------------------------------------------------

    The Commission is persuaded including all terms from the Privacy 
Rule within the Safeguards Rule will improve clarity and ease of use. 
Accordingly, the Commission has determined to delete paragraph (a), 
since it is no longer necessary to state all terms in the Safeguards 
Rule have the same meaning as in the Privacy Rule. It also adds the 
Privacy Rule definitions of ``consumer,'' ``customer,'' ``customer 
relationship,'' ``financial product or service,'' ``nonpublic personal 
information,'' ``personally identifiable financial information,'' 
``publicly available information,'' and ``you'' to the definitions in 
the Final Rule. No substantive change to these definitions is intended.
Authorized User
    The Proposed Rule added a definition for the term ``authorized 
user'' as paragraph (b). Proposed paragraph (b) defined an authorized 
user of an information system as any employee, contractor, agent or 
other person that participates in your business operations and is 
authorized to access and use any of your information systems and data. 
This term was used in Sec.  314.4(c)(10) of the Proposed Rule, which 
required financial institutions to implement policies to monitor the 
activity of ``authorized users'' and detect unauthorized access to 
customer information.
    The Commission received one comment on this proposed definition 
from the National Automobile Dealers Association (NADA), which 
suggested the term ``authorized user'' was used inconsistently and was 
too vague.\25\ NADA pointed out while ``authorized user'' is a defined 
term, the term ``authorized individual'' was used in proposed Sec.  
314.4(c)(1) (addressing access controls for information systems) and 
(c)(3) (addressing access controls for physical data). NADA also argued 
the inclusion of ``other person that participates in the business 
operations of an entity'' within the definition of ``authorized user'' 
was unclear and created ambiguity in its application.\26\
---------------------------------------------------------------------------

    \25\ National Automobile Dealers Association (comment 46, NPRM), 
at 11-12.
    \26\ National Automobile Dealers Association (comment 46, NPRM), 
at 11-12.
---------------------------------------------------------------------------

    The Commission agrees with NADA's points, and, in response, 
modifies the Final Rule in two ways. First, the Final Rule replaces the 
term ``authorized individual'' with ``authorized user'' in Sec.  
314.4(c)(1). As described further below, because the Final Rule 
combines Sec.  314.4(c)(3) with Sec.  314.4(c)(1), there is no need to 
make a corresponding change to that section.
    Second, because the Commission agrees the ambiguities in the 
definition of ``authorized user'' from the Proposed Rule could create 
confusion, it makes several changes to the definition. It deletes the 
phrase ``other person that participates in the business operations of 
an entity.'' The Commission agrees this phrase was vague. The 
Commission had intended it to cover any person the financial 
institution allows to access information systems or data, including, 
for example, ``customers'' of the financial institutions. For the 
purpose of controlling authorized access and detecting unauthorized 
access (which is where the definition of ``authorized user'' appears), 
financial institutions should monitor anomalous patterns of usage of 
their systems, not only by employees and agents, but also by customers 
and other persons authorized to access systems or data. To clarify this 
point, the Commission adds ``customer or other person'' to the 
definition of ``authorized users.''
    The Commission intends that the definition of ``authorized users'' 
should include anyone who the financial institution authorizes to 
access an information system or data, regardless of whether that user 
actually uses the data. Thus, for clarity, the Commission has deleted 
the requirement that the authorized user be authorized to use the 
information system or data. Finally, the definition of authorized user 
should include users who can access both ``information systems and 
data'' and users authorized to access either information systems or 
data. Accordingly, for clarification purposes, the Commission modifies 
the definition of authorized user in the Final Rule as any employee, 
contractor, agent, customer or other person that is authorized to 
access any of your information systems or data.
Security Event
    In proposed paragraph (c), the Commission defined security event as 
an event resulting in unauthorized access to, or disruption or misuse 
of, an information system or information stored on such information 
system. This term was used in provisions requiring financial 
institutions to establish a written incident response plan designed to 
respond to security events. It also appeared in the provision requiring 
the coordinator of a financial institution's information security 
program to provide an annual report to the financial institution's 
governing body; the required report must identify all security events 
that took place that year.
    Commenters expressed three main concerns with this definition. The 
first relates to whether the term ``security event'' should be expanded 
to instances in which there is unauthorized access to, or disruption or 
misuse of, information in physical form, as opposed to electronic form. 
The Proposed Rule used the term ``security event'' instead of 
``cybersecurity event'' to clarify that an information security program 
encompasses information in both digital and physical forms and that 
unauthorized access to paper files, for example, would also be a 
security event under the Rule. The Money Services Round Table (MSRT), 
however, noted despite the use of the more general ``security'' in the 
defined term, the definition itself is limited to events involving 
information systems.\27\ The Commission agrees this creates a 
contradiction. Accordingly, the Final Rule includes the compromise of 
customer information in physical form in the definition of ``security 
event.''
---------------------------------------------------------------------------

    \27\ Money Services Round Table (comment 53, NPRM), at 5 n.14.
---------------------------------------------------------------------------

    Second, some industry groups argued a ``security event'' should 
occur only when there is ``unauthorized access'' to an information 
system, not in cases in which there has been a ``disruption or misuse'' 
of such systems (e.g., a ransomware attack).\28\ These

[[Page 70275]]

commenters argued the disruption or misuse of information systems is 
not directly related to the protection of customer information and is, 
therefore, outside the Commission's statutory authority.\29\ The 
Commission disagrees. Requiring a financial institution to protect 
against disruption and misuse of its information system is within the 
Commission's authority under the GLBA, which directed the Commission to 
promulgate a rule that required financial institutions ``to protect 
against any anticipated threats or hazards to the security or 
integrity'' of customer information. A disruption or misuse of an 
information system will be, in many cases, a threat to the 
``integrity'' of customer information. In addition, disruption or 
misuse may also indicate the existence of a security weakness that 
could be exploited to gain unauthorized access to customer information. 
For example, an event in which ransomware placed on a system is used to 
encrypt customer information, rendering it useless, raises the 
possibility similar software could have been used to exfiltrate 
customer information. Accordingly, the Final Rule retains the inclusion 
of ``misuse or disruption'' within the definition of ``security 
event.''
---------------------------------------------------------------------------

    \28\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 4; National Automobile Dealers Association 
(comment 46, NPRM), at 12-13; Consumer Data Industry Association 
(comment 36, NPRM), at 3-4.
    \29\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 4; National Automobile Dealers Association 
(comment 46, NPRM), at 12-13.
---------------------------------------------------------------------------

    Third, several commenters suggested the definition of ``security 
event'' be limited to events in which there is a risk of consumer harm 
or some other negative effect.\30\ Similarly, some commenters argued 
the definition should exclude events that involve encrypted information 
in which the encryption key was not compromised or when there is 
evidence the information accessed has not been misused.\31\ The 
Commission declines to narrow the provision in this manner. It believes 
a financial institution should still engage in its incident response 
procedures to determine whether the event indicates a weakness that 
could endanger customer information and to respond accordingly. The 
financial institution can then take the appropriate steps in response. 
Further, Sec.  314.4(h) of the Final Rule, which sets forth the 
requirement for an incident response plan, requires the incident 
response plan be designed to respond only to security events 
``materially affecting the confidentiality, integrity, or availability 
of customer information,'' limiting the impact of the definition of 
``security event.''
---------------------------------------------------------------------------

    \30\ HITRUST (comment 18, NPRM), at 3; American Council on 
Education (comment 24, NPRM), at 7; Mortgage Bankers Association 
(comment 26, NPRM), at 4-5; Consumer Data Industry Association 
(comment 36, NPRM), at 3-4; National Automobile Dealers Association 
(comment 46, NPRM), at 12-13; National Independent Automobile 
Dealers Association (comment 48, NPRM), at 4.
    \31\ Mortgage Bankers Association (comment 48, NPRM), at 4-5; 
National Automobile Dealers Association (comment 46, NPRM), at 12-
13; National Independent Automobile Dealers Association (comment 48, 
NPRM) at 4; American Council on Education (comment 24, NPRM), at 7.
---------------------------------------------------------------------------

    Accordingly, the Final Rule defines security event as an event 
resulting in unauthorized access to, or disruption or misuse of, an 
information system, information stored on such information system, or 
customer information held in physical form. The Proposed Rule placed 
this definition as paragraph (c), out of alphabetical order. The Final 
Rule adopts it as paragraph (p), placing it in alphabetical order with 
the other definitions in Sec.  314.2.
Encryption
    Proposed paragraph (e) defined encryption as the transformation of 
data into a form that results in a low probability of assigning meaning 
without the use of a protective process or key. This term was used in 
proposed Sec.  314.4(c)(4), which generally required financial 
institutions to encrypt customer information. This definition was 
intended to define the process of encryption while not requiring any 
particular technology or technique for achieving the protection 
provided by encryption.
    NADA argued this definition should be made more flexible by adding 
an alternative so it would read ``the transformation of data into a 
form that results in a low probability of assigning meaning without the 
use of a protective process or key or securing information by another 
method that renders the data elements unreadable or unusable'' 
(emphasis added).\32\ On the other hand, others argued the Proposed 
Rule's definition did not sufficiently protect customer 
information.\33\ For example, the Princeton University Center for 
Information Technology Policy (``Princeton Center'') suggested the Rule 
should be changed ``to clarify that encryption must be consistent with 
current cryptographic standards and accompanied by appropriate 
safeguards for cryptographic key material.'' \34\ Similarly, ACE argued 
the definition should include ``the transformation of data in 
accordance with industry standards.'' \35\
---------------------------------------------------------------------------

    \32\ National Automobile Dealers Association (comment 46, NPRM), 
at 13.
    \33\ American Council on Education (comment 24, NPRM), at 7; 
Princeton University Center for Information Technology Policy 
(comment 54, NPRM), at 4.
    \34\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 4.
    \35\ American Council on Education (comment 24, NPRM), at 7.
---------------------------------------------------------------------------

    The Commission agrees the proposed definition should be tethered to 
some technical standard, without being too prescriptive about what that 
standard is. Under the proposed definition, as well as NADA's proposed 
definition, financial institutions could have claimed they were 
``encrypting'' data if they were aggregating it, scrambling it, or 
redacting it in a way that made it possible to re-identify the data 
through, for example, the application of common algorithms or programs. 
The Commission does not believe this would have provided consumers with 
sufficient protection. The Commission also agrees with the commenters 
who stated the definition should signal that encryption should be 
cryptographically based.
    Accordingly, the Final Rule defines encryption as the 
transformation of data into a form that results in a low probability of 
assigning meaning without the use of a protective process or key, 
consistent with current cryptographic standards and accompanied by 
appropriate safeguards for cryptographic key material. This definition 
does not require any specific process or technology to perform the 
encryption but does require that whatever process is used be 
sufficiently robust to prevent the deciphering of the information in 
most circumstances.
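    The distinction the Commission draws above, between a 
transformation that anyone can undo by running a common algorithm and 
one that is cryptographically based, keyed, and accompanied by 
safeguarded key material, is illustrated by the following Go program. 
It is an added example and is not part of the Final Rule, the NPRM, or 
any comment; the sample record, the fixed-pattern XOR ``scramble,'' 
and the function names are constructed for illustration only. The 
program uses only the Go standard library (AES-256-GCM via crypto/aes 
and crypto/cipher), which is one process consistent with current 
cryptographic standards; the Rule itself names no algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed customer record for this example; the
// values are placeholders, not real account or identity data.
const sampleRecord = "acct=4111-0000-0000-1234;ssn=000-00-0000;name=J. Doe"

// scramble stands in for the kind of transformation the Final Rule's
// definition is meant to exclude: a fixed-pattern XOR. The output looks
// unreadable, but the "protective process" is the public algorithm
// itself, so anyone can undo it without holding any secret.
func scramble(data []byte) []byte {
	pattern := []byte("SCRAMBLE")
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ pattern[i%len(pattern)]
	}
	return out
}

// unscramble recovers the input of scramble. No key is involved.
func unscramble(data []byte) []byte { return scramble(data) }

// newKey draws 32 random bytes for AES-256. This is the cryptographic
// key material the definition requires be safeguarded, separately from
// the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encrypt seals plaintext with AES-256-GCM under key and prefixes a fresh
// random nonce. GCM is authenticated, so the blob cannot be altered
// without detection on decrypt.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt opens a blob produced by encrypt. A wrong key or a modified
// byte anywhere in the blob produces an error, never altered plaintext.
func decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	record := []byte(sampleRecord)
	s := scramble(record)
	fmt.Printf("scrambled:   %x\n", s)
	fmt.Printf("unscrambled: %s\n", unscramble(s)) // recovered with no key

	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("aes-gcm:     %x\n", blob)
	wrongKey, _ := newKey()
	if _, err := decrypt(wrongKey, blob); err != nil {
		fmt.Println("wrong key:   rejected")
	}
	blob[len(blob)-1] ^= 0x01 // flip one ciphertext byte
	if _, err := decrypt(key, blob); err != nil {
		fmt.Println("tampered:    rejected")
	}
}
```

    The key returned by newKey is the key material whose handling the 
definition makes part of ``encryption'': storing it beside the 
ciphertext, or deriving it from something an attacker can obtain, 
leaves customer information about as exposed as the scramble function 
does. The authenticated mode also refuses to return a modified 
ciphertext as plaintext, rather than silently yielding altered data.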
Financial Institution
Incidental Activity
    The Proposed Rule made one substantive change to the definition of 
``financial institution'' it incorporated from the Privacy Rule. The 
change was designed to include entities ``significantly engaged in 
activities that are incidental to [] financial activity'' as defined by 
the Bank Holding Company Act. This proposed change brought only one 
activity into the definition that was not covered before: the act of 
``finding'' as defined in 12 CFR 225.86(d)(1). The proposed revision to 
paragraph (f) added an example of a financial institution acting as a 
finder by ``bringing together one or more buyers and sellers of any 
product or service for transactions that the parties themselves 
negotiate and consummate.'' This example used the language set forth in 
12 CFR 225.86(d)(1), which defines ``finding'' as an activity 
incidental to a financial activity under the Bank Holding Company Act. 
The Commission

[[Page 70276]]

adopts this proposal without modification.
    The change to the definition of ``financial institution'' brings it 
into harmony with other agencies' GLB rules.\36\ The change is 
supported by the language of the Gramm-Leach-Bliley Act.\37\ The Act 
defines a ``financial institution'' as any institution ``the business 
of which is engaging in financial activities as described in section 
1843(k) of title 12.'' \38\ That section, in turn, describes activities 
that are financial in nature as those the Board has determined ``to be 
financial in nature or incidental to such financial activity.'' \39\ 
The Final Rule's definition mirrors this language. The change will not 
lead to a significant expansion of the Rule coverage as it expands the 
definition only to include entities engaged in activity incidental to 
financial activity, as determined by the Federal Reserve Board. The 
Board has determined only one activity to be incidental to financial 
activity--``acting as a finder.'' \40\
---------------------------------------------------------------------------

    \36\ See 12 CFR 1016.3(l) (defining ``financial institution'' 
for entities regulated by agencies other than the FTC). See also 17 
CFR 248.3(n) (defining ``financial institution'' to include ``any 
institution the business of which is . . . incidental to . . . 
financial activities'' for the Securities and Exchange Commission's rule 
implementing GLBA's safeguard provisions).
    \37\ 15 U.S.C. 6801 et seq.
    \38\ 15 U.S.C. 6809(3).
    \39\ 12 U.S.C. 1843(k).
    \40\ 12 CFR 225.86.
---------------------------------------------------------------------------

    Several commenters who addressed this issue supported the inclusion 
of activities incidental to financial activities.\41\ Other commenters 
expressed concern the proposed change in the definition would expand 
the Rule's coverage to businesses that should not be considered 
financial institutions.\42\ They argued the definition of the term 
``finder'' is too broad and companies that connect buyers and sellers 
in non-financial contexts would be swept inappropriately into the 
definition of ``financial institution.'' The Association of National 
Advertisers argued advertising agencies could be considered ``finders'' 
because they play a role in connecting buyers and sellers.\43\
---------------------------------------------------------------------------

    \41\ Electronic Privacy Information Center (comment 55, NPRM), 
at 9; Independent Community Bankers of America (comment 35, NPRM), 
at 3; National Automobile Dealers Association (comment 46, NPRM), at 
13-16.
    \42\ Association of National Advertisers (comment, Workshop), at 
4-5; Internet Association (comment, Workshop), at 4-5; see also 
Anonymous (comment 15, NPRM) (questioning whether any governing body 
would oversee any future determinations by the Federal Reserve Board 
that activities are incidental to financial activity).
    \43\ Association of National Advertisers (comment 5, Workshop), 
at 5.
---------------------------------------------------------------------------

    In response, the Commission notes the Federal Reserve Board 
describes acting as a finder as ``bringing together one or more buyers 
and sellers of any product or service for transactions that the parties 
themselves negotiate and consummate.'' \44\ The Board sets forth 
several activities within the scope of acting as a finder, such as 
``[i]dentifying potential parties, making inquiries as to interest, 
introducing and referring potential parties to each other, [] arranging 
contacts between and meetings of interested parties'' and ``[c]onveying 
between interested parties expressions of interest, bids, offers, 
orders and confirmations relating to a transaction.'' \45\
---------------------------------------------------------------------------

    \44\ 12 CFR 225.86(d).
    \45\ 12 CFR 225.86(d)(1)(i).
---------------------------------------------------------------------------

    Although this language is somewhat broad, its scope is 
significantly limited in the context of the Safeguards Rule. First, the 
Safeguards Rule applies only to transactions ``for personal, family, or 
household purposes.'' \46\ Therefore, only finding services involving 
consumer transactions will be covered. Second, the Safeguards Rule 
applies only to the information of customers, which are consumers with 
which a financial institution has a continuing relationship.\47\ 
Therefore, it will not apply to finders that have only isolated 
interactions with consumers and do not receive information from other 
financial institutions about those institutions' customers. This 
significantly narrows the types of finders that will have obligations 
under the Rule, excluding, the Commission believes, most advertising 
agencies and similar businesses that generally do not have continuing 
relationships with consumers who are using their services for personal 
or household purposes.
---------------------------------------------------------------------------

    \46\ See Final Rule 16 CFR 314.2(b)(1).
    \47\ 16 CFR 314.1; Final Rule 16 CFR 314.2(c).
---------------------------------------------------------------------------

    The Commission believes entities that perform finding services for 
consumers with whom they have an ongoing relationship are properly 
considered ``financial institutions'' for purposes of the Rule. 
Accordingly, the Commission adopts the changes to the definition of 
``financial institution'' as proposed.
Other Changes to Definition of ``Financial Institutions''
    Other commenters suggested modifying the definition of ``financial 
institution'' \48\ in different ways. The Electronic Privacy 
Information Center (EPIC) argued the definition should be expanded by 
treating more activities as financial activities.\49\ EPIC pointed out 
information shared with social media companies, retailers, apps, and 
devices generally is not covered under the Safeguards Rule. The 
Commission understands the concern that many businesses fall outside 
the coverage of the Safeguards Rule, despite handling sensitive 
consumer information, but the Commission's authority to regulate 
activity under the Safeguards and Privacy Rules is established by the 
GLBA. The Rule's application is limited to financial institutions as 
defined by that statute and cannot be extended beyond that 
definition.\50\ The institutions discussed by EPIC, however, are still 
covered by the FTC Act's prohibition against deceptive or unfair 
conduct, including with respect to their use and protection of consumer 
information.\51\
---------------------------------------------------------------------------

    \48\ National Pawnbrokers Association (comment 32, NPRM), at 5-6 
(arguing that transaction-reporting vendors be included in 
definition); National Consumer Law Center and others (comment 58, 
NPRM), at 5 (arguing that consumer reporting agencies be included 
explicitly in the definition); see also American Escrow Association 
(comment, Workshop), at 2-3 (requesting that the Rule specifically 
set out the duties of real estate settlement operations and other 
businesses that handle but do not maintain sensitive information); 
Beverly Enterprises, LLC (comment 3, NPRM), at 3-4 (requesting that 
the Rule specifically set out duties related to online 
notarizations); Yangxue Li (comment 5, NPRM) (asking whether Rule 
would set forth specific guidelines for different industries); 
Slobadon Raybolka (comment 17, NPRM) (suggesting that companies that 
perform online background checks be covered by the rule); The 
Clearing House (comment 49, NPRM) (suggesting a separate set of more 
stringent rules for fintech companies).
    \49\ Electronic Privacy Information Center (comment 55, NPRM), 
at 9.
    \50\ See 15 U.S.C. 6801 (requiring agencies to promulgate Rule 
establishing standards for financial institutions); 15 U.S.C. 
6809(3) (defining ``financial institutions'' as an ``institution the 
business of which is engaging in financial activities as described'' 
in the Bank Holding Company Act).
    \51\ In the Matter of Facebook, Inc., Docket No. C-4365 (Apr. 
28, 2020); FTC v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d 
Cir. 2015); FTC v. D-Link Systems, Inc., Case No. 3:17-cv-00039-JD 
(N.D. Cal. July 2, 2019); In the Matter of Twitter, Inc., Docket No. 
C-4316 (Mar. 11, 2011).
---------------------------------------------------------------------------

    The National Federation of Independent Business (NFIB) argued 
individuals and sole proprietors should be excluded from the definition 
of ``financial institution'' because an individual cannot be an 
``institution.'' \52\ When the Privacy Rule was promulgated in 2000, 
commenters also suggested the definition should exclude sole 
proprietors.\53\ The Commission noted there was no basis to exclude 
sole proprietors and ``[w]hether or not a commercial enterprise is 
operated by a single individual is not determinative'' of whether the 
enterprise is a financial institution. 
The Commission has not changed its position on this matter and declines 
to make this change to the definition of ``financial institution.''
---------------------------------------------------------------------------

    \52\ National Federation of Independent Business (comment 16, 
NPRM), at 2-3.
    \53\ Privacy Rule, Final Rule, 65 FR 33645 (May 24, 2000) at 
33656.
---------------------------------------------------------------------------

    The Final Rule adopts this definition as proposed without change.
Information Security Program
    Paragraph (i) of the Final Rule adopts the existing Rule's 
paragraph (c) and does not alter the definition of ``information 
security program.'' The Commission received no comments on this 
definition, and accordingly, adopts the current definition in the Final 
Rule.
Information System
    Proposed paragraph (h) defined information system as a discrete set 
of electronic information resources organized for the collection, 
processing, maintenance, use, sharing, dissemination or disposition of 
electronic information, as well as any specialized system such as 
industrial/process controls systems, telephone switching and private 
branch exchange systems, and environmental control systems. The term 
``information system'' was used throughout the proposed amendments to 
designate the systems that must be covered by the information security 
program.
    The MSRT suggested this definition was too narrow in some respects 
and too broad in others.\54\ It argued the definition of ``information 
system'' was too narrow because it did not include physical systems or 
employees and would exclude them from some of the provisions of the 
Rule. Specifically, the MSRT argued that based on this definition, the 
penetration tests required by Sec. 314.4(d)(2) would not be required 
to test ``potential human vulnerabilities'' such as social engineering 
or phishing.\55\ The Commission does not agree. Penetration testing, as 
defined by the Final Rule, is a process through which testers ``attempt 
to circumvent or defeat the security features of an information 
system.'' \56\ One way such security features are tested is through 
social engineering and phishing.\57\ The fact that the testing involves 
employees with access to the information system, rather than just the 
system itself, does not exclude such tests from the definition of 
``penetration testing.'' Attempted social engineering and phishing are 
important parts of testing the security of information systems and 
would not be excluded by this definition.
---------------------------------------------------------------------------

    \54\ Money Services Round Table (comment 53, NPRM), at 5-6.
    \55\ Id. at 5.
    \56\ Final Rule Sec. 314.2(j).
    \57\ Indeed, Workshop participant Scott Wallace noted, in 
conducting penetration testing, ``the first thing [he does]'' is 
generally to ``prepare for the phishing campaign.'' Remarks of Scott 
Wallace, Safeguards Workshop Tr., supra note 17, at 131-32.
---------------------------------------------------------------------------

    The MSRT also argued the definition was too broad, and was joined 
by other commenters in this concern.\58\ These commenters shared a 
concern the proposed definition would include systems that are in no 
way connected to customer information and would require financial 
institutions to include all systems in their possession, regardless of 
their involvement with customer information. The Commission agrees the 
definition should be limited to those systems that either contain 
customer information or are connected to systems that contain customer 
information, and adds that limitation to the Final Rule. The Rule does 
not limit the definition to only those systems that contain customer 
information, because a common source of data breaches is a 
vulnerability in a connected system that an attacker exploits to gain 
access to the company's network and move within the network to obtain 
access to the system containing sensitive information.\59\ Accordingly, 
the definition of information system in the Final Rule is modified to a 
discrete set of electronic information resources organized for the 
collection, processing, maintenance, use, sharing, dissemination or 
disposition of electronic information containing customer information 
or any such system connected to a system containing customer 
information, as well as any specialized system such as industrial/
process controls systems, telephone switching and private branch 
exchange systems, and environmental controls systems, that contains 
customer information or that is connected to a system that contains 
customer information.
---------------------------------------------------------------------------

    \58\ Money Services Round Table (comment 53, NPRM), at 5; 
Consumer Data Industry Association (comment 36, NPRM), at 4; 
American Council on Education (comment 24, NPRM), at 7-8.
    \59\ See Remarks of Serge Jorgensen, Safeguards Workshop Tr., 
supra note 17, at 58-59 (noting cybersecurity attacks can take 
advantage of systems that are connected to the systems in which 
sensitive information is stored); Remarks of Tom Dugas, Safeguards 
Workshop Tr., supra note 17, at 138 (noting a vulnerability in one 
system can result in the exposure of information maintained in 
another system); see also Remarks of Rocio Baeza, Safeguards 
Workshop Tr., supra note 17, at 106-07 (noting the heightened 
importance of encryption in a context where numerous systems are 
connected); Remarks of James Crifasi, Safeguards Workshop Tr., supra 
note 17, at 107-08 (same).
---------------------------------------------------------------------------

Multi-Factor Authentication
    Proposed paragraph (i) defined multi-factor authentication as 
authentication through verification of at least two of the following 
types of authentication factors: Knowledge factors, such as a password; 
possession factors, such as a token; or inherence factors, such as 
biometric characteristics. This term was used in proposed Sec. 
314.4(c)(6),\60\ which required financial institutions to implement 
multi-factor authentication for individuals accessing networks that 
contain customer information.
---------------------------------------------------------------------------

    \60\ Section 314.4(c)(5) in the Final Rule.
---------------------------------------------------------------------------

    Several commenters argued the definition should explicitly include 
SMS text messages as an acceptable example of a possession factor, or 
that their use should otherwise be explicitly allowed.\61\ The Proposed Rule did not 
include SMS text messages as an example of a possession factor.\62\ 
Most commenters who addressed this issue interpreted this exclusion 
from the examples as forbidding financial institutions from using SMS 
text messages as a possession factor for multi-factor authentication. 
That is not the effect of this exclusion, however. The language of the 
definition neither prohibits nor recommends use of SMS text messages. 
Indeed, SMS text messages are not addressed at all. In some cases, use 
of SMS text messages as a factor may be the best solution because of 
their low cost and ease of use, if the risks do not outweigh those 
benefits under the circumstances.\63\ In other instances, however, the use of 
SMS text messages may not be a reasonable solution, such as when 
extremely sensitive information can be obtained through the access 
method being controlled, or when a more secure method can be used for a 
comparable price. A financial institution will need to evaluate the 
balance of risks for its situation. If, however, the Commission were to 
explicitly allow use of SMS text messages, this could be considered a 
safe harbor that would not require the company to consider risks 
associated with use of SMS text as a factor in a particular use case. 
Accordingly, the Final Rule does not include SMS text messages in the 
examples of possession factors.
---------------------------------------------------------------------------

    \61\ Electronic Transactions Association (comment 27, NPRM), at 
4; U.S. Chamber of Commerce (comment 33, NPRM), at 9; CTIA (comment 
34, NPRM), at 7-9; Global Privacy Alliance (comment 38, NPRM), at 9; 
National Automobile Dealers Association (comment 46, NPRM), at 29; 
National Independent Automobile Dealers Association (comment 48, 
NPRM), at 6.
    \62\ See, e.g., NIST Special Publication 800-63B, Digital 
Identity Guidelines, 5.1.3.3 (restricting use of verification using 
the Public Switched Telephone Network (SMS or voice) as an ``out-of-
band'' factor for multi-factor authentication).
    \63\ See, e.g., Remarks of Wendy Nather, Safeguards Workshop 
Tr., supra note 17, at 231-32.
---------------------------------------------------------------------------

    The Final Rule adopts the proposed definition of ``multi-factor 
authentication'' without change as paragraph (k) of this section.
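The two definitions above fit together in practice: the "information system" definition fixes which systems are in scope, and the "multi-factor authentication" definition fixes what counts as multi-factor when someone accesses them. The Go program below is an added example (not code from the Final Rule or the FTC) that applies both definitions to a constructed asset inventory and a constructed authentication log. It assumes that "connected to" means a direct link in either direction, since the Rule does not define connectivity, and the system names, user names and factor labels are all invented.

```go
package main

import (
	"fmt"
	"sort"
)

// FactorType follows the three categories in the definition: knowledge,
// possession, and inherence.
type FactorType string

const (
	Knowledge  FactorType = "knowledge"  // e.g. password
	Possession FactorType = "possession" // e.g. hardware token, authenticator app, SMS code
	Inherence  FactorType = "inherence"  // e.g. fingerprint
)

// Factor is one authentication factor verified during a login.
type Factor struct {
	Name string
	Type FactorType
}

// IsMultiFactor applies the definition literally: at least two factors of
// *different* types. A password plus a security question is two knowledge
// factors and does not qualify, however many prompts the user saw.
func IsMultiFactor(verified []Factor) bool {
	types := map[FactorType]bool{}
	for _, f := range verified {
		types[f.Type] = true
	}
	return len(types) >= 2
}

// System is one entry in a constructed asset inventory.
type System struct {
	Name              string
	HoldsCustomerInfo bool
	ConnectedTo       []string // assumption: a link in either direction counts as "connected"
}

// InScope returns the systems the "information system" definition reaches:
// those containing customer information and those directly connected to one.
func InScope(inv []System) map[string]bool {
	holds := map[string]bool{}
	adj := map[string]map[string]bool{}
	link := func(a, b string) {
		if adj[a] == nil {
			adj[a] = map[string]bool{}
		}
		adj[a][b] = true
	}
	for _, s := range inv {
		if s.HoldsCustomerInfo {
			holds[s.Name] = true
		}
		for _, peer := range s.ConnectedTo {
			link(s.Name, peer)
			link(peer, s.Name)
		}
	}
	scope := map[string]bool{}
	for _, s := range inv {
		if holds[s.Name] {
			scope[s.Name] = true
			continue
		}
		for peer := range adj[s.Name] {
			if holds[peer] {
				scope[s.Name] = true
				break
			}
		}
	}
	return scope
}

// AccessEvent is a constructed authentication log record.
type AccessEvent struct {
	User, System string
	Factors      []Factor
}

// ReviewAccess lists logins to in-scope systems that did not meet the
// multi-factor definition, the population Sec. 314.4(c)(5) is concerned with.
func ReviewAccess(inv []System, events []AccessEvent) []string {
	scope := InScope(inv)
	var findings []string
	for _, e := range events {
		if scope[e.System] && !IsMultiFactor(e.Factors) {
			findings = append(findings, fmt.Sprintf("%s -> %s: in-scope system accessed without multi-factor authentication", e.User, e.System))
		}
	}
	return findings
}

// SampleInventory and SampleEvents are constructed data, not from any real institution.
func SampleInventory() []System {
	return []System{
		{Name: "crm-db", HoldsCustomerInfo: true},
		{Name: "web-portal", ConnectedTo: []string{"crm-db"}},
		{Name: "hvac-controller", ConnectedTo: []string{"crm-db"}}, // specialized system, but connected
		{Name: "marketing-wiki", ConnectedTo: []string{"web-portal"}},
	}
}

func SampleEvents() []AccessEvent {
	pw := Factor{Name: "password", Type: Knowledge}
	return []AccessEvent{
		{User: "alice", System: "crm-db", Factors: []Factor{pw, {Name: "totp-app", Type: Possession}}},
		{User: "bob", System: "crm-db", Factors: []Factor{pw, {Name: "security-question", Type: Knowledge}}},
		{User: "carol", System: "web-portal", Factors: []Factor{pw}},
		{User: "dave", System: "marketing-wiki", Factors: []Factor{pw}},
		{User: "erin", System: "hvac-controller", Factors: []Factor{pw, {Name: "sms-code", Type: Possession}}},
	}
}

func main() {
	scope := InScope(SampleInventory())
	names := make([]string, 0, len(scope))
	for n := range scope {
		names = append(names, n)
	}
	sort.Strings(names)
	fmt.Println("in-scope systems:", names)
	for _, f := range ReviewAccess(SampleInventory(), SampleEvents()) {
		fmt.Println("finding:", f)
	}
}
```

Two of the sample logins produce findings: bob's, because two knowledge factors are one factor type, and carol's, because the web portal is connected to the customer database and so is in scope even though it holds no customer information itself. dave's single-factor login is not flagged because, under this example's direct-adjacency reading, the wiki is two hops from any customer information; erin's SMS code counts as a possession factor, which matches the Commission's statement that the definition neither prohibits nor recommends SMS.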
Penetration Testing
    Proposed paragraph (j) defined penetration testing as a test 
methodology in which assessors attempt to circumvent or defeat the 
security features of an information system by attempting penetration of 
databases or controls from outside or inside your information systems. 
This term was used in proposed Sec. 314.4(d)(2), which required 
financial institutions to continually monitor the effectiveness of 
their safeguards or to engage in annual penetration testing. The 
Commission received no comments concerning this definition. The Final 
Rule adopts the definition from the Proposed Rule as paragraph (m) of 
this section.
Personally Identifiable Financial Information
    To minimize cross-referencing to the Privacy Rule, as noted above, 
the Commission is adding several definitions to the Final Rule. One of 
these definitions is ``personally identifiable financial information,'' 
which is identical to the definition currently contained in the Privacy 
Rule. This term is included within the ambit of ``customer 
information,'' in both the existing Rule and the Final Rule.
    The Princeton Center suggested expanding the definition of 
``personally identifiable financial information'' from the Privacy Rule 
to include ``aggregate information or blind data that does not contain 
personal identifiers such as account numbers, names, or addresses.'' 
\64\ The Princeton Center further suggested clarifying that, for 
information to not be considered ``personally identifiable financial 
information,'' the financial institution must be required to 
demonstrate the information is not ``reasonably linkable'' to 
individuals.
---------------------------------------------------------------------------

    \64\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM) at 9-10.
---------------------------------------------------------------------------

    The Commission does not believe this amendment is necessary. The 
definition of ``personally identifiable financial information'' is 
already a broad one.\65\ It includes not just information associated 
with types of personal information such as a name or address or account 
number, but also information linked to a persistent identifier (``any 
information you collect through an Internet `cookie' (an information 
collecting device from a web server)'').\66\ While there may be some 
merit to limiting the exception for aggregate information or blind data 
to data that is not reasonably linkable to an individual, for 
purposes of a rule that can be periodically updated to keep up with 
changing technology, the current approach is more concrete and 
enforceable, and less subject to differences in interpretation.
---------------------------------------------------------------------------

    \65\ See 16 CFR 313.3(o)(1).
    \66\ 16 CFR 313.3(o)(2)(i)(F).
---------------------------------------------------------------------------

Service Provider
    Proposed paragraph (k) adopted the existing Rule's definition and 
does not alter the definition of ``service provider.'' The Commission 
received no comments on this definition and adopts it as paragraph (q) 
of the Final Rule.

Sec. 314.3: Standards for Safeguarding Customer Information

    Proposed Sec. 314.3, which required financial institutions to 
develop an information security program (paragraph (a)) and set forth 
the objectives of the Rule (paragraph (b)), was largely identical to 
the existing Rule. It changed only the requirement that ``safeguards'' 
be based on the elements set forth in Sec. 314.4, by replacing 
``safeguards'' with ``information security program.'' The Commission 
received no comments on this proposal and adopts it without change in 
the Final Rule.

Sec. 314.4: Elements

    Proposed Sec. 314.4 altered the current Rule's required elements 
of an information security program and added several new elements.
General Comments
    The Commission received many comments addressing the new elements, 
both in favor of the changes and opposed to them. The comments in favor 
of the changes generally argued these changes would protect consumers 
by improving the data security of institutions that hold their 
information.\67\ Most of the comments opposed to the proposed elements 
fell into several categories, objecting: (1) The proposed changes were 
too prescriptive and did not allow financial institutions sufficient 
flexibility in managing their information security; (2) the proposed 
amendments would be too expensive for financial institutions, 
particularly smaller institutions, to adopt; and (3) some of the 
requirements should not apply to all customer information but should be 
limited to some subset of especially ``sensitive'' customer 
information. The Commission does not agree with these comments for the 
reasons discussed below, and accordingly, retains the general approach 
of the Proposed Rule in the Final Rule.
---------------------------------------------------------------------------

    \67\ See, e.g., New York Department of Financial Services 
(comment 40, NPRM), at 1 (arguing the Proposed Rule would ``further 
advance efforts to protect financial institutions and consumers from 
cybercriminals.''); Princeton University Center for Information 
Technology Policy (comment 54, NPRM), at 1 (stating the Proposed 
Rule ``would significantly reduce data security risks for the 
customers of financial institutions.''); National Consumer Law 
Center and others (comment 58, NPRM), at 2 (stating requirements of 
Proposed Rule are ``reasonable and common-sense measures that any 
company dealing with large amounts of consumer personal information 
should take.'').
---------------------------------------------------------------------------

Flexibility
    Many industry groups argued the new proposed elements were too 
prescriptive, lacked flexibility, would quickly become outdated, and 
would force financial institutions to engage in activities that would 
not enhance security.\68\ For example, the Electronic Transactions 
Association argued the Proposed Rule would ``limit the ability of 
industry to develop new and innovative approaches to information 
security.'' \69\ Similarly, CTIA commented the Proposed Rule would 
create a ``prescriptive core of requirements that covered businesses 
must follow, irrespective of whether risk assessments show they are 
necessary.'' \70\
---------------------------------------------------------------------------

    \68\ See, e.g., HITRUST (comment 18, NPRM), at 1-2; American 
Council on Education (comment 24, NPRM), at 2-4; Cristian Munarriz 
(comment 21, NPRM); Electronic Transactions Association (comment 27, 
NPRM), at 1-2; National Pawnbrokers Association (comment 32, NPRM), 
at 3; CTIA (comment 34, NPRM), at 5; Consumer Data Industry 
Association (comment 36, NPRM), at 2; Wisconsin Bankers Association 
(comment 37, NPRM), at 1-2; Global Privacy Alliance (comment 38, 
NPRM), at 5-6; Bank Policy Institute (comment 39, NPRM), at 2; 
American Financial Services Association (comment 41, NPRM), at 4; 
National Association of Dealer Counsel (comment 44, NPRM), at 1; ACA 
International, (comment 45, NPRM), at 4; National Automobile Dealers 
Association (comment 46, NPRM), at 11; National Independent 
Automobile Dealers Association (comment 48, NPRM), at 2-3; Money 
Services Round Table (comment 53, NPRM), at 1-4; Software & 
Information Industry Association (comment 56, NPRM), at 1-3; Gusto 
and others (comment 11, Workshop), at 2; Association of National 
Advertisers (comment 5, Workshop), at 1-3; Internet Association 
(comment 9, Workshop), at 2-3.
    \69\ Electronic Transactions Association (comment 27, NPRM), at 
1-2.
    \70\ CTIA (comment 34, NPRM), at 5.
---------------------------------------------------------------------------

    The Commission, however, believes the elements provide sufficient 
flexibility for financial institutions to adopt information security 
programs suited to the size, nature, and complexity of their 
organization and information systems. The elements for the information 
security programs set forth in this section are high-level principles 
that set forth basic issues the programs must address, and do not 
prescribe how they will be addressed. 
For example, the requirement that the information security program be 
based on a risk assessment sets forth only three general items the 
assessment must address: (1) Criteria for evaluating risks faced by the 
financial institution; (2) criteria for assessing the security of its 
information systems; and (3) how the identified risks will be 
addressed. Other than meeting these basic requirements, financial 
institutions are free to perform their risk assessments in whatever way 
they choose, using whatever method or approach works best for them, as 
long as the method identifies reasonably foreseeable risks. The other 
elements are similarly flexible. The two elements that are more 
prescriptive, encryption and multi-factor authentication, allow 
financial institutions to adopt alternative solutions when necessary. 
Comments concerning individual elements are addressed separately in the 
more detailed analysis below.
Cost
    Another common theme among the comments from industry groups was 
the proposed information security program elements would be 
prohibitively expensive, especially for smaller businesses.\71\ 
Commenters argued the Proposed Rule would have required financial 
institutions to implement expensive changes to their systems and hire 
highly compensated professionals to do so.\72\ Industry groups were 
particularly concerned about the requirement that financial 
institutions designate a single qualified individual to coordinate 
their information security programs, arguing this would require hiring 
professionals who were both expensive, with salaries of more than 
$100,000 suggested by some, and in limited supply.\73\ Overall, several 
commenters argued some financial institutions would be unable to afford 
to bring themselves into compliance with the Proposed Rule.\74\
---------------------------------------------------------------------------

    \71\ American Council on Education (comment 24, NPRM), at 13-14; 
Wisconsin Bankers Association (comment 37, NPRM), at 1-2; American 
Financial Services Association (comment 41, NPRM), at 4; National 
Association of Dealer Counsel (comment 44, NPRM), at 1; National 
Automobile Dealers Association (comment 46, NPRM), at 11; National 
Independent Automobile Dealers Association, (comment 48, NPRM), at 
3; Gusto and others (comment 11, Workshop), at 2-4; National 
Pawnbrokers Association (comment 3, NPRM), at 2; see also Remarks of 
James Crifasi, Safeguards Workshop Tr., supra note 17, at 72-74 
(describing study that found compliance would be expensive for 
automobile dealers).
    \72\ See, e.g., Slides Accompanying Remarks of James Crifasi, 
FTC, ``NADA Cost Study: Average Cost Per U.S. Franchised 
Dealership,'' Event Materials, Information Security and Financial 
Institutions: An FTC Workshop to Examine Safeguards Rule (July 13, 
2020) https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (hereinafter Safeguards Workshop 
Slides), at 25 (estimating an upfront cost of $293,975 per 
dealership, and a recurring annual cost of $276,925); see also 
Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at 
72-75; Remarks of Brian McManamon, Safeguards Workshop Tr., supra 
note 17, at 78 (estimating the average annual salary of a CISO can 
range from $180,000 to upwards of $400,000); Slides Accompanying 
Remarks of Lee Waters, ``Estimated Costs of Proposed Changes,'' 
Safeguards Workshop Slides, at 26 (estimating the annual costs of a 
security program to include: Multi-factor authentication, $50 for 
smart card readers, and $10 each for smart cards; a CISO, either an 
in-house CISO, $180,000, an in-house cybersecurity analyst, $76,000, 
or an outsourced cybersecurity contractor, between $120,000 and 
$240,000; penetration testing, average cost $4,800; and physical 
security, $215,000 for construction, and $10,000 to $20,000 for new 
or upgraded locks); see also Remarks of Lee Waters, Safeguards 
Workshop Tr., supra note 17, at 75-76.
    \73\ See, e.g., Slides Accompanying Remarks of Lee Waters, 
``Estimated Costs of Proposed Changes,'' Safeguards Workshop Slides, 
supra note 72, at 26 (estimating costs of an in-house CISO to be 
$180,000 annually, and an in-house cybersecurity analyst to be 
$76,000 annually; and estimating an outsourced cybersecurity 
contractor would cost between $120,000 to $240,000 annually); see 
also Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17, 
at 75-76; Remarks of Brian McManamon, Safeguards Workshop Tr., supra 
note 17, at 78 (estimating that the average annual salary of a CISO 
can range from $180,000 to upwards of $400,000).
    \74\ See Remarks of Lee Waters, Safeguards Workshop Tr., supra 
note 17, at 119-20 (noting when small businesses have to spend money 
to hire third-party vendors and security experts to comply with 
regulations, that affects consumer prices and small business profit 
margins); Slides Accompanying Remarks of James Crifasi, ``NADA Cost 
Study: Average Cost Per U.S. Franchised Dealership,'' Safeguards 
Workshop Slides, supra note 72, at 25; see also Remarks of James 
Crifasi, supra note 17, at 73 (noting the requirements ``start 
becoming a little bit unaffordable here.'').
---------------------------------------------------------------------------

    The Commission recognizes properly securing information systems can 
be an expensive and technically difficult task. However, the Commission 
believes the additional costs imposed by the Proposed Rule are 
mitigated for several reasons and, ultimately, those costs are 
justified in order to protect customer information as required by the 
GLBA.\75\ First, for almost 20 years, financial institutions have been 
required under the current Safeguards Rule to have information security 
programs in place. The current Safeguards Rule requires financial 
institutions to ``develop, implement, and maintain a comprehensive 
[written] information security program . . . appropriate to [the 
financial institutions'] size and complexity, the nature and scope of 
[their] activities, and the sensitivity of any customer information at 
issue.'' \76\ This comprehensive program must be coordinated by one or 
more individuals and based on a risk assessment.\77\ As such, financial 
institutions complying with the current Rule will not be required to 
establish an information security program from scratch. Instead, they 
can compare their existing programs to the revised Rule, and address 
any gaps. The Commission believes many of the requirements set forth in 
the Final Rule are so fundamental to any information security program 
that the information security programs of many financial institutions 
will already include them if those programs are in compliance with the 
current Safeguards Rule.
---------------------------------------------------------------------------

    \75\ The Small Business Administration's Office of Advocacy 
commented it was concerned the FTC had not gathered sufficient data 
as to either the costs or benefits of the proposed changes for small 
financial institutions. Office of Advocacy, U.S. Small Business 
Administration (comment 28, NPRM), at 3-4. The FTC shares the Office 
of Advocacy's interest in ensuring that regulatory changes have an 
evidentiary basis. Many of the questions on which the FTC sought 
public comment, both in the regulatory review and in the proposed 
Rule context, specifically related to the costs and benefits of 
existing and proposed Rule requirements. Following the initial round 
of commenting, the Commission conducted the FTC Safeguards Workshop 
and solicited additional public comments with the explicit goal of 
gathering additional data relating to the costs and benefits of the 
proposed changes. See Public Workshop Examining Information Security 
for Financial Institutions and Information Related to Changes to the 
Safeguards Rule, 85 FR 13082 (Mar. 6, 2020). As detailed throughout 
this document, the Commission believes there is a strong evidentiary 
basis for the issuance of the final Rule.
    \76\ 16 CFR 314.3.
    \77\ 16 CFR 314.4.
---------------------------------------------------------------------------

    Second, a number of commenters who raised concerns about the costs 
imposed by the Rule believed the Proposed Rule would have required the 
hiring of a highly-compensated expert to serve as a Chief Information 
Security Officer (CISO).\78\ It is correct the Proposed Rule would have 
modified the current requirement of designating an ``employee or 
employees to coordinate your information security program'' by 
requiring the designation of a single qualified individual responsible 
for

[[Page 70280]]

overseeing and implementing the security program. This individual was 
referred to in the Proposed Rule as a Chief Information Security 
Officer or ``CISO.'' As discussed in detail below, the Final Rule does 
not use this term, though the concept is the same: The person 
designated to coordinate the information security program need only be 
``qualified.'' No particular level of education, experience, or 
certification is prescribed by the Rule. Accordingly, financial 
institutions may designate any qualified individual who is appropriate 
for their business. Only if the complexity or size of their information 
systems require the services of an expert will the financial 
institution need to hire such an individual.\79\
---------------------------------------------------------------------------

    \78\ Several speakers at the Safeguards Workshop also raised 
this concern. See, e.g., Slides Accompanying Remarks of James 
Crifasi, ``NADA Cost Study: Average Cost Per U.S. Franchised 
Dealership,'' in Safeguards Workshop Slides, supra note 72, at 25 
(estimating appointing a CISO to increase program accountability 
would be a one-time, up-front cost of $27,500, with a recurring 
annual cost of $51,000); Remarks of James Crifasi, Safeguards 
Workshop Tr., supra note 17, at 72-75; Slides Accompanying Remarks 
of Lee Waters, ``Estimated Costs of Proposed Changes,'' in 
Safeguards Workshop Slides, supra note 72, at 26 (estimating costs 
of an in-house CISO to be $180,000 annually, and an in-house 
cybersecurity analyst to be $76,000 annually; and estimating that an 
outsourced cybersecurity contractor would cost between $120,000 to 
$240,000 annually); Remarks of Lee Waters, Safeguards Workshop Tr., 
supra note 17, at 75-76; Remarks of Brian McManamon, Safeguards 
Workshop Tr., supra note 17, at 78 (estimating that the average 
annual salary of a CISO can range from $180,000 to upwards of 
$400,000).
    \79\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop 
Tr., supra note 17, at 89-90 (noting the size of a financial 
institution and the amount and nature of the information it holds 
factor into an appropriate information security program); see also 
Slides Accompanying Remarks of Rocio Baeza, ``Models for Complying 
to the Safeguards Rule Changes,'' in Safeguards Workshop Slides, 
supra note 72, at 27-28 (describing three different compliance 
models: In-house, outsource, and hybrid, with costs ranging from 
$199 per month to more than $15,000 per month); Remarks of Rocio 
Baeza, Safeguards Workshop Tr., supra note 17, at 81-83 (describing 
three compliance models in more detail).
---------------------------------------------------------------------------

    Finally, the Commission believes while large financial institutions 
may well incur substantial costs to implement complex information 
security programs, there are much more affordable solutions available 
for financial institutions with smaller and simpler information 
systems. For example, there are very low-cost or even free 
vulnerability assessment tools available; ``virtual CISO'' services 
enable a third party to provide security support for many companies, 
splitting the cost of information security professionals among them; 
many applications and hardware products have built-in encryption 
capabilities;\80\ and there are affordable multi-factor authentication 
solutions aimed at businesses of various sizes.
---------------------------------------------------------------------------

    \80\ See Remarks of Brian McManamon, Safeguards Workshop Tr., 
supra note 17, at 78 (describing virtual CISO services).
---------------------------------------------------------------------------

    Considering these points, although there will undoubtedly be 
expenses involved for some, or even many, financial institutions to 
update their programs, the Commission believes these expenses are 
justified because of the vital importance of protecting customer 
information collected, maintained, and processed by financial 
institutions. Congress recognized the importance of securing consumers' 
sensitive financial information when it passed the GLBA, which required 
the FTC to promulgate the Safeguards Rule. The importance, as well as 
the difficulty, of protecting customer information has only increased 
in the more than twenty years since the passage of the GLBA. The 
Commission believes the amendments to the Safeguards Rule are necessary 
to ensure the purposes of the GLBA are satisfied, and so consumers can 
have confidence financial institutions are providing reasonable 
safeguards to protect their information.
``Sensitive'' Customer Information
    Several industry groups also suggested significant portions of the 
Proposed Rule should not apply to all customer information, but rather 
only to some subset of particularly ``sensitive'' customer information, 
such as account numbers or social security numbers.\81\ These 
commenters generally argued the definition of ``customer information'' 
is too broad, as it will include information the commenters felt is not 
particularly sensitive, such as name and address, and does not justify 
extensive safeguards.\82\
---------------------------------------------------------------------------

    \81\ See, e.g., Electronic Transactions Association (comment 27, 
NPRM), at 2-4; CTIA (comment 34, NPRM), at 10; Global Privacy 
Alliance (comment 38, NPRM), at 7-8; American Financial Services 
Association (comment 41, NPRM), at 5; ACA International (comment 45, 
NPRM), at 13; Money Services Round Table (comment 53, NPRM), at 6-7.
    \82\ See, e.g., Electronic Transactions Association (comment 27, 
NPRM), at 2; Global Privacy Alliance (comment 38, NPRM), at 7.
---------------------------------------------------------------------------

    The Commission does not agree that some portion of customer 
information is not entitled to the protections required by the Final 
Rule. The Safeguards Rule defines ``customer information'' as ``any 
record containing nonpublic personal information'' about a customer 
handled or maintained by or on behalf of a financial institution.\83\ 
The Final Rule defines ``nonpublic personal information'' as 
``personally identifiable financial information,'' but does not include 
information that is ``publicly available.'' Although this definition is 
broad, the Commission believes information covered by it is rightfully 
considered sensitive and should be protected accordingly. The 
businesses regulated by the Safeguards Rule are not just any 
businesses, but are financial institutions and are responsible for 
handling and maintaining financial information that is both important 
to consumers and valuable to attackers who try to obtain the 
information for financial gain. Even the fact that a consumer is a 
customer of a particular financial institution is generally nonpublic 
and can be sensitive. For example, the revelation of a customer 
relationship between a consumer and a particular type of financial 
institution, such as debt collectors or payday lenders, may make those 
customers' information more vulnerable to compromise by facilitating 
social engineering or similar attacks. The nature of the relationship 
between customers and their financial institutions makes all nonpublic 
information held by the financial institution inherently sensitive and 
worthy of the level of protection set forth in the Rule.
---------------------------------------------------------------------------

    \83\ 16 CFR 314.2(b).
---------------------------------------------------------------------------

    Although the Commission believes all customer information should be 
safeguarded by financial institutions and declines to exclude any 
portion of that information from protection under any of the provisions 
of the Rule, it notes the Rule does contemplate financial institutions 
will consider the sensitivity of particular information in designing 
their information security programs and safeguards. The elements 
required by this section are generally flexible enough to allow 
financial institutions to treat various pieces of information 
differently. For example, paragraph (c)(1) requires information 
security programs to include safeguards that address access control of 
customer information. The paragraph requires financial institutions to 
develop measures to ensure only authorized users access customer 
information, but does not prescribe any particular measures that must 
be adopted. When designing these measures, a financial institution may 
design a system in which more sensitive information is protected by 
more stringent access controls. Even in the more specific provisions of 
the Rule, there is flexibility to address the relative sensitivity of 
information. For example, under Sec.  314.4(c)(5)'s requirement that 
customer information be protected by multi-factor authentication, 
financial institutions have flexibility to implement the multi-factor 
authentication depending on the sensitivity of the information. The 
financial institution may select factors such as SMS text messages to 
access less sensitive information, but determine more sensitive 
information should be protected by other, more secure, factors for 
authentication.
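The two points above (access controls under paragraph (c)(1) that vary with sensitivity, and multi-factor authentication under paragraph (c)(5) whose factors vary with sensitivity) can be expressed as a single policy check. The following is an added illustration, not part of the Rule or of any commenter's submission: the sensitivity tiers, the factor names and the relative strength ranking (SMS weakest, hardware-backed FIDO2 strongest) are assumptions chosen for the example. It also generalizes slightly beyond the text by treating two authenticators from the same category (password plus security question) as not multi-factor.

```python
"""Tiered authentication and access policy keyed to data sensitivity.

Added illustration, not part of the FTC rule text: the sensitivity tiers,
factor names and strength rankings below are assumptions chosen to show how
one program can require stronger factors for more sensitive records.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1    # assumed tier: e.g. name and mailing address
    HIGH = 2   # assumed tier: e.g. account numbers, SSNs


# Each authenticator maps to one factor category (know / have / are).
# Two authenticators from the same category do not make multi-factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "sms_otp": "possession",   # phishable and SIM-swappable: weakest "have"
    "totp": "possession",
    "fido2": "possession",
    "fingerprint": "inherence",
}

# Assumed relative strength of non-knowledge factors (higher is stronger).
FACTOR_STRENGTH = {"sms_otp": 1, "totp": 2, "fingerprint": 2, "fido2": 3}

# Policy per tier: how many distinct categories must be verified and how
# strong the best non-knowledge factor must be. HIGH rules out SMS as the
# only second factor.
POLICY = {
    Sensitivity.LOW: {"min_categories": 2, "min_strength": 1},
    Sensitivity.HIGH: {"min_categories": 2, "min_strength": 2},
}


@dataclass
class Session:
    user: str
    verified_factors: set[str] = field(default_factory=set)


def evaluate(session: Session, sensitivity: Sensitivity) -> tuple[bool, str]:
    """Return (allowed, reason) for access to data at the given tier."""
    factors = session.verified_factors
    unknown = factors - set(FACTOR_CATEGORY)
    if unknown:
        return False, f"unrecognized factor(s): {sorted(unknown)}"
    categories = {FACTOR_CATEGORY[f] for f in factors}
    rule = POLICY[sensitivity]
    if len(categories) < rule["min_categories"]:
        return False, "multi-factor authentication required (two distinct categories)"
    best = max((FACTOR_STRENGTH[f] for f in factors if f in FACTOR_STRENGTH), default=0)
    if best < rule["min_strength"]:
        return False, f"{sensitivity.name} data needs a stronger second factor than SMS"
    return True, "ok"


def step_up_needed(session: Session, sensitivity: Sensitivity) -> bool:
    """True when the caller should prompt for an additional or stronger factor."""
    return not evaluate(session, sensitivity)[0]


if __name__ == "__main__":
    # Constructed sessions for illustration.
    alice = Session("alice", {"password", "sms_otp"})
    print("LOW :", evaluate(alice, Sensitivity.LOW))
    print("HIGH:", evaluate(alice, Sensitivity.HIGH))
    alice.verified_factors.add("totp")   # step-up completed
    print("HIGH after step-up:", evaluate(alice, Sensitivity.HIGH))
```

The design point is that the decision is made per record tier at access time, so a session that was adequate for reading a mailing address is re-evaluated, and prompted to step up, before it can read an account number; the weak factor is not rejected outright, it is simply insufficient for the higher tier.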
Third-Party Standards and Frameworks
    In addition, in the NPRM, the Commission asked whether the 
Safeguards Rule should incorporate outside standards, such as the 
National Institute of Standards and Technology (``NIST'') framework, 
either as required elements of an information security program or as a 
safe harbor that would

[[Page 70281]]

treat compliance with such a standard as compliance with the Safeguards 
Rule. Some commenters advocated for the adoption of an outside standard 
into the Safeguards Rule.\84\ Cisco Systems, Inc. suggested the 
Safeguards Rule should be connected to NIST guidance, arguing this 
would allow the Rule to evolve as NIST's guidance evolves.\85\ An 
anonymous commenter suggested the Rule should comply with 
``international standard ISO/IEC 27001.'' \86\ The National Consumer 
Law Center argued certain financial institutions with particularly 
sensitive customer information should be required to comply with 
guidelines issued by NIST and the Federal Financial Institutions 
Examination Council (FFIEC).\87\ Other commenters acknowledged the 
value of outside standards but were opposed to the Rule requiring 
compliance with them.\88\
---------------------------------------------------------------------------

    \84\ Cisco Systems, Inc. (comment 51, NPRM), at 4; National 
Consumer Law Center and others (comment 58, NPRM), at 2; Anonymous 
(comment 2, Workshop).
    \85\ Cisco Systems, Inc. (Comment 51, NPRM), at 4.
    \86\ Anonymous (comment 2, Workshop). The ISO/IEC 27001 standard 
is an information security standard issued by the International 
Organization for Standardization. See ISO/IEC 27001 Information 
Security Management, ISO, https://www.iso.org/isoiec-27001-information-security.html (last accessed 15 Dec. 2020).
    \87\ National Consumer Law Center and others (comment 58, NPRM), 
at 2.
    \88\ HITRUST (comment 18, NPRM), at 2; see also Consumer Reports 
(comment 52, NPRM), at 6-7 (discouraging the adoption of outside 
standards as a safe harbor for companies).
---------------------------------------------------------------------------

    Some commenters suggested while compliance with outside standards 
should not be required, compliance should serve as a ``safe harbor'' 
for compliance with the Rule.\89\ On the other hand, Consumer Reports 
noted while such standards can be helpful guidance, they should not be 
a safe harbor for compliance with the Rule because financial 
institutions must take steps to ensure they are responding to changing 
information security threats regardless of the requirements of an 
outside framework.\90\
---------------------------------------------------------------------------

    \89\ Mortgage Bankers Association (comment 26, NPRM), at 2 
(suggesting Rule be modified so financial institutions that use the 
NIST Cybersecurity Framework would be in de facto compliance with 
the Rule); see also National Pawnbrokers Association (comment 32, 
NPRM), at 6-7 (advocating for the adoption of safe harbors for small 
financial institutions without detailing what should be required to 
qualify for the safe harbor).
    \90\ Consumer Reports (comment 52, NPRM), at 6-7.
---------------------------------------------------------------------------

    The Commission declines to change the Rule to incorporate or 
reference a particular security standard or framework for a variety of 
reasons. First, it is not clear the more detailed frameworks would 
apply well to financial institutions of various sizes and industries. 
In addition, mandating companies follow a particular security standard 
or framework would reduce the flexibility built into the Rule. 
Similarly, the Commission declines to make compliance with an outside 
standard a safe harbor for the Rule. In such a scenario, the use of 
safe harbors would not greatly enhance regulatory stability or 
predictability for financial institutions because the Commission would 
be required to actively monitor whether those standards continued to 
provide equivalent protections for Safeguards compliance and modify the 
Rule if a standard became inadequate. In addition, in investigating 
possible violations of the Rule, the Commission would be required to 
independently verify whether the financial institution had in fact 
complied with the outside framework, which would require substantial 
effort and expense on the part of the Commission and the target of the 
investigation.
Specific Elements
    In addition to these generally applicable comments, commenters 
addressed many of the individual elements set forth by this section. 
These elements are discussed in more detail below.
Paragraph (a)--Designation of a Single Qualified Individual
    Proposed paragraph (a) changed the current requirement that 
institutions designate an ``employee or employees to coordinate your 
information security program'' to instead require the financial 
institution to designate ``a qualified individual responsible for 
overseeing and implementing your information security program and 
enforcing your information security program.'' \91\ This individual was 
referenced in the Proposed Rule as a Chief Information Security Officer 
or ``CISO.''
---------------------------------------------------------------------------

    \91\ Section 314.4(a).
---------------------------------------------------------------------------

    The notice of proposed rulemaking for the Proposed Rule emphasized 
the use of the term ``CISO'' was for clarity in the Proposed Rule.\92\ 
Despite the use of the term ``CISO,'' the Proposed Rule did not require 
financial institutions to actually grant that title to the designated 
individual. Commenters that responded to this proposal, however, 
generally assumed the person designated to coordinate and oversee a 
financial institution's information security program would be required 
to have the qualifications, duties, responsibilities, and accompanying 
pay of a CISO as that position is generally understood in the 
information security field.\93\ The position of CISO is generally 
limited to large companies with fairly complex information security 
systems, so the salary of this position is often very high.\94\ 
Accordingly, many commenters argued hiring a CISO would be 
prohibitively expensive for many financial institutions.\95\ 
Additionally, commenters argued the hiring of such an in-demand 
professional would be difficult because of a general shortage of such 
professionals available for hiring.\96\
---------------------------------------------------------------------------

    \92\ 84 FR 13165.
    \93\ U.S. Chamber of Commerce (comment 33, NPRM), at 10; 
National Automobile Dealers Association (comment 46, NPRM), at 17-19; 
National Independent Automobile Dealers Association (comment 48, 
NPRM), at 5; ACA International (comment 45, NPRM), at 8.
    \94\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop 
Tr., supra note 17, at 78 (estimating the average annual salary of a 
CISO can range from $180,000 to upwards of $400,000).
    \95\ National Automobile Dealers Association (comment 46, NPRM), 
at 17-19; National Independent Automobile Dealers Association 
(comment 48, NPRM), at 5; U.S. Chamber of Commerce (comment 33, 
NPRM), at 10; ACA International (comment 45, NPRM), at 8.
    \96\ National Automobile Dealers Association (comment 46, NPRM), 
at 18-19; U.S. Chamber of Commerce (comment 33, NPRM), at 10; ACA 
International (comment 45, NPRM), at 8.
---------------------------------------------------------------------------

    By using the term ``CISO,'' the Commission did not intend to 
require all financial institutions hire a highly qualified professional 
with an extremely high salary, regardless of the financial 
institutions' size or complexity. The Proposed Rule required only that 
financial institutions designate a ``qualified individual'' to oversee 
and enforce their information security program, without specifying any 
particular level of experience, education, or compensation, or 
requiring any particular duties outside of overseeing the financial 
institution's information security program and other requirements 
specifically set forth in the Rule.\97\ The use of the term ``CISO'' in 
the Proposed Rule, however, caused confusion about the requirements of 
this section. Accordingly, the Final Rule replaces the term ``CISO'' 
with ``Qualified Individual'' to refer to the individual designated 
under this section of the Rule.
---------------------------------------------------------------------------

    \97\ 84 FR 13175.
---------------------------------------------------------------------------

    The use of the term ``Qualified Individual'' is meant to clarify 
the only requirement for this designated individual is that he or she 
be qualified to oversee and enforce the financial institution's 
information security program. What qualifications are necessary will 
depend upon the size and complexity of a financial institution's 
information system and the volume and sensitivity of the customer 
information the financial institution

[[Page 70282]]

possesses or processes. The Qualified Individual of a financial 
institution with a very small and simple information system will need 
less training and expertise than a Qualified Individual for a financial 
institution with a large, complex information system. The exact 
qualifications will depend on the nature of the financial institution's 
information system. Each financial institution will need to evaluate 
its own information security needs and designate an individual with 
appropriate qualifications to meet those needs.
    The Commission believes, in many cases, financial institutions' 
current coordinators, whether their own employees or third-party 
contractors, may be qualified for this role.\98\ Because the current 
Safeguards Rule requires financial institutions to designate an 
``employee or employees to coordinate your information security 
program,'' financial institutions in compliance with that Rule will 
already have one or more information security coordinators. Although 
the current Rule does not expressly require that these coordinators be 
qualified for that position, the current Rule requires a financial 
institution to maintain ``appropriate'' safeguards, regularly test 
those safeguards, and evaluate and adjust the information security 
program in light of that testing.\99\ In order to effectively comply 
with these ongoing requirements, a financial institution's coordinator 
must have some level of information security training and knowledge 
and, therefore, will likely be an appropriate Qualified Individual 
under the Final Rule. Accordingly, in many cases this amendment to the 
Rule will not require any additional hiring expenses.
---------------------------------------------------------------------------

    \98\ Remarks of James Crifasi, Safeguards Workshop Tr., supra 
note 17, at 74 (stating car dealerships can rely on existing staff 
for this role); Remarks of Lee Waters, Safeguards Workshop Tr., 
supra note 17, at 78-79 (stating any dealership with any IT staff at 
all would have someone who could assume the role of ``qualified 
individual,'' perhaps requiring some additional research or outside 
help); Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 
17, at 81-82 (stating companies may use an existing employee for the 
role and ``for any areas where there may be skill gaps, that can be 
supplemented with either certifications or some type of 
education.'').
    \99\ 16 CFR 314.4.
---------------------------------------------------------------------------

    In addition to explicitly requiring that the information security 
program coordinator be qualified for the role, the Commission proposed 
to require the designation of a single employee, as opposed to the 
multiple coordinators allowed by the existing Rule. Some commenters 
objected to this proposal on the grounds that it would interfere with 
financial institutions' flexibility in organizing their information 
security personnel.\100\ For example, the Consumer Data Industry 
Association (``CDIA'') commented the designation of a single 
coordinator would interfere with financial institutions' ability to 
organize their program ``to share responsibilities among different 
personnel with different strengths.'' \101\ Similarly, ACA 
International argued this requirement would prevent financial 
institutions from having multiple staff members share responsibilities 
for information security programs.\102\
---------------------------------------------------------------------------

    \100\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 5; Consumer Data Industry Association 
(comment 36, NPRM), at 5; National Association of Dealer Counsel 
(comment 44, NPRM), at 2; ACA International (comment 45, NPRM), at 
7-8; Money Services Round Table (comment 53, NPRM), at 10; Gusto and 
others (comment 11, Workshop), at 2; see also Remarks of James 
Crifasi, Safeguards Workshop Tr., supra note 17, at 74 (stating 
``when we're talking about a small and medium business [. . .] we 
really need to see that `qualified individual' be a mix of folks'').
    \101\ Consumer Data Industry Association (comment 36, NPRM), at 
5.
    \102\ ACA International (comment 45, NPRM), at 7-8. NPA raised 
similar concerns. National Pawnbrokers Association (comment 3, 
Workshop), at 2.
---------------------------------------------------------------------------

    Other commenters argued the designation of a single individual as 
the coordinator of the information security program provides no proven 
benefits over the use of multiple coordinators.\103\ Similarly, NADA 
argued that, while the appointment of a single qualified individual 
might improve accountability, improving accountability does not improve 
security.\104\ On the other hand, a group of consumer and advocacy 
groups including the National Consumer Law Center (``NCLC'') argued 
appointing a single individual as the coordinator of the information 
security program can increase security and prevent security events 
based on lack of accountability and poor coordination.\105\
---------------------------------------------------------------------------

    \103\ Consumer Data Industry Association (comment 36, NPRM), at 
5; National Automobile Dealers Association (comment 46, NPRM), at 
19; ACA International (comment 45, NPRM), at 8.
    \104\ National Automobile Dealers Association (comment 46, 
NPRM), at 19.
    \105\ National Consumer Law Center and others (comment 58, 
NPRM), at 3 (arguing that a clear line of reporting with a single 
responsible individual could have prevented the Equifax consumer 
data breach).
---------------------------------------------------------------------------

    The Commission retains the requirement to designate a single 
qualified individual, because it believes there are clear benefits to 
the designation of a single coordinator. Designating a single 
coordinator to oversee an information security program clarifies lines 
of reporting in enforcing the program, can avoid gaps in responsibility 
in managing data security, and improve communication.\106\
---------------------------------------------------------------------------

    \106\ Remarks of Adrienne Allen, Safeguards Workshop Tr., supra 
note 17, at 182-84 (stating that without a single responsible 
individual, information security staff ``can fall into traps of each 
relying on someone else to make a hard call . . . [In a program 
without a single coordinator] issues can sometimes fall through the 
cracks.''); Remarks of Michele Norin, Safeguards Workshop Tr., supra 
note 17, at 184-85 (``I think it's extremely important to have a 
person in front of the information security program. I think that 
there are so many components to understand, to manage, to keep an 
eye on. I think it's difficult to do that if it's part of someone 
else's job. And so I found that it's extremely helpful to have a 
person in charge of that program just from a pure basic management 
perspective and understanding perspective.'').
---------------------------------------------------------------------------

    The Commission disagrees with the commenter who stated improved 
accountability does not lead to improved security. The goal of 
improving accountability is to ensure information security staff and 
financial institution management give the necessary attention and 
resources to information security. In addition, an individual that has 
clear responsibility for the strength of a financial institution's 
information security program will be accountable to improve the program 
and ensure it protects customer information.\107\
---------------------------------------------------------------------------

    \107\ See, e.g., Federal Trade Commission Staff Comment on the 
Preliminary Draft for the NIST Privacy Framework: A Tool for 
Improving Privacy through Enterprise Risk Management (Oct. 24, 
2019), at 12-14 (suggesting NIST clarify that one person should be 
in charge of the program). https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-preliminary-draft-nist-privacy-framework/p205400nistprivacyframeworkcomment.pdf.
---------------------------------------------------------------------------

    The major breach that occurred at national consumer reporting 
agency Equifax in 2017 demonstrates the importance of clear lines of 
reporting and accountability in management of information security 
programs. The U.S. House Committee on Oversight and Government Reform 
issued a report on the breach that identified Equifax's organization as 
one of the major causes of the breach.\108\ The report indicated 
Equifax's division of responsibility for information security between 
two individuals that reported to two different company officers 
contributed to failures of communication, oversight, and enforcement 
that led to millions of consumers' data being compromised.\109\ 
Increasing accountability for individuals and organizations can 
directly lead to improved security for customer information.
---------------------------------------------------------------------------

    \108\ U.S. House, Committee on Oversight and Government Reform, 
Majority Staff Report, The Equifax Data Breach, at 55-62, 115th 
Congress (Dec. 2018).
    \109\ Id.
---------------------------------------------------------------------------

    Finally, the Commission does not believe the requirement to 
designate a single Qualified Individual would

[[Page 70283]]

prevent the approach of having multiple people responsible for 
different aspects of the program, as some commenters asserted. While 
the Qualified Individual appointed as the coordinator of the 
information security program would have ultimate responsibility for 
overseeing and managing the information security program, financial 
institutions may still assign particular duties and responsibilities to 
other staff members.\110\ A financial institution may organize its 
personnel in teams or share decision making between individuals. 
Moreover, the Rule does not require this be the Qualified Individual's 
sole job--he or she may have other duties. The Rule requires only that 
one individual assume the ultimate responsibility for overseeing and 
enforcing the program.
---------------------------------------------------------------------------

    \110\ See Remarks of Adrienne Allen, Safeguards Workshop Tr., 
supra note 17, at 189-90 (noting that, even where there is a single 
point person, decision makers rarely operate ``in a vacuum.'').
---------------------------------------------------------------------------

    Accordingly, the Final Rule requires designation of a single 
Qualified Individual, as proposed, but no longer uses the term 
``CISO.''
Third-Party Coordinators
    The Proposed Rule stated that the Qualified Individual would not 
need to be an employee of the financial institution, but could be an 
employee of an affiliate or a service provider. This change was 
intended to accommodate financial institutions that may prefer to 
retain an outside expert, lack the resources to employ a qualified 
person to oversee a program, or decide to pool resources with 
affiliates to share staff to manage information security. The Proposed 
Rule required, however, that to the extent a financial institution used 
a service provider or affiliate, the financial institution must still: 
(1) Retain responsibility for compliance with the Rule; (2) designate a 
senior member of its personnel to be responsible for direction and 
oversight of the Qualified Individual; and (3) require the service 
provider or affiliate to maintain an information security program that 
protects the financial institution in accordance with the Rule.
    The Commission received one comment on this aspect of the 
provision. NADA argued that, because a senior member of a financial 
institution's personnel must be responsible for the oversight of a 
third-party Qualified Individual, the supervising individual would need 
to be an expert in information security, and the financial institution 
would still be required to hire an expensive employee to supervise the 
third-party Qualified Individual.\111\ The Rule, however, does not 
require individuals responsible for overseeing third-party Qualified 
Individuals to be information security experts themselves. The senior 
member of personnel who oversees the third-party Qualified Individual is 
charged with supervising and monitoring the third party so that the 
financial institution is aware of its data security needs and the 
safeguards being used to protect its information systems. This person 
does not need to be qualified to coordinate the information security 
program himself or herself. Technical staff are frequently supervised by 
employees or 
officers with limited technical expertise.\112\ The Rule requires only 
the same responsibilities a supervisor would have in overseeing an in-
house information security coordinator of a financial institution. 
Accordingly, the Commission adopts the proposed paragraph without 
modification.
---------------------------------------------------------------------------

    \111\ National Automobile Dealers Association (comment 46, 
NPRM), at 18.
    \112\ See Remarks of James Crifasi, Safeguards Workshop Tr., 
supra note 17, at 79-80 (stating that, in his work as a third-party 
information security service provider, he is often overseen by 
executives without technical backgrounds); see also Remarks of Rocio 
Baeza, Safeguards Workshop Tr., supra note 17, at 105-06 (noting 
distinction in how executives and technical staff may understand 
their organizations' use of encryption); Remarks of Karthik 
Rangarajan, Safeguards Workshop Tr., supra note 17, at 196 
(discussing challenges inherent in discussing technical issues with 
board members who lack a technical background) and at 211 (noting 
organizations can successfully manage their relationships with 
third-party service providers without ``becom[ing] experts'' in the 
services provided).
---------------------------------------------------------------------------

Proposed Paragraph (b)
    The NPRM proposed amending paragraph (b) to clarify a financial 
institution must base its information security program on the findings 
of its risk assessment by adding an explicit statement that financial 
institutions' ``information security program [shall be based] on a risk 
assessment.'' \113\ In addition, the Proposed Rule removed existing 
Sec.  314.4(b)'s requirement that the risk assessment must include 
consideration of specific risks \114\ because these specific risks are 
set forth elsewhere in the Proposed Rule.\115\ The Commission received 
no comments on this paragraph and adopts paragraph (b) as proposed.
---------------------------------------------------------------------------

    \113\ Proposed 16 CFR 314.4(b).
    \114\ Proposed 16 CFR 314.4(b)(1), (2), and (3).
    \115\ See, e.g., Proposed 16 CFR 314.4(c)(2) and (10) and (e).
---------------------------------------------------------------------------

Written Risk Assessment
    Paragraph (b)(1) of the Proposed Rule required the risk assessment 
be written and include: (1) Criteria for the evaluation and 
categorization of identified security risks or threats the financial 
institution faces; (2) criteria for the assessment of the 
confidentiality, integrity, and availability of the financial 
institution's information systems and customer information, including 
the adequacy of the existing controls in the context of the identified 
risks or threats to the financial institution; and (3) requirements 
describing how identified risks will be mitigated or accepted based on 
the risk assessment and how the information security program will 
address the financial institution's risks. Commenters raised several 
concerns about the Proposed Rule's provisions on risk assessment, none 
of which merit changes to the Proposed Rule.
    First, some commenters objected to the level of specificity of the 
Proposed Rule, with some arguing the requirements were too specific, 
and others arguing the requirements were not specific enough. With 
respect to the Proposed Rule being too specific, commenters such as ACA 
and U.S. Chamber of Commerce argued it removed financial institutions' 
flexibility in performing risk assessments.\116\ The U.S. Chamber of 
Commerce contended, because the criteria are too specific, a risk 
assessment performed using them would not be ``sufficiently risk 
based.'' \117\ CDIA expressed concern it was unclear ``what level of 
specificity is required'' in the written risk assessment and if 
detailed risk assessments are required, they ``could themselves become 
a roadmap for a security breach.'' \118\
---------------------------------------------------------------------------

    \116\ ACA International (comment 45, NPRM), at 12; U.S. Chamber 
of Commerce (comment 33, NPRM), at 10.
    \117\ U.S. Chamber of Commerce (comment 33, NPRM), at 10.
    \118\ Consumer Data Industry Association (comment 36, NPRM), at 
5.
---------------------------------------------------------------------------

    In contrast, several other commenters recommended the Rule set 
forth more specific criteria for risk assessments. Inpher suggested the 
Commission add a requirement that risk assessments require financial 
institutions to examine ``technologies that are deployed by [financial 
institutions'] information security systems, and evaluate the 
feasibility'' of adopting ``privacy enhancing technologies'' that would 
better address vulnerabilities and thwart threats.\119\ Inpher also 
recommended the Rule require financial institutions to conduct privacy 
impact assessments with ``specific guidelines to review internal data 
protection standards and adherence to fair information

[[Page 70284]]

principles.'' \120\ The Princeton Center suggested the Rule require 
risk assessments to include threat modeling and adopt the concept of 
defense in depth.\121\ HALOCK Security Labs recommended the Rule 
specifically require ``a) That risk assessments should evaluate the 
likelihood of magnitudes of harm that result from threats and errors, 
b) That risk assessments should explicitly estimate foreseeable harm to 
consumers as well as to the covered financial institutions, c) That 
risk mitigating controls are commensurate with the risks they address, 
[and] d) That risk assessments estimate likelihoods and impacts using 
available data.'' \122\
---------------------------------------------------------------------------

    \119\ Inpher, Inc. (comment 50, NPRM), at 4.
    \120\ Id.
    \121\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 2.
    \122\ HALOCK Security Labs (comment 4, Workshop) at 2. See Rocio 
Baeza (comment 12, Workshop) at 2-3 (suggesting a detailed list of 
requirements for the risk assessment).
---------------------------------------------------------------------------

    The Commission believes the Proposed Rule's provisions on risk 
assessment strike the right balance between specificity and 
flexibility. The amendments provide only a high-level list of criteria 
the risk assessment must address. They essentially require that the 
financial institution identify and evaluate risks to its systems, 
evaluate the adequacy of its existing controls for addressing these 
risks, and identify how these risks can be mitigated. These are core 
requirements of any risk assessment.\123\ The Rule does not require any 
specific methodology or approach for performing the assessment. 
Financial institutions are free to perform the risk assessment using 
the method most suitable for their organization as long as that method 
meets the general requirements set forth in the Rule.\124\ And while 
the Commission agrees the additional requirements suggested by some 
commenters may be beneficial in many, or even most, risk assessments, 
it believes a more flexible requirement will better allow financial 
institutions to find the risk assessment method that best fits their 
organization and will better accommodate changes in recommended 
approaches in the future.
---------------------------------------------------------------------------

    \123\ See, e.g., Remarks of Chris Cronin, Safeguards Workshop 
Tr., supra note 17, at 25 (stating that evaluating the likelihoods 
and impacts of potential security risks and evaluating existing 
controls is an important component of a risk assessment); Remarks of 
Serge Jorgensen, Safeguards Workshop Tr., supra note 17, at 29-30 
(emphasizing the importance of risk assessments as tools for 
adjusting existing security measures to account for both current and 
future security threats); Nat. Inst. of Sci. & Tech., U.S. Dept. of 
Com., Special Publication 800-30 Rev. 1, Guide for Conducting Risk 
Assessments 1 (2012) (describing the purpose of risk assessments as 
the identification of and prioritization of risk in order to inform 
decision making and risk response).
    \124\ ACA International further argued because risk assessment 
criteria are generally understood, they do not need to be included 
in the Final Rule. ACA International (comment 45, NPRM). The 
Commission believes it is helpful to be clear about the criteria the 
risk assessment must contain, even if those criteria are commonly 
understood.
---------------------------------------------------------------------------

    In response to CDIA's concern that the risk assessment could provide 
a roadmap for bad actors, the Commission acknowledges that the written 
risk assessment will certainly include details about a financial 
institution's systems that could assist an attacker who obtained it. 
Accordingly, the risk 
assessment should be protected as any other sensitive information would 
be. The Commission does not view this concern as a reason not to create 
such a document. Indeed, the concern would apply to any written 
document that provides information regarding a financial institution's 
information security procedures, from a network diagram to written 
security code.
    Second, some commenters argued implementing the risk-assessment 
provision as proposed would be too expensive and difficult for 
financial institutions.\125\ For example, NADA argued the contemplated 
risk assessment would be very costly because the criteria set out in 
paragraph (b)(1) are ``well outside the scope of expertise of anyone 
but the most sophisticated IT professionals.'' \126\ In response, 
although the Commission declines to modify the provision, it addresses 
NADA's concern in Sec.  314.6 by exempting financial institutions that 
maintain information concerning fewer than 5,000 consumers from the 
specific requirements of paragraph (b)(1), and from the requirement to 
memorialize the risk assessment in writing. For those financial 
institutions that do not qualify for this exemption, the Commission 
believes they will be able to perform the required risk assessment in a 
manner that is practical and affordable for their institution. There 
are many resources available to financial institutions to aid in risk 
assessment, including service providers that can assist institutions of 
various sizes.\127\
---------------------------------------------------------------------------

    \125\ National Association of Dealer Counsel (comment 44, NPRM), 
at 3; National Automobile Dealers Association (comment 46, NPRM), at 
20.
    \126\ National Automobile Dealers Association (comment 46, 
NPRM), at 20.
    \127\ See, e.g., Slides Accompanying Remarks of Rocio Baeza, in 
Safeguards Workshop Slides, supra note 72, at 27-28 (describing 
three different compliance models: In-house, outsource, and hybrid, 
with costs ranging from $199 per month to more than $15,000 per 
month); Slides Accompanying the Remarks of Brian McManamon, ``Sample 
Pricing,'' in Safeguards Workshop Slides, supra note 72, at 29 
(estimating the cost of cybersecurity services based on number of 
endpoints: $2K-$5K per month for 25-250 endpoints; $5K-$15K for 250-
750 endpoints; $15K-$30K for 750-1,000 endpoints; and $30K-$50K for 
1,500-2,500 endpoints); see also Remarks of Brian McManamon, 
Safeguards Workshop Tr., supra note 17, at 83-85.
---------------------------------------------------------------------------

    While acknowledging there will be some cost to conducting a risk 
assessment, the Commission believes a properly conducted risk 
assessment is an essential part of a financial institution's 
information security program. The entire Safeguards Rule, both as it 
currently exists and as amended, requires that the information security 
program be based on a risk assessment. An information security program 
cannot properly guard against risks to customer information if those 
risks have not been identified and assessed.\128\ The Commission 
believes this requirement properly emphasizes the importance of robust 
risk assessments, while providing financial institutions sufficient 
flexibility in performing these assessments. Finally, the Commission 
notes, because the current Rule also requires that a risk assessment be 
performed, financial institutions that have complied with the current 
Rule have already conducted a risk assessment. And, even if that risk 
assessment was not memorialized in writing, the work conducted for that 
risk assessment should be useful in performing future risk assessments.
---------------------------------------------------------------------------

    \128\ See Remarks of Chris Cronin, Safeguards Workshop Tr., 
supra note 17, at 48-49 (noting all information security frameworks 
and guidelines are based on risk analysis).
---------------------------------------------------------------------------

    Third, NADA objected to the requirement that the risk assessment 
describe how each identified risk will be ``mitigated or accepted,'' 
arguing it is not clear when it is appropriate to ``accept a risk.'' 
\129\ NADA argued that documenting a decision to accept a risk would 
``create a record that can be distorted and second guessed after the 
fact,'' and ``context is lost when it is written and reviewed after an 
incident has occurred.'' \130\ The Rule does not require a financial 
institution to mitigate every risk identified, no matter how remote or 
insignificant. Instead, the Rule allows a financial institution to 
accept a risk, if its assessment of the risk reveals that the chance it 
will produce a security event is very small, if the consequences of the 
risk are minimal, or the cost of mitigating the risk far outweighs the 
benefit. In those cases, the financial institution may choose to accept 
the risk. A financial institution concerned that its decision to accept 
a risk will later be questioned may choose to set forth whatever 
context or

[[Page 70285]]

explanation it sees fit in the written assessment.
---------------------------------------------------------------------------

    \129\ National Automobile Dealers Association (comment 46, NPRM) 
at 20.
    \130\ Id.
---------------------------------------------------------------------------
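    The written assessment that paragraph (b)(1) describes, and the 
mitigate-or-accept decision discussed above, can be recorded in a 
structured form. The following is an added illustration, not text or 
code from the Rule or the Commission: it encodes the three elements of 
paragraph (b)(1) (criteria for categorizing identified risks, criteria 
for evaluating existing controls against confidentiality, integrity and 
availability, and a mitigate-or-accept decision) together with the 
acceptance grounds described in response to NADA. The 1-5 scales, the 
category and "far outweighs" thresholds, and the sample risks are 
assumptions made for illustration only.

```python
from dataclasses import dataclass
from enum import Enum

# Added example, not from the Rule: a minimal written risk assessment record.
# The 1-5 scales, thresholds and sample risks below are assumptions.


class Decision(str, Enum):
    MITIGATE = "mitigate"
    ACCEPT = "accept"


@dataclass
class Risk:
    name: str
    likelihood: int          # assumed scale: 1 (remote) .. 5 (expected)
    impact: int              # assumed scale: 1 (minimal) .. 5 (severe)
    affects: frozenset       # subset of {"confidentiality", "integrity", "availability"}
    existing_control: str
    control_adequate: bool   # adequacy judged against this identified risk
    mitigation_cost: float   # assumed estimate: cost of a new safeguard
    expected_loss: float     # assumed estimate: likelihood-weighted loss


def categorize(risk: Risk) -> str:
    """Categorization criterion (assumed): likelihood x impact on a 1-25 scale."""
    score = risk.likelihood * risk.impact
    return "high" if score >= 15 else "medium" if score >= 6 else "low"


def decide(risk: Risk) -> tuple:
    """Mitigate or accept, recording the reason so the written assessment
    preserves the context of the decision for later review."""
    if risk.control_adequate:
        return Decision.MITIGATE, (f"existing control adequate: {risk.existing_control}; "
                                   "retain and re-evaluate periodically")
    if risk.likelihood == 1:
        return Decision.ACCEPT, "chance the risk produces a security event is very small"
    if risk.impact == 1:
        return Decision.ACCEPT, "consequences of the risk are minimal"
    if risk.mitigation_cost > 10 * risk.expected_loss:   # assumed 'far outweighs' threshold
        return Decision.ACCEPT, (f"mitigation cost {risk.mitigation_cost:.0f} far outweighs "
                                 f"expected loss {risk.expected_loss:.0f}")
    return Decision.MITIGATE, "material risk without an adequate control; a new safeguard is required"


def written_assessment(risks) -> list:
    """Produce the written record: one entry per identified risk."""
    records = []
    for r in risks:
        decision, rationale = decide(r)
        records.append({
            "risk": r.name,
            "category": categorize(r),
            "affects": sorted(r.affects),
            "existing_control": r.existing_control,
            "decision": decision.value,
            "rationale": rationale,
        })
    return records


# Constructed sample risks (illustrative values, not real estimates).
SAMPLE_RISKS = [
    Risk("Unencrypted laptop holding loan applications", 3, 5,
         frozenset({"confidentiality"}), "none", False, 4_000, 60_000),
    Risk("Server theft from server room", 2, 4,
         frozenset({"confidentiality", "availability"}),
         "locked room with alarm and access log", True, 0, 0),
    Risk("Printer hard drive retaining scanned consumer reports", 2, 2,
         frozenset({"confidentiality"}), "none", False, 50_000, 800),
    Risk("Misdelivered paper statement", 2, 1,
         frozenset({"confidentiality"}), "none", False, 5_000, 100),
    Risk("One-hour power outage at a branch", 1, 2,
         frozenset({"availability"}), "none", False, 20_000, 300),
]

if __name__ == "__main__":
    for entry in written_assessment(SAMPLE_RISKS):
        print(f"[{entry['category']:6s}] {entry['risk']}: {entry['decision']} -- {entry['rationale']}")
```

    Each record keeps the rationale beside the decision, which is the 
practical answer to the concern that context is lost when an acceptance 
decision is reviewed after an incident; the written assessment itself 
should be protected like any other sensitive document, as discussed 
above.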

    Finally, while several commenters supported the idea of conducting 
``periodic'' risk assessments as required by the Proposed Rule,\131\ 
NADA objected it is unclear how often financial institutions need to 
conduct risk assessments under this section.\132\ In order to be 
effective, a risk assessment must be subject to periodic reevaluation 
to adapt to changes in both financial institutions' information systems 
and changes in threats to the security of those systems. The Commission 
declines, however, to set forth a specific schedule for risk 
assessments. The Commission believes it would not be appropriate to set 
forth an inflexible schedule for periodic risk assessments because each 
financial institution must set its own schedule based on the needs and 
resources of its institution.
---------------------------------------------------------------------------

    \131\ Inpher, Inc. (comment 50, NPRM), at 3; Global Privacy 
Alliance (comment 38, NPRM), at 11.
    \132\ National Automobile Dealers Association (comment 46, 
NPRM), at 20.
---------------------------------------------------------------------------

    The Final Rule adopts Sec.  314.4(b) as proposed.
Paragraph (c)
    Proposed paragraph (c) retained the existing Rule's requirement for 
financial institutions to design and implement safeguards to control 
the risks identified in the risk assessment. In addition, it added more 
detailed requirements for what the safeguards must address (e.g., 
access controls, data inventory, disposal, change management, 
monitoring). These specific requirements represent elements of an 
information security program that the Commission views as essential and 
should be addressed by all financial institutions.\133\
---------------------------------------------------------------------------

    \133\ NADA disagreed with the Commission's statement in the NPRM 
for the Proposed Rule that ``most financial institutions already 
implement'' the specific requirements in paragraph (c), stating that 
many financial institutions ``do not currently implement some or all 
of these measures.'' National Automobile Dealers Association 
(comment 46, NPRM), at 20. The Commission continues to believe most 
financial institutions institute some form of most of these 
measures, such as access control, secure disposal, and monitoring 
authorized users, based on its enforcement and business outreach 
experience. While NADA's statement that some financial institutions 
implement none of the measures may be true, this underlines the 
necessity of making these elements explicit requirements under the 
Rule, as these elements are necessary for a reasonable information 
security program for all financial institutions. Indeed, a financial 
institution that utilizes none of these elements and exercises no 
access control, no secure disposal procedures, and does not monitor 
users of its systems is unlikely to be in compliance with the 
current Rule.
---------------------------------------------------------------------------

    As a preliminary matter, Global Privacy Alliance (GPA) argued all 
of these elements should be made optional and financial institutions 
should be required only to take these elements ``into consideration'' 
when designing their information security programs.\134\ While the 
Commission agrees it is important that the Rule allow financial 
institutions flexibility in designing their information security 
programs, these elements are such important parts of information 
security that each program must address them. For example, an 
information security program that has no access controls or does not 
contain any measures to monitor the activities of users on the systems 
cannot be said to be protecting the financial institution's systems. 
The Final Rule, therefore, continues to require each information 
security program to contain safeguards that address these elements, 
with modifications described below.
---------------------------------------------------------------------------

    \134\ Global Privacy Alliance (comment 38, NPRM), at 6.
---------------------------------------------------------------------------

Access Controls
    Proposed paragraph (c)(1) required financial institutions to 
``place access controls on information systems, including controls to 
authenticate and permit access only to authorized individuals to 
protect against the unauthorized acquisition of customer information 
and to periodically review such access controls.''
    Commenters suggested a number of modifications to this provision. 
First, GPA argued this provision should require controls on access to 
information, rather than on information systems.\135\ Second, several 
commenters suggested adding further safeguards to the ``access 
control'' requirement. For example, the Princeton Center argued the 
Rule should adopt the ``Principle of Least Privilege,'' a principle 
that no user should have access greater than is necessary for 
legitimate business purposes.\136\ Reynolds and Reynolds Company 
(Reynolds) suggested the Rule clarify that financial institutions must 
``vet, control, and monitor user access to sensitive information.'' 
\137\ Consumer Reports argued paragraph (c)(1) should be amended to 
control access not just to authorized users, but to further limit 
access to when such access is reasonably necessary.\138\ ACE argued 
that any requirement for physical access control allow financial 
institutions to determine which locations should have restricted 
access, rather than limiting physical access to every building and 
office within, say, a college campus.\139\ Finally, some commenters 
argued the proposed language was too vague,\140\ particularly as it 
applied to vendor-supplied services.\141\
---------------------------------------------------------------------------

    \135\ Global Privacy Alliance (comment 38, NPRM), at 9-10.
    \136\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 4-5.
    \137\ Reynolds and Reynolds Company (comment 7, Workshop), at 7.
    \138\ Consumer Reports (comment 52, NPRM), at 7.
    \139\ American Council on Education (comment 24, NPRM), at 10.
    \140\ National Automobile Dealers Association (comment 46, 
NPRM), at 23; National Independent Automobile Dealers Association 
(comment 48, NPRM), at 5; American Council on Education (comment 24, 
NPRM), at 10.
    \141\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 5; American Council on Education (comment 24, 
NPRM), at 10.
---------------------------------------------------------------------------

    In response to the comments, the Commission makes a number of 
changes to this provision in the Final Rule. First, the Commission 
clarifies that the Rule requires access controls, not just for 
information systems, but for all customer information, whether it is 
housed in information systems or in physical locations. To streamline 
the Rule, the Final Rule combines the separate physical access controls 
requirement found in proposed paragraph (c)(3) with this paragraph. 
Physical access controls will generally be most important in situations 
in which sensitive customer information is kept in physical form (such 
as hard-copy loan applications, or printed consumer reports). It may 
also require physical restrictions to access machines that contain 
customer information (e.g., locked doors and/or key card access to a 
computer lab).\142\ The Commission declines to make any changes in 
response to ACE's concern that every physical location will need to be 
protected--as the Rule states, physical controls must be implemented to 
protect against unauthorized access to customer information. Where no 
customer 
information exists, the Rule would not require physical controls.
---------------------------------------------------------------------------

    \142\ NIADA suggested instituting physical access controls would 
cost a dealership $215,000 because each computer would need to have 
its own lockable cubicle and there would need to be lockable offices 
for all desks. See Remarks of Lee Waters, Safeguards Workshop Tr., 
supra note 17, at 76. As originally promulgated, the Rule already 
requires financial institutions implement ``physical safeguards that 
are appropriate to your size and complexity.'' 16 CFR 314.3. The 
Final Rule's requirement is consistent with that longstanding 
requirement. If computers have technical safeguards preventing 
unauthorized users from accessing customer information, they usually 
will not need to be in a lockable area, particularly if they are not 
generally left unattended and are not likely to be stolen. 
Similarly, desks would need to be in lockable offices only if they 
contain accessible paper records. A lockable file cabinet may be a 
more economical solution.
---------------------------------------------------------------------------

    Second, the Commission agrees with the commenters who advocated 
that the Rule implement the principle of least privilege. The 
Commission does not believe it is appropriate, for example, for larger 
companies to give all

[[Page 70286]]

employees and service providers access to all customer information. 
Such overbroad access could create additional harm in the event of an 
intruder gaining access to a system by impersonating an employee or 
service provider. Accordingly, the Commission clarifies this in the 
Final Rule by adding a requirement that not only must a financial 
institution implement access controls, but it should also restrict 
access only to customer information needed to perform a specific 
function.
    As to the suggestion the Commission impose monitoring requirements 
for access, that requirement exists in paragraph (c)(8). And as to the 
suggestion the requirement is too vague as to service providers, the 
Commission believes the Final Rule is clear: When a vendor accesses the 
financial institution's data or information systems, the financial 
institution must ensure appropriate access controls are in place. 
Separately, under paragraph (f), the financial institution must 
reasonably oversee the vendor's safeguards, which would necessarily 
include access controls for the vendor's system.
    Finally, as to the suggestion the provision is vague generally, as 
discussed above, the Final Rule seeks to preserve flexibility in its 
provisions, both so that financial institutions can design programs 
appropriate for their systems and so that changes in technology or 
security practices will not render the Rule obsolete. The Commission 
believes maintaining less prescriptive requirements is the best way to 
achieve the goal of flexibility and protecting customer 
information.\143\
---------------------------------------------------------------------------

    \143\ NPA expressed concern about the effect of the Rule on 
pawnbrokers who the commenter stated are required by law to allow 
law enforcement access to their physical records. National 
Pawnbrokers Association (comment 32, NPRM), at 7. Nothing in the 
Rule conflicts with any such requirements. Law enforcement 
appropriately accessing customer information under a law that 
requires that access would be considered authorized use under those 
circumstances.
---------------------------------------------------------------------------

    Accordingly, the Commission combines paragraphs (c)(1) and (3) from 
the Proposed Rule into revised paragraph (c)(1) of the Final Rule, 
which requires implementing and periodically reviewing access controls 
on customer information, including technical and, as appropriate, 
physical controls to (1) authenticate and permit access only to 
authorized users to protect against the unauthorized acquisition of 
customer information and (2) limit authorized users' access only to 
customer information that they need to perform their duties and 
functions, or, in the case of customers, to access their own 
information.\144\
---------------------------------------------------------------------------

    \144\ As noted above, the Commission is also changing the term 
``authorized individuals'' to ``authorized users.''
---------------------------------------------------------------------------
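    The two prongs of revised paragraph (c)(1), authentication of 
authorized users and limiting each user to the customer information 
needed for his or her duties (or, for a customer, to the customer's own 
information), can be expressed as a single authorization decision. The 
following is an added illustration, not code or text from the Rule or the 
Commission; the roles, record kinds and the duty-to-data table are 
assumptions made for illustration. It also includes a periodic-review 
check that compares access actually granted against that table, since 
paragraph (c)(1) requires such access controls to be periodically 
reviewed.

```python
from dataclasses import dataclass

# Added example, not from the Rule: a least-privilege authorization decision.
# Roles, record kinds and NEED_TO_KNOW are assumptions for illustration.


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # assumed roles: loan_officer, collections, it_admin, customer
    authenticated: bool  # outcome of the authentication step, taken as given here


@dataclass(frozen=True)
class Record:
    record_id: str
    customer_id: str     # the customer the information is about
    kind: str            # assumed kinds: loan_application, payment_history, ssn


# Duty-to-data table (assumed): the customer information each duty requires.
NEED_TO_KNOW = {
    "loan_officer": {"loan_application", "payment_history", "ssn"},
    "collections":  {"payment_history"},
    "it_admin":     set(),   # administers systems; no duty requires customer data
}


def authorize(user: User, record: Record) -> tuple:
    """Prong (1): only authenticated, authorized users get in.
    Prong (2): only the information the user's duties need, or, for a
    customer, only that customer's own information."""
    if not user.authenticated:
        return False, "deny: not authenticated"
    if user.role == "customer":
        if record.customer_id == user.user_id:
            return True, "allow: customer accessing own information"
        return False, "deny: customers may access only their own information"
    needed = NEED_TO_KNOW.get(user.role)
    if needed is None:
        return False, f"deny: role {user.role!r} is not an authorized user"
    if record.kind not in needed:
        return False, f"deny: {record.kind!r} is not needed for {user.role!r} duties"
    return True, f"allow: {record.kind!r} is within {user.role!r} duties"


def review_grants(grants: dict) -> list:
    """Periodic review: compare the access a system actually grants to each
    role against NEED_TO_KNOW and report every grant that exceeds the duty."""
    findings = []
    for role, granted in sorted(grants.items()):
        needed = NEED_TO_KNOW.get(role, set())
        for kind in sorted(set(granted) - needed):
            findings.append((role, kind))
    return findings


if __name__ == "__main__":
    rec = Record("r-1", "cust-42", "ssn")
    for u in (User("lo-1", "loan_officer", True),
              User("col-1", "collections", True),
              User("cust-42", "customer", True),
              User("cust-99", "customer", True),
              User("lo-2", "loan_officer", False)):
        print(u.user_id, authorize(u, rec))
    # Constructed snapshot of grants as currently configured in a system.
    print(review_grants({"collections": {"payment_history", "ssn"},
                         "it_admin": {"loan_application"}}))
```

    The review function is the part that ages well: roles and duties 
change, and grants that were once justified drift into the overbroad 
access the Commission describes, so the comparison against the duty 
table is what a periodic review should actually run.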

System Inventory
    In the NPRM, the Commission proposed to require the financial 
institution to ``[i]dentify and manage the data, personnel, devices, 
systems, and facilities that enable [the financial institution] to 
achieve business purposes in accordance with their relative importance 
to business objectives and [the financial institution's] risk 
strategy.'' \145\ This requirement was designed to ensure the financial 
institution inventoried the data in its possession, inventoried the 
systems on which that data is collected, stored, or transmitted, and 
had a full understanding of the relevant portions of its information 
systems and their relative importance.\146\ The Commission retains this 
provision in the Final Rule without modification.
---------------------------------------------------------------------------

    \145\ Proposed 16 CFR 314.4(c)(2).
    \146\ See, e.g., Complaint at 11, FTC v. Wyndham Worldwide 
Corp., No. CV 2:12-cv-01365-SPL (D. Ariz. June 26, 2012) (alleging 
company failed to provide reasonable security by, among other 
things, failing to inventory computers connected to its network).
---------------------------------------------------------------------------

    Commenters raised two general objections to this provision. First, 
some commenters argued it was too vague and that it was not clear how 
such an inventory should be conducted or what systems should be 
included.\147\ The Commission believes the language provides effective 
guidance while still allowing a variety of approaches by financial 
institutions in identifying systems involved in their businesses. This 
provision requires a financial institution to identify all ``data, 
personnel, devices, systems, and facilities'' that are a part of its 
business and to determine their importance to the financial 
institution. This inventory of systems must include all systems that 
are a part of the business so the financial institution can locate all 
customer information it controls, the systems connected to that 
information, and how they are connected. This inventory forms the basis 
of an information security program because a system cannot be protected 
if the financial institution does not understand its structure or know 
what data is stored in its systems.
---------------------------------------------------------------------------

    \147\ National Automobile Dealers Association (comment 46, 
NPRM), at 23-24; American Financial Services Association (comment 
41, NPRM), at 5; American Council on Education (comment 24, NPRM), 
at 10.
---------------------------------------------------------------------------

    Second, ACE suggested the scope of this provision should be limited 
to systems ``directly related to the privacy and security of `customer 
information.' '' \148\ The Commission declines to make this change 
because the purpose of this provision is to allow financial 
institutions to obtain a clear picture of their systems and to identify 
where customer information is kept and how it can be accessed. An 
inventory must examine all systems in order to identify all systems 
that contain customer information or are connected to systems that do. 
If a financial institution does not first examine all systems and 
instead limits the inventory to systems it considers to be directly 
related to security, it could give an incomplete picture of the 
financial institution's systems and could result in some customer 
information or ways to connect to that information being 
overlooked.\149\
---------------------------------------------------------------------------

    \148\ American Council on Education (comment 24, NPRM), at 10.
    \149\ Another commenter criticized proposed paragraph (c)(2) 
because some financial institutions ``have no control'' over which 
networks they transmit customer information. National Pawnbrokers 
Association (comment 32, NPRM), at 7. Paragraph (c)(2) does not 
require a financial institution to identify all networks over which it 
may transmit customer information. See also, infra, this document's 
discussion of NPA's comments on Sec. 314.4(f) of the Final Rule, 
noting financial institutions are generally not required to oversee 
other entities' service providers over which they have no control.
---------------------------------------------------------------------------

    The Commission adopts paragraph (c)(2) of the Proposed Rule as 
final, without modifications.
Access to Physical Location
    Proposed paragraph (c)(3) would have required that financial 
institutions restrict access to physical locations containing customer 
information only to authorized individuals. The Final Rule combines 
this section with proposed paragraph (c)(1) in order to eliminate 
redundancy and clarify that access controls must consider both 
electronic and physical access.
Encryption
    Proposed paragraph (c)(4) required financial institutions to 
encrypt all customer information, both in transit over external 
networks and at rest. The Proposed Rule allowed financial institutions 
to use alternative means to protect customer information, subject to 
review and approval by the financial institution's Qualified 
Individual.
    Several commenters supported the inclusion of an encryption 
requirement.\150\ In fact, some suggested

[[Page 70287]]

the Proposed Rule did not go far enough in requiring encryption. Inpher 
suggested the Rule should require encryption of customer information 
when in use, in addition to when in transit or at rest.\151\ The 
Princeton Center suggested requiring encryption of data while in 
transit over internal networks, in addition to requiring it for 
external networks, noting the blurring of the distinction between 
internal and external networks.\152\
---------------------------------------------------------------------------

    \150\ Inpher, Inc. (comment 50, NPRM), at 4; Princeton 
University Center for Information Technology Policy (comment 54, 
NPRM), at 3; Electronic Privacy Information Center (comment 55, 
NPRM), at 8; National Consumer Law Center and others (comment 58, 
NPRM), at 3.
    \151\ Inpher, Inc. (comment 50, NPRM), at 4.
    \152\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 3.
---------------------------------------------------------------------------

    In contrast, others argued encryption could be too expensive and 
technically challenging for some financial institutions and should not 
be required in all cases.\153\ Indeed, GPA argued the Rule should not 
require encryption at all, financial institutions should be free to 
adopt other protective measures for customer information, and the Rule 
should allow financial institutions to ``determine the controls that 
are most appropriate for protecting the sensitive information that they 
handle.'' \154\ Similarly, some commenters argued financial 
institutions should be required to encrypt customer information only 
when the risk to the customer information justifies it.\155\ Others 
suggested encryption in more limited circumstances, such as on systems 
``to which unauthorized individuals may have access,'' \156\ for 
sensitive data,\157\ or for data in transit.\158\ The Mortgage Bankers 
Association argued encryption at rest is unnecessary because customer 
information at rest in a financial institution's system is sufficiently 
protected by controlling access to the system.\159\ Two commenters 
stated guidelines issued by the Federal Financial Institutions 
Examination Council (FFIEC) do not require most banks to encrypt data 
at rest, unless the institution's risk assessment indicates such 
encryption is necessary.\160\
---------------------------------------------------------------------------

    \153\ National Pawnbrokers Association (comment 32, NPRM), at 3; 
U.S. Chamber of Commerce (comment 33, NPRM), at 11; CTIA (comment 
34, NPRM), at 10; Wisconsin Bankers Association (comment 37, NPRM), 
at 2.
    \154\ Global Privacy Alliance (comment 38, NPRM), at 7-8.
    \155\ Bank Policy Institute (comment 39, NPRM), at 14; Mortgage 
Bankers Association (comment 26, NPRM), at 6; Global Privacy 
Alliance (comment 38, NPRM), at 7-8.
    \156\ Bank Policy Institute (comment 39, NPRM), at 14.
    \157\ U.S. Chamber of Commerce (comment 33, NPRM), at 11; 
American Financial Services Association (comment 41, NPRM), at 5; 
ACA International (comment 45, NPRM), at 13; CTIA (comment 34, 
NPRM), at 10.
    \158\ Mortgage Bankers Association (comment 26, NPRM), at 6; 
Wisconsin Bankers Association (comment 37, NPRM), at 2; American 
Financial Services Association (comment 41, NPRM), at 5; Ken 
Shaurette (comment 19, NPRM), (suggesting the Commission consider 
whether ``databases, applications and operating systems are prepared 
to fully support full encryption without significant performance 
impact or ability to continue to function.''); National Automobile 
Dealers Association (comment 46, NPRM), at 25-26 (arguing the terms 
``at rest'' and ``in transit'' are unclear).
    \159\ Mortgage Bankers Association (comment 26, NPRM), at 6.
    \160\ Wisconsin Bankers Association (comment 37, NPRM), at 2 
(discussing FFIEC Information Technology Booklet); American 
Financial Services Association (comment 41, NPRM), at 5 (discussing 
FFIEC Cybersecurity Assessment Tool).
---------------------------------------------------------------------------

    The Commission declines to modify the encryption requirement from 
the Proposed Rule. As to the comments that suggest the requirement 
should be relaxed, the Commission notes there are numerous free or low 
cost encryption solutions available to financial institutions, 
particularly for data in transit,\161\ that make encryption a feasible 
solution in most situations. For data at rest, encryption is now 
cheaper, more flexible, and easier than ever before.\162\ In many 
cases, widely used software and hardware have built-in encryption 
capabilities.\163\
---------------------------------------------------------------------------

    \161\ See Remarks of Matthew Green, Safeguards Workshop Tr., 
supra note 17, at 225 (noting website usage of encryption is above 
80 percent; ``Let's Encrypt'' provides free TLS certificates; and 
costs have gone down to the point that if a financial institution is 
not using TLS encryption for data in motion, it is making an unusual 
decision outside the norm); Remarks of Rocio Baeza, Safeguards 
Workshop Tr., supra note 17, at 106 (``[T]he encryption of data in 
transit has been standard. There's no pushback with that.''); see 
also National Pawnbrokers Association (comment 3, Workshop), at 2 
(``[I]n states that allow us to use technology for the receipt of 
information from consumer customers and software to print our pawn 
tickets and store information, we believe our members have access 
through their software providers to protections that comply with the 
Safeguards Rule.'').
    \162\ See Remarks of Wendy Nather, Safeguards Workshop Tr., 
supra note 17, at 267 (``we have a lot more options, a lot more 
technologies today than we did before that are making both of these 
solutions, both encryption and MFA, easier to use, more flexible, in 
some cases cheaper, and we should be encouraging their adoption 
wherever possible.''); Remarks of Matthew Green, Safeguards Workshop 
Tr., supra note 17, at 265-66 (``I think that we're in a great time 
when we've reached the point where we can actually mandate that 
encryption be used. I mean, years ago--I've been in this field for 
15, you know, 20 years now, I guess. And, you know, encryption used 
to be this exotic thing that was very, very difficult to use, very 
expensive and not really feasible for securing information security 
systems. And we've reached the point where now it is something 
that's come to be and we can actually build well. So I'm really 
happy about that.'').
    \163\ See Remarks of Randy Marchany, Safeguards Workshop Tr., 
supra note 17, at 229-30 (noting encryption is already built into 
the Microsoft Office environment and a number of Microsoft products, 
such as Spreadsheets, Excel, Docs, and PowerPoint, support that 
encryption feature). Other applications that have encryption built 
in include database applications; app platforms iOS and Android; and 
development frameworks for web applications on banking sites.
---------------------------------------------------------------------------

    In response to the argument that the Rule should not require 
encryption at rest because FFIEC guidelines do not require it, the 
Commission notes the Safeguards Rule is very different from the 
guidelines issued by the FFIEC. The depository financial institutions 
regulated by the banking agencies are subject to regular examinations 
by their regulator. The guidelines created by the FFIEC are designed to 
be used by the examiner, as part of those examinations, to evaluate the 
security of the financial institution; the examiner thus has a direct 
role in regularly verifying the financial institution has taken 
appropriate steps to protect its customer information. In contrast, the 
Safeguards Rule regulates covered financial institutions directly and 
must be usable by those entities to determine appropriate information 
security without any interaction between the financial institution and 
the Commission. The Commission does not have the ability to examine 
each financial institution and work with that institution to ensure 
its information security is appropriate. Therefore, a requirement 
that institutions encrypt information by default is appropriate for the 
Safeguards Rule, as the Commission believes encryption of customer 
information at rest is appropriate in most cases.
    Finally, while some commenters suggested eliminating the encryption 
requirement for certain types of data (e.g., non-sensitive) or certain 
categories of data (e.g., data at rest), the Commission notes, as 
discussed in more detail above, the fact that an individual is a 
customer of a financial institution alone may be sensitive. In any 
event, the Rule provides financial institutions with flexibility to 
adopt alternatives to encryption with the approval of the Qualified 
Individual.
    Similarly, the Commission declines to extend the encryption 
requirement to data in use or to data transmitted over internal 
networks, as some commenters suggested. The Commission does not believe 
the technology that would encrypt data while in use (as opposed to in 
transit or at rest) has been adopted widely enough at this time to 
justify mandating its use by all financial institutions under the FTC's 
jurisdiction. As to encryption of data transmitted over internal 
networks, the Commission acknowledges, due to changes in network design 
and the growth of cloud and mobile computing, the distinction between 
internal and external networks is less clear than it once was. However, 
the Commission believes requiring all financial institutions to encrypt 
all communications over internal networks would be unduly burdensome at 
this

[[Page 70288]]

time. There remain significant costs and technical hurdles to 
encrypting transmissions on internal networks that would not be 
reasonable to impose on all financial institutions, especially smaller 
institutions with simpler systems that might realize less benefit from 
this approach. While the Commission encourages financial institutions 
to consider whether it would be appropriate for them to encrypt the 
transmission of customer information over internal networks, it 
declines to require this for all financial institutions.\164\
---------------------------------------------------------------------------

    \164\ The Commission believes transmissions of customer 
information to remote users or to cloud service providers should be 
treated as external transmissions, as those transmissions are sent 
out of the financial institution's systems.
---------------------------------------------------------------------------

    Commenters pointed to three additional concerns about encryption, 
none of which the Commission finds persuasive. First, the Bank Policy 
Institute commented the encryption requirement would in fact weaken 
security by blocking surveillance of the information by the financial 
institution and requiring the ``broad distribution'' of encryption 
keys.\165\ The Commission does not believe an encryption requirement 
would weaken security. Encryption is almost universally recommended by 
security experts and included in most security standards.\166\ Further, 
new tools have been developed to address the issue the Bank Policy 
Institute has raised. Many financial institutions have monitoring tools 
on the edge of their networks to monitor data leaving the network. It 
used to be the case these network monitoring tools could not see the 
content of encrypted data as it left the corporate network and was 
transmitted to the internet. However, there are now tools available 
that can see the data as it departs the network, even if the data is 
encrypted.\167\ Any marginal security costs of encryption are far 
outweighed by the benefits of rendering customer information 
unreadable.
---------------------------------------------------------------------------

    \165\ Bank Policy Institute (comment 39, NPRM), at 13-14.
    \166\ See, e.g., Payment Card Industry (PCI) Data Security 
Standard Requirements and Security Assessment Procedures Version 
3.2.1, PCI Security Standards Council (May 2018), https://www.pcisecuritystandards.org/document_library (last accessed 30 Nov. 
2020) (Requirement 4 encrypt transmission of cardholder data across 
open, public networks).
    \167\ See, e.g., Encrypted Traffic Management, Broadcom Inc., 
https://www.broadcom.com/products/cyber-security/network/encrypted-traffic-management (last accessed 30 Nov. 2020); SSL Visibility, F5, 
Inc., https://www.f5.com/solutions/application-security/ssl-visibility (last accessed 30 Nov. 2020).
---------------------------------------------------------------------------

    Second, some commenters argued financial institutions should be 
able to implement alternatives to encryption without obtaining approval 
from the Qualified Individual.\168\ The New York Insurance Association 
expressed concern financial institutions might feel they need to 
encrypt all customer information because of the risk that the 
alternative controls approved by the Qualified Individual would be 
``second guessed'' in the event unencrypted data is compromised.\169\ 
The Commission, however, believes this concern is a core element of 
information security based on risk assessment. Every aspect of an 
information security program is based on the judgment of the financial 
institution and its staff. The Qualified Individual's decision 
concerning alternate controls, like other decisions by the financial 
institution and its staff, will be subject to review in any enforcement 
action to determine whether the decision was appropriate. If the 
Qualified Individual is not required to make a formal decision, it is 
much more likely a decision not to encrypt information will be made 
even if there is no compensating control, or even made without the 
Qualified Individual's knowledge.
---------------------------------------------------------------------------

    \168\ Bank Policy Institute (comment 39, NPRM), at 14; New York 
Insurance Association (comment 31, NPRM), at 1.
    \169\ New York Insurance Association (comment 31, NPRM), at 1.
---------------------------------------------------------------------------

    Third, the National Pawnbrokers Association (``NPA'') expressed 
concern that if pawnbrokers are required to encrypt customer 
information they may fall out of compliance with state and local 
regulations concerning transaction reporting.\170\ NPA stated 
pawnbrokers are often required by state or local law to report every 
pawn transaction, along with nonpublic personally identifiable consumer 
information, to law enforcement, and the agencies that receive this 
information ``prefer to take this information electronically and in 
unencrypted forms.'' \171\ The Commission believes if transmitting the 
information in unencrypted form is a preference of the agencies and not 
a requirement, then pawnbrokers can comply with both the Safeguards 
Rule and these laws by encrypting any transmissions that include 
customer information. If there are cases where a required transmission 
of customer information cannot be encrypted for technical reasons, then 
the pawnbroker's Qualified Individual will need to work with the law 
enforcement agency to implement alternative compensating controls to 
ensure the customer information remains secure during these 
transmissions.\172\
---------------------------------------------------------------------------

    \170\ National Pawnbrokers Association (comment 3, Workshop), at 
2-3.
    \171\ Id. at 2.
    \172\ NADA suggested it is not clear how the encryption 
requirement will apply to customer information held on a service 
provider's system or on the systems of the subcontractors of the 
service provider. National Automobile Dealers Association (comment 
46, NPRM), at 21-22. The Commission believes the Final Rule lays out 
a financial institution's obligations in this situation: It requires 
customer information be encrypted unless infeasible. Section 
314.4(e), in turn, requires financial institutions to require 
service providers to implement and maintain appropriate safeguards 
by contract and to periodically assess the continued adequacy of 
those measures. A financial institution that uses a service provider 
to store and process customer information must require that service 
provider to encrypt that information and periodically determine 
whether it continues to do so. If it is infeasible for the service 
provider to meet these requirements then the financial institution's 
Qualified Individual must work with the service provider to develop 
compensating controls or cease doing business with the service 
provider.
---------------------------------------------------------------------------

    The Final Rule adopts this paragraph as paragraph (c)(3) without 
revision.
Secure Development Practices
    Proposed paragraph (c)(5) required financial institutions to 
``[a]dopt secure development practices for in-house developed 
applications utilized'' for ``transmitting, accessing, or storing 
customer information.'' In this paragraph, the Commission proposed 
requiring financial institutions to address the security of software 
they develop to handle customer information, as distinct from the 
security of their networks that contain customer information.\173\ In 
addition, the Proposed Rule required ``procedures for evaluating, 
assessing, or testing the security of externally developed applications 
[financial institutions] utilize to transmit, access, or store customer 
information.'' This provision required financial institutions to take 
steps to verify that applications they use to handle customer 
information are secure.\174\
---------------------------------------------------------------------------

    \173\ See, e.g., Complaint, FTC v. D-Link Systems, Inc., No. 
3:17-CV-00039-JD (N.D. Cal. March 20, 2017) (alleging company failed 
to provide reasonable security when it failed to adequately test the 
software on its devices).
    \174\ See, e.g., Complaint, Lenovo, FTC No. 152-3134 (January 2, 
2018) (alleging company failed to provide reasonable security by 
failing to properly assess and address security risks caused by 
third-party software).
---------------------------------------------------------------------------

    Some commenters argued evaluating the security of externally 
developed software would be too expensive or impractical for some 
financial institutions,\175\ while others raised different concerns. 
The American Council on Education suggested that, in cases in which a 
financial institution cannot obtain access to a software provider's 
code or technical

[[Page 70289]]

infrastructure, evaluating the security of its software is 
infeasible.\176\ NADA further suggested that, in order to evaluate the 
security of software, financial institutions would need to hire an 
expensive IT professional.\177\
---------------------------------------------------------------------------

    \175\ American Council on Education (comment 24, NPRM), at 11; 
National Automobile Dealers Association (comment 46, NPRM), at 26-
27.
    \176\ American Council on Education (comment 24, NPRM), at 11.
    \177\ National Automobile Dealers Association (comment 46, 
NPRM), at 26-27.
---------------------------------------------------------------------------

    The Commission does not agree with these assertions. Evaluating the 
security of software does not require access to the source code of that 
software or access to the provider's infrastructure. For example, a 
provider can supply the steps it took to ensure the software was 
secure, whether it uses encryption to transmit information, and the 
results of any testing it conducted. In addition, there are third party 
services that assess software. An institution can also set up automated 
searches regarding vulnerabilities, patches, and updates to software 
listed on the financial institution's inventory. The exact nature of 
the evaluation required will depend on the size of the financial 
institution and the amount and sensitivity of customer information 
associated with the software. If the software will be used to handle 
large amounts of extremely sensitive information, then a more thorough 
evaluation will be warranted. Likewise, the nature of the software used 
will also affect the evaluation. Software that has been thoroughly 
tested by third parties may need little more than a review of the test 
results, while software that has not been widely used and tested will 
require closer examination.
    The Commission adopts proposed paragraph (c)(5) as paragraph (c)(4) 
of the Final Rule.
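The paragraph above mentions automated searches for vulnerabilities, patches, and updates to software on the institution's inventory. The following is an added example, not part of the Federal Register text or any FTC guidance, of such a check run offline against a constructed inventory and constructed advisory records; the product names, version numbers and advisory identifiers are all made up for illustration, and exposures are ranked higher when the software handles customer information, reflecting the paragraph's point that sensitivity drives the depth of evaluation.

```python
"""Match a software inventory against vulnerability advisories.

Added illustration only: every product, version and advisory id below is
constructed and does not refer to any real software or real advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    A plain string comparison would put '2.9' after '2.14'; trailing
    zeros are dropped so that '2.14.0' and '2.14' compare equal.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Asset:
    asset_id: str            # constructed inventory identifier
    product: str
    version: str
    handles_customer_info: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # constructed placeholder, not a real CVE
    product: str
    affected_from: str       # first affected version (inclusive)
    fixed_in: str            # first fixed version (exclusive); "" if no fix
    severity: str            # critical | high | medium | low


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True when the installed version lies inside the advisory's range."""
    if asset.product.lower() != adv.product.lower():
        return False
    installed = parse_version(asset.version)
    if installed < parse_version(adv.affected_from):
        return False
    # An advisory with no published fix affects every later version.
    if adv.fixed_in and installed >= parse_version(adv.fixed_in):
        return False
    return True


def priority(asset: Asset, adv: Advisory) -> int:
    """Severity rank, doubled when the software handles customer information."""
    base = SEVERITY_RANK.get(adv.severity.lower(), 0)
    return base * 2 if asset.handles_customer_info else base


def find_exposures(inventory: List[Asset],
                   advisories: List[Advisory]) -> List[Dict[str, object]]:
    """Return one record per (asset, advisory) match, highest priority first."""
    hits: List[Dict[str, object]] = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                action = (f"upgrade to {adv.fixed_in}" if adv.fixed_in
                          else "no fix published; compensating controls required")
                hits.append({"asset_id": asset.asset_id,
                             "advisory_id": adv.advisory_id,
                             "priority": priority(asset, adv),
                             "action": action})
    hits.sort(key=lambda h: (-int(h["priority"]), str(h["asset_id"])))
    return hits


# Constructed sample inventory and advisory feed (not real products).
INVENTORY = [
    Asset("srv-loan-db", "ExampleDB", "12.3.1", True),
    Asset("ws-frontdesk", "ExampleDB", "12.4.0", True),   # already fixed
    Asset("srv-marketing", "ExampleCMS", "3.9", False),
    Asset("srv-webportal", "ExampleCMS", "3.10.2", True),
]
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleDB", "12.0", "12.4", "critical"),
    Advisory("EXAMPLE-ADV-0002", "ExampleCMS", "3.0", "3.10", "high"),
    Advisory("EXAMPLE-ADV-0003", "ExampleCMS", "3.10", "", "medium"),
]

if __name__ == "__main__":
    for hit in find_exposures(INVENTORY, ADVISORIES):
        print(f"{hit['priority']:>2}  {hit['asset_id']:<14} "
              f"{hit['advisory_id']:<18} {hit['action']}")
```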
Multi-Factor Authentication
    Proposed paragraph (c)(6) required financial institutions to 
``implement multi-factor authentication for any individual accessing 
customer information'' or ``internal networks that contain customer 
information.'' \178\ The Proposed Rule would have allowed financial 
institutions to adopt a method other than multi-factor authentication 
that offers reasonably equivalent or more secure access controls with 
the written permission of its Qualified Individual. In the Final Rule, 
the Commission retains the general requirements of proposed paragraph 
(c)(6) as paragraph (c)(5), with some modifications described below.
---------------------------------------------------------------------------

    \178\ Proposed 16 CFR 314.4(c)(6).
---------------------------------------------------------------------------

    Although several commenters expressed support for including a 
multi-factor authentication requirement in the Final Rule,\179\ others 
opposed such a requirement. For example, ACE argued a blanket 
requirement mandating multi-factor authentication for all institutions 
of all sizes and complexities is not the best solution.\180\ The 
National Independent Automobile Dealers Association (NIADA) commented 
the costs of multi-factor authentication would be too high for some 
financial institutions because it would need to be built into their 
information systems from scratch.\181\ NIADA also argued adopting 
multi-factor authentication would disrupt a financial institution's 
activities as employees had to ``jump through multiple hoops to log 
in.'' \182\ Cisco Systems, Inc. argued that while multi-factor 
authentication is an effective safeguard, it should not be specifically 
required by the Rule because, while it is currently good security 
practice, in the future multi-factor authentication may become 
outdated, and that allowing financial institutions to satisfy the Rule 
in this way could result in inadequate protection.\183\
---------------------------------------------------------------------------

    \179\ Justine Bykowski (comment 12, NPRM); Princeton University 
Center for Information Technology Policy (comment 54, NPRM), at 6-7; 
Electronic Privacy Information Center (comment 55, NPRM), at 8; 
National Consumer Law Center and others (comment 58, NPRM), at 2; 
see also Remarks of Wendy Nather, Safeguards Workshop Tr., supra 
note 17, at 240-41 (discussing the security poverty line).
    \180\ American Council on Education (comment 24, NPRM), at 11-
12.
    \181\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 6; see also Ken Shaurette (comment 19, NPRM) 
(questioning whether multi-factor authentication is appropriate for 
all financial institutions).
    \182\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 6.
    \183\ Cisco Systems, Inc. (comment 51, NPRM), at 2-4.
---------------------------------------------------------------------------

    Other commenters did not dispute the benefits of multi-factor 
authentication generally, but argued the Rule should limit the multi-
factor authentication requirement. Some of these commenters stated the 
Rule should only require multi-factor authentication when the financial 
institution's risk assessment justifies it.\184\ Others argued there 
should be a distinction between internal access and external access. 
For example, some commenters argued the Rule should not require multi-
factor authentication when a user accesses customer information from an 
internal network,\185\ because there are other controls on internal 
access that make multi-factor authentication unnecessary.\186\ Another 
commenter stated requiring multi-factor authentication when a customer 
accesses their information from an external network could create 
problems for some institutions.\187\ Finally, the Princeton Center 
argued the Rule should be amended to clarify that multi-factor 
authentication should be required for internal and external 
networks.\188\
---------------------------------------------------------------------------

    \184\ Bank Policy Institute (comment 39, NPRM), at 11-13; Global 
Privacy Alliance (comment 38, NPRM), at 8.
    \185\ Electronic Transactions Association (comment 27, NPRM), at 
3 n.1; U.S. Chamber of Commerce (comment 33, NPRM), at 11; CTIA 
(comment 34, NPRM), at 11; Global Privacy Alliance (comment 38, 
NPRM), at 8; Bank Policy Institute (comment 39, NPRM), at 12; 
National Automobile Dealers Association (comment 46, NPRM), at 28; 
National Independent Automobile Dealers Association (comment 48, 
NPRM), at 6; New York Insurance Association (comment 31, NPRM), at 
1.
    \186\ CTIA (comment 34, NPRM), at 11; Electronic Transactions 
Association (comment 27, NPRM), at 3 n.1; U.S. Chamber of Commerce 
(comment 33, NPRM), at 11.
    \187\ American Council on Education (comment 24, NPRM), at 11.
    \188\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 6-7; see also Remarks of Brian 
McManamon, Safeguards Workshop Tr., supra note 17, at 102 (stating 
his company TECH LOCK supports requiring multi-factor authentication 
for users connecting from internal networks).
---------------------------------------------------------------------------

    Finally, CTIA took issue with the proposed requirement that the 
Qualified Individual be permitted to approve ``reasonably equivalent or 
more secure'' controls if multi-factor authentication is not feasible, 
suggesting instead that Qualified Individuals be permitted to approve 
``effective alternative compensating controls.'' \189\
---------------------------------------------------------------------------

    \189\ CTIA (comment 34, NPRM), at 11-12; see also Electronic 
Transactions Association (comment 27, NPRM), at 3 (suggesting use of 
the term ``alternative compensating controls'').
---------------------------------------------------------------------------

    The Commission disagrees with the commenters who stated the Rule 
should not include a multi-factor authentication requirement. As to 
costs, many affordable multi-factor authentication solutions are 
available in the marketplace.\190\ Most financial institutions will be 
able to find a solution that is both affordable and workable for their 
organization. In the cases when that is not possible, the

[[Page 70290]]

Rule allows financial institutions to adopt reasonably equivalent 
controls.\191\
---------------------------------------------------------------------------

    \190\ See, e.g., Slides Accompanying Remarks of Brian McManamon, 
``MFA/2FA Pricing (Duo),'' in Safeguards Workshop Slides, supra note 
72, at 30 (setting forth prices for multi-factor/two-factor services 
from Duo, including free services for up to ten users); Remarks of 
Brian McManamon, Safeguards Workshop Tr., supra note 17, at 102-03; 
Slides Accompanying Remarks of Lee Waters, ``Estimated Costs of 
Proposed Changes,'' in Safeguards Workshop Slides, supra note 72, at 
26 (estimating costs of MFA to be $50 for smartcard or fingerprint 
readers, and $10 each per smartcard); Slides Accompanying Remarks of 
Wendy Nather, ``Authentication Methods by Industry,'' in Safeguards 
Workshop Slides, supra note 72, at 37 (chart showing the use of MFA 
solutions such as Duo Push, phone call, mobile passcode, SMS 
passcode, hardware token, Yubikey passcode, and U2F token in 
industries such as financial services and higher education); Remarks 
of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 233-34.
    \191\ See also Remarks of James Crifasi, Safeguards Workshop 
Tr., supra note 17, at 103-04 (noting even where legacy systems do 
not support multi-factor authentication, alternative measures can be 
used and ``it's things that can easily be done.'').
---------------------------------------------------------------------------

    As to the potential disruptions that requiring multi-factor 
authentication may cause, the Commission notes that many organizations, 
both financial institutions and otherwise, currently require employees 
to use multi-factor authentication without major disruption.\192\ Many 
multi-factor 
authentication systems are available that do not materially increase 
the time it takes to log into a system as compared to the use of only a 
password.\193\ In short, multi-factor authentication is an extremely 
effective way to prevent unauthorized access to a financial 
institution's information system,\194\ and its benefits generally 
outweigh any increased time it takes to log into a system. In those 
situations when the need for quick access outweighs the security 
benefits of multi-factor authentication, the Rule allows the use of 
reasonably equivalent controls.
---------------------------------------------------------------------------

    \192\ See, e.g., Remarks of Randy Marchany, Safeguards Workshop 
Tr., supra note 17, at 236-38 (describing how Virginia Tech 
implemented multi-factor authentication in 2016 for its more than 
156,000 users); Slides Accompanying Remarks of Wendy Nather, 
``Authentication Methods by Industry,'' in Safeguards Workshop 
Slides, supra note 72, at 37 (demonstrating the types of multi-factor 
authentication used by health care, financial services, higher 
education and the Federal Government); Remarks of Wendy Nather, 
Safeguards Workshop Tr., supra note 17, at 233-35.
    \193\ See Remarks of Wendy Nather, Safeguards Workshop Tr., 
supra note 17, at 234 (describing how a phone call to a landline is 
popular in some segments).
    \194\ See, e.g., Remarks of Matthew Green, Safeguards Workshop 
Tr., supra note 17, at 266 (explaining passwords are not enough of 
an authentication feature but when MFA is used and deployed, the 
defenders can win against attackers); id. at 239 (describing how 
because smart phones have modern secure hardware processors, 
biometric sensors and readers built in, increasingly consumers can 
get the security they need through the devices they already have by 
storing cryptographic authentication keys on the devices and then 
using the phone to activate them).
---------------------------------------------------------------------------

    Finally, although the Commission agrees the Rule should not lock 
financial institutions into using outmoded or obsolete technologies, 
the basic structure of using multiple factors to identify a user is 
unlikely to be rendered obsolete in the near future. The Rule's 
definition of multi-factor authentication addresses only this principle 
and does not require any particular technology or technique to achieve 
it. This should allow it to accommodate most changes in information 
security practices. In the event of an unforeseen change to the 
information security environment that would discount the value of 
multi-factor authentication, the Commission will adjust the Rule 
accordingly.\195\
---------------------------------------------------------------------------

    \195\ The Mortgage Bankers Association expressed concern the 
Proposed Rule would not allow the use of a single sign-on process, 
where a user is given access to multiple applications with the use 
of one set of credentials. Mortgage Bankers Association (comment 26, 
NPRM), at 7. The Commission does not view the Rule as preventing 
such a system, if the user has used multi-factor authentication to 
access the system and the system is designed to ensure any user of a 
given application has been subjected to multi-factor authentication.
---------------------------------------------------------------------------

    The Commission agrees with the commenter who stated multi-factor 
authentication is justified both when external users, such as 
customers, and internal users, such as employees, access an information 
system. Multi-factor authentication can prevent many attacks focused on 
using stolen passwords from both employees and customers to access 
customer information. Other common attacks on information systems, such 
as social engineering or brute force password attacks, target employee 
credentials and use those credentials to get access to an information 
system.\196\ These attacks can usually be stopped through the use of 
multi-factor authentication. Accordingly, the Final Rule requires 
multi-factor authentication whenever any individual--employee, customer 
or otherwise--accesses an information system. If a financial 
institution determines it is not the best solution for its information 
system, it may adopt reasonably equivalent controls with the approval 
of the Qualified Individual.
---------------------------------------------------------------------------

    \196\ See Remarks of Pablo Molina, Safeguards Workshop Tr., 
supra note 17, at 30 (mentioning ``phishing,'' or social 
engineering, as a common type of cybersecurity attack); Remarks of 
Lee Waters, Safeguards Workshop, supra note 17, at 91 (same); 
Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at 
179 (same); see also Cyber Div., Fed. Bureau of Investigation, 
Private Industry Notification No. 20200303-001, Cyber Criminals 
Conduct Business Email Compromise through Exploitation of Cloud-
Based Email Services, Costing U.S. Businesses Over Two Billion 
Dollars (March 2020), https://www.ic3.gov/media/news/2020/200707-4.pdf, 
at 1-2 (last accessed 1 Dec. 2020) (``Between January 2014 
and October 2019, the Internet Crime Complaint Center (IC3) received 
complaints totaling over $2.1 billion in actual losses from 
[Business Email Compromise (``BEC'')] scams targeting the largest 
[cloud-based email] platforms. Losses from BEC scams overall have 
increased every year since IC3 began tracking the scam in 2013 and 
have been reported in all 50 states and in 177 countries.'').
---------------------------------------------------------------------------
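The two preceding paragraphs describe what the Rule expects: every individual, employee or customer, passes multi-factor authentication before reaching an information system, and a single sign-on design (footnote 195) satisfies that only if the system guarantees that each application is reached through a session that completed MFA. The following is an added example, not code from the Federal Register text or from any commenter: a minimal single sign-on identity provider in which every application consults the provider, so a user reaches an application only through a session that completed a second factor. The second factor is assumed to be an RFC 6238 time-based one-time passcode (the "mobile passcode" method named in the workshop slides); the user names, secrets, application names and the `equivalent_control_apps` set are constructed, and the Qualified Individual's written approval is assumed to be recorded elsewhere.

```python
"""Added example (not part of the Federal Register text): a minimal single
sign-on identity provider in which every application consults the provider,
so a user reaches an application only through a session that completed a
second factor. The second factor is an RFC 6238 time-based one-time passcode
(the "mobile passcode" method named in the workshop slides). All user names,
secrets and application names are constructed for the example."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, now // step)


@dataclass
class Session:
    user: str
    mfa_verified: bool  # True only if the second factor succeeded at login


@dataclass
class IdentityProvider:
    """Hypothetical SSO provider: one login, many applications."""
    totp_secrets: dict = field(default_factory=dict)   # user -> shared secret
    last_counter: dict = field(default_factory=dict)   # user -> last accepted step
    sessions: dict = field(default_factory=dict)       # session id -> Session
    # Applications for which the Qualified Individual approved, in writing,
    # a reasonably equivalent control instead of MFA (approval is out of band).
    equivalent_control_apps: set = field(default_factory=set)
    step: int = 30   # TOTP time step in seconds
    skew: int = 1    # accept +/- this many steps of clock drift

    def enroll(self, user: str) -> bytes:
        """Generate and store a fresh 160-bit shared secret for the user."""
        self.totp_secrets[user] = secrets.token_bytes(20)
        return self.totp_secrets[user]

    def _verify_totp(self, user: str, code: str, now: int) -> Optional[int]:
        """Return the time step the code matched, or None. Each candidate is
        compared in constant time so the check does not leak partial matches."""
        base = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            if hmac.compare_digest(hotp(self.totp_secrets[user], base + delta), code):
                return base + delta
        return None

    def login(self, user: str, password_ok: bool, now: int,
              code: Optional[str] = None) -> Optional[str]:
        """Issue a session id. With a passcode, the session is MFA-verified;
        a passcode at or before the last accepted step is treated as a replay
        and rejected. Without a passcode the session is password-only."""
        if not password_ok:
            return None
        mfa = False
        if code is not None:
            if user not in self.totp_secrets:
                return None
            step = self._verify_totp(user, code, now)
            if step is None or step <= self.last_counter.get(user, -1):
                return None
            self.last_counter[user] = step
            mfa = True
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user, mfa)
        return sid

    def authorize(self, sid: str, app: str) -> bool:
        """Called by every application behind SSO: access is granted only to
        an MFA-verified session, or to an app with an approved equivalent."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        return session.mfa_verified or app in self.equivalent_control_apps


if __name__ == "__main__":
    idp = IdentityProvider()
    secret = idp.enroll("alice")          # constructed user
    now = 1_700_000_000                   # fixed clock for a reproducible demo
    sid = idp.login("alice", True, now, totp(secret, now))
    print("loan-servicing access:", idp.authorize(sid, "loan-servicing"))
    print("replayed passcode:", idp.login("alice", True, now, totp(secret, now)))
```

The design point is in `authorize`: applications never keep their own notion of who is logged in, they ask the provider, which is what makes a single sign-on arrangement satisfy the requirement rather than bypass it. The `hotp` routine reproduces the RFC 4226 test vectors, and the replay check is the detail most often left out of home-grown passcode verifiers.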

    The Commission recognizes the language of the Proposed Rule may 
have created some confusion by its use of the term ``internal 
networks'' to define the systems affected by the multi-factor 
authentication requirement, instead of the term ``information systems'' 
as used in other places in the Rule.\197\ In addition, the Commission 
agrees with commenters that argued separating the multi-factor 
authentication into two sentences created confusion.\198\ Accordingly, 
the Commission modifies paragraph (c)(5) of the Final Rule, which was 
proposed as paragraph (c)(6), to require financial institutions to 
``[i]mplement multi-factor authentication for any individual accessing 
any information system, unless your Qualified Individual has approved 
in writing the use of reasonably equivalent or more secure access 
controls.''
---------------------------------------------------------------------------

    \197\ Consumer Data Industry Association (comment 36, NPRM), at 
6-7; Cisco Systems, Inc. (comment 51, NPRM), at 3-4.
    \198\ Bank Policy Institute (comment 39, NPRM), at 11.
---------------------------------------------------------------------------

    Finally, the Commission declines to adopt CTIA's proposed 
alternative that would allow Qualified Individuals to approve 
``effective alternative compensating controls,'' even if they are not 
``reasonably equivalent or more secure'' than multi-factor 
authentication. Given the important role multi-factor authentication 
has in access control, any alternative measure should provide at least 
as much protection as multi-factor authentication.\199\
---------------------------------------------------------------------------

    \199\ NADA argued, for financial institutions that have 
appointed a third party to act as their information security 
coordinator, this provision would require the institution to turn 
over decisionmaking to someone ``with no stake in the business 
outcome.'' National Automobile Dealers Association (comment 46, 
NPRM), at 29-30. This concern misinterprets the role of the 
Qualified Individual. Whether the Qualified Individual is inside the 
company or at a third-party company, that individual will report to 
and be supervised by senior management of a financial institution 
(unless the Qualified Individual is the head of the financial 
institution). If a Qualified Individual recommends a safeguard that 
would not be practical for the business, the financial institution 
is not required to adopt this safeguard but can use an alternative 
adequate safeguard that will be functional. Indeed, when it comes to 
third parties, the Rule specifically requires that someone in the 
financial institution direct and oversee the third party.
---------------------------------------------------------------------------

Audit Trails
    Proposed paragraph (c)(7) required information security programs to 
include audit trails designed to detect and respond to security 
events.\200\ Audit trails are chronological logs that show who has 
accessed an information system and what activities the user engaged in 
during a given period.\201\
---------------------------------------------------------------------------

    \200\ Proposed 16 CFR 314.4(c)(7).
    \201\ See Information Technology Laboratory Computer Security 
Resource Center, Glossary, National Institute of Standards and 
Technology, https://csrc.nist.gov/glossary/term/audit-trail (last 
accessed Dec. 2, 2020).
---------------------------------------------------------------------------

[[Page 70291]]

    Some commenters supported this requirement.\202\ The Princeton 
Center noted audit trails are ``crucial to designing effective security 
measures that allow institutions to detect and respond to security 
incidents.'' \203\ It also stated audit trails ``help understand who has 
accessed the system and what activities the user has engaged in.'' \204\
---------------------------------------------------------------------------

    \202\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 8; Electronic Privacy Information 
Center (comment 55, NPRM), at 8.
    \203\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 8.
    \204\ Id.
---------------------------------------------------------------------------

    Other commenters argued this requirement imposed unclear 
obligations or would not improve security.\205\ For example, GPA 
commented the Proposed Rule conflated the use of logs to reconstruct 
past events and the active use of logs to monitor user activity.\206\ 
The American Financial Services Association argued adding logging 
capabilities to some legacy systems would be expensive and 
difficult.\207\ Another commenter argued the increased use of cloud 
storage would mean that financial institutions might not have access to 
any audit trails.\208\ In addition, NADA argued it did not believe 
maintenance of logs would increase security but would instead create 
records that could be sought by parties ``seeking to place blame'' for 
breaches.\209\
---------------------------------------------------------------------------

    \205\ National Automobile Dealers Association (comment 46, 
NPRM), at 30-31; National Independent Automobile Dealers Association 
(comment 48, NPRM), at 6; American Financial Services Association 
(comment 41, NPRM), at 6; Global Privacy Alliance (comment 38, 
NPRM), at 11.
    \206\ Global Privacy Alliance (comment 38, NPRM), at 11.
    \207\ American Financial Services Association (comment 41, 
NPRM), at 6.
    \208\ American Council of Education (comment 24, NPRM), at 12.
    \209\ National Automobile Dealers Association (comment 46, 
NPRM), at 30-31.
---------------------------------------------------------------------------

    The Commission believes logging user activity is a crucial 
component of information security because in the event of a security 
event it allows financial institutions to understand what was accessed 
and when. However, the term ``audit trails'' may have been unclear in 
this context. In order to clarify that logging user activity is a part 
of the user monitoring process, the Final Rule does not include 
paragraph (c)(7) of the Proposed Rule and instead modifies the user 
monitoring provision to include a requirement to log user 
activity.\210\ By putting the ``monitoring'' and ``logging'' 
requirements together, the Final Rule provides greater clarity on the 
comment raised by the GPA: Financial institutions are expected to use 
logging to ``monitor'' active users and reconstruct past events.
---------------------------------------------------------------------------

    \210\ See Final Rule, 16 CFR 314.4(c)(8).
---------------------------------------------------------------------------
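The Commission's resolution above is that one log serves two purposes: reconstructing past events (who accessed what, and when) and monitoring active users. The following is an added example, not code from the Federal Register text or from any commenter, that does both over the same records. The key=value log format, every log line, and the two detection thresholds are constructed for the example; the rules flag the two attack patterns the Commission mentions earlier in this discussion, repeated failed logins and unusually broad access to customer records by one account.

```python
"""Added example (not part of the Federal Register text): one log serving
both purposes the Commission names, reconstructing what a user did and
monitoring active users. The key=value log format and every line below are
constructed for the example; thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: a normal working day for "alice", then a burst of
# failed logins for "mallory" followed by a rapid sweep of customer records.
SAMPLE_LOG = [
    "2021-12-09T08:02:11Z user=alice action=login result=success src=10.1.2.3",
    "2021-12-09T08:05:40Z user=alice action=read object=customer/10023 result=success src=10.1.2.3",
    "2021-12-09T11:17:02Z user=alice action=update object=customer/10023 result=success src=10.1.2.3",
    "2021-12-09T12:00:00Z user=alice action=logout result=success src=10.1.2.3",
] + [
    f"2021-12-09T22:10:{sec:02d}Z user=mallory action=login result=failure src=203.0.113.9"
    for sec in range(0, 60, 10)          # six failures within one minute
] + [
    "2021-12-09T22:11:05Z user=mallory action=login result=success src=203.0.113.9",
] + [
    f"2021-12-09T22:{12 + i // 10}:{(i % 10) * 6:02d}Z user=mallory action=read "
    f"object=customer/{20000 + i} result=success src=203.0.113.9"
    for i in range(25)                   # 25 distinct records in about three minutes
]

FAILED_LOGIN_LIMIT = 5                   # hypothetical thresholds
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BULK_READ_LIMIT = 20
BULK_READ_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    stamp, *pairs = line.split()
    event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(lines) -> list:
    """Parse and order chronologically (an audit trail is a time-ordered log)."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])


def user_trail(events, user: str) -> list:
    """Reconstruct past events: who (user), what (action/object), when (ts)."""
    return [(e["ts"].isoformat(), e["action"], e.get("object", "-"), e["result"])
            for e in events if e["user"] == user]


def detect(events) -> list:
    """Monitor active users with two sliding-window rules over the same log:
    repeated failed logins (password guessing) and unusually broad access to
    customer records by one account. Each rule fires once per window."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins
    reads = defaultdict(list)      # user -> (timestamp, object) of customer reads
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            key = (e["user"], e["src"])
            recent = [t for t in failures[key] if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(e["ts"])
            failures[key] = recent
            if len(recent) == FAILED_LOGIN_LIMIT:
                alerts.append({"rule": "brute-force-login", "user": e["user"],
                               "src": e["src"], "ts": e["ts"]})
        elif e["action"] == "read" and e.get("object", "").startswith("customer/"):
            recent = [(t, o) for t, o in reads[e["user"]] if e["ts"] - t <= BULK_READ_WINDOW]
            recent.append((e["ts"], e["object"]))
            reads[e["user"]] = recent
            if len({o for _, o in recent}) == BULK_READ_LIMIT:
                alerts.append({"rule": "bulk-customer-access", "user": e["user"],
                               "src": e["src"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for row in user_trail(events, "alice"):
        print("alice trail:", row)
    for alert in detect(events):
        print("alert:", alert)
```

`user_trail` answers the "reconstruct past events" question after an incident; `detect` runs over the same events as they arrive and is the kind of automated monitoring the Commission refers to when it says no dedicated staff member is needed. Both depend on the log carrying the user, the object touched and the source address on every line, which is the practical content of the logging requirement.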

Disposal Procedures
    Proposed paragraph (c)(8) required financial institutions to 
develop procedures for the secure disposal of customer information that 
is no longer necessary for their business operations or other 
legitimate business purposes.\211\ The Proposed Rule allowed the 
retention of information when retaining the information is required by 
law or where targeted disposal is not feasible.
---------------------------------------------------------------------------

    \211\ Proposed 16 CFR 314.4(c)(8).
---------------------------------------------------------------------------

    Some commenters supported the inclusion of a disposal requirement 
as proposed or suggested that the disposal requirements should be 
strengthened.\212\ Consumer Reports argued financial institutions 
should be required to dispose of customer information when it is no 
longer needed for the business purpose for which it was gathered.\213\ 
The Princeton Center suggested the Rule require disposal after a set 
period unless the company can demonstrate a current need for the data 
and that financial institutions periodically review their data 
practices to minimize their data retention.\214\
---------------------------------------------------------------------------

    \212\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 8; Electronic Privacy Information 
Center (comment 55, NPRM), at 8; Consumer Reports (comment 52, 
NPRM), at 7.
    \213\ Consumer Reports (comment 52, NPRM), at 7-8.
    \214\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 8-9.
---------------------------------------------------------------------------

    Several other commenters opposed the disposal requirement as set 
forth in the Proposed Rule. Some argued the requirement to dispose of 
information goes beyond the Commission's authority under the GLB 
Act.\215\ NADA argued the GLB Act does not ``contain[ ] any authority 
to require financial institutions to delete any information'' and a 
requirement to have procedures to delete information for which a 
company has no legitimate business purpose would constitute a ``new 
privacy regime.'' \216\ The American Financial Services Association 
(AFSA) stated the requirement was too prescriptive and the Rule should 
allow financial institutions to retain information as long as that 
retention complies with the retention policy created by the financial 
institution.\217\ AFSA further argued the proposed requirement exceeds 
the Federal banking standards, pointing to the FFIEC Cybersecurity 
Assessment Tool, which sets disposal of records ``according to 
documented requirements and within expected time frames'' as a baseline 
requirement for access and data management.\218\
---------------------------------------------------------------------------

    \215\ National Automobile Dealers Association (comment 46, 
NPRM), at 31; National Independent Automobile Dealers Association 
(comment 48, NPRM), at 6.
    \216\ National Automobile Dealers Association (comment 46, 
NPRM), at 31-32.
    \217\ American Financial Services Association (comment 41, NPRM), 
at 6.
    \218\ Cybersecurity Assessment Tool, FFIEC, https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Cybersecurity_Maturity_June2.pdf at 37 (last 
visited December 3, 2020).
---------------------------------------------------------------------------

    Yet other commenters suggested modifying the requirement. NADA 
argued that if there was to be a disposal requirement, then it should 
be modeled after the Disposal Rule, which requires businesses to 
properly dispose of consumer reports, but does not have an explicit 
requirement to dispose of information on any particular schedule.\219\ 
ACE suggested modifying the Proposed Rule to require disposal of 
information only where there is no longer any ``legitimate purpose'' 
rather than any ``legitimate business purpose.'' \220\ It argued in 
some cases a financial institution may have legitimate purposes for 
retaining information that are not readily defined as ``business'' 
purposes, such as the retention of data by educational institutions for 
institutional research or student analytics.\221\
---------------------------------------------------------------------------

    \219\ National Automobile Dealers Association (comment 46, 
NPRM), at 32.
    \220\ American Council on Education (comment 24, NPRM), at 12.
    \221\ Id.
---------------------------------------------------------------------------

    The Commission believes requiring the disposal of customer 
information for which the financial institution has no legitimate 
business purpose is within the authority granted by the GLB Act to 
protect the security of customer information. The disposal of records, 
both physical and digital, can result in exposure of customer 
information if not performed properly.\222\ Similarly, if records are 
retained when they are no longer necessary, there is a risk those 
records will be subject to unauthorized access. The risk of 
unauthorized access may be reasonable where the retention of data 
provides some benefit. In situations where the information is no longer 
needed for a legitimate business purpose, though, the risk to the 
customer information becomes unreasonable because the retention is no 
longer benefiting the customer or financial institution. Disposing of 
unneeded customer information, therefore, is a vital part of protecting 
customer information and serves the purpose of the GLB Act.\223\
---------------------------------------------------------------------------

    \222\ See, e.g., Complaint, Rite Aid Corp., FTC No. 072-3121 
(November 22, 2010) (alleging company failed to provide reasonable 
data security when it failed to implement policies and procedures to 
dispose securely of personal information).
    \223\ As to the Princeton Center's suggestion financial 
institutions periodically review their disposal practices (Princeton 
University Center for Information Technology Policy (comment 54, 
NPRM), at 8-9), the Commission believes this requirement is already 
encompassed in the requirement contained in Sec. 314.4(g) to 
periodically review their safeguards overall.

---------------------------------------------------------------------------

[[Page 70292]]

    The Commission disagrees with commenters who suggested narrowing 
the disposal requirement or doing away with it altogether. As noted 
above, although no disposal requirement appears in FFIEC guidelines, 
those guidelines represent a different regulatory approach and are not 
an appropriate model for the Safeguards Rule.
    Finally, as to setting retention periods or narrowing the 
legitimate business purposes for which financial institutions may 
retain customer information, the Commission recognizes financial 
institutions need some flexibility. Whereas customers may want to, for 
example, access and transfer older data in some circumstances, in other 
circumstances, retaining such data would not be consistent with any 
legitimate business purpose. The Commission believes the Princeton 
Center's recommendation that companies be required to delete 
information after a set period unless the information is still needed 
for a legitimate business purpose properly balances the needs of 
financial institutions with the need to protect customer information. 
Thus, the Commission modifies proposed paragraph (c)(6) to require the 
deletion of customer information two years after the last time the 
information is used in connection with providing a product or service 
to the customer unless the information is required for a legitimate 
business purpose as paragraph (c)(6)(i) of the Final Rule. In addition, 
paragraph (c)(6)(ii) of the Final Rule requires financial institutions 
to periodically review their policies to minimize the unnecessary 
retention of information.
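The paragraph above fixes the schedule: customer information is deleted two years after it was last used to provide a product or service to the customer, unless a legitimate business purpose requires keeping it, and retention policies are reviewed periodically. The following is an added example, not code from the Federal Register text or from any commenter, that applies that schedule to an inventory of records and sorts each one into dispose, retain, or review (kept past the deadline for a documented purpose, so the periodic review can confirm the purpose still exists). The record ids, dates and retention reasons are constructed, and the "required by law" reason is a placeholder rather than a reference to any specific statute.

```python
"""Added example (not part of the Federal Register text): applying the
two-year disposal schedule to an inventory of customer records. Record ids,
dates and retention reasons are constructed; the "required by law" reason is
a placeholder, not a reference to any specific statute."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 2   # delete two years after the last use for the customer


@dataclass
class CustomerRecord:
    record_id: str
    last_used: date                         # last use in providing a product/service
    retention_reason: Optional[str] = None  # documented legitimate business purpose


def retention_deadline(last_used: date) -> date:
    """Date on which the record becomes disposable (Feb 29 rolls to Feb 28)."""
    try:
        return last_used.replace(year=last_used.year + RETENTION_YEARS)
    except ValueError:
        return last_used.replace(year=last_used.year + RETENTION_YEARS, day=28)


def classify(record: CustomerRecord, as_of: date) -> str:
    """'dispose' when past the deadline and no documented purpose remains;
    'review' when past the deadline but kept for a documented purpose, so the
    periodic review can confirm the purpose still exists; else 'retain'."""
    if as_of < retention_deadline(record.last_used):
        return "retain"
    return "review" if record.retention_reason else "dispose"


def disposal_plan(records, as_of: date) -> dict:
    """Group record ids by the action the schedule calls for on `as_of`."""
    plan = {"dispose": [], "review": [], "retain": []}
    for record in records:
        plan[classify(record, as_of)].append(record.record_id)
    return plan


# Constructed inventory for the example.
SAMPLE_RECORDS = [
    CustomerRecord("acct-1001", date(2019, 6, 1)),
    CustomerRecord("acct-1002", date(2021, 3, 1)),
    CustomerRecord("acct-1003", date(2018, 1, 15), "retention required by law (placeholder)"),
    CustomerRecord("acct-1004", date(2019, 12, 9)),     # deadline falls on as_of
    CustomerRecord("acct-1005", date(2020, 2, 29)),     # leap day
]

if __name__ == "__main__":
    for action, ids in disposal_plan(SAMPLE_RECORDS, date(2021, 12, 9)).items():
        print(f"{action}: {ids}")
```

The "review" bucket is what makes the periodic-review requirement in paragraph (c)(6)(ii) operational: a retention reason is not a permanent exemption but an item that must be re-justified each cycle, and a record whose reason lapses moves to "dispose" on the next run.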

Change Management
    Proposed paragraph (c)(9) required financial institutions to adopt 
procedures for change management.\224\ Change management procedures 
govern the addition, removal, or modification of elements of an 
information system.\225\ This paragraph required financial institutions 
to develop procedures to assess the security of devices, networks, and 
other items to be added to their information system, or the effect of 
removing such items or otherwise modifying the information system. For 
example, a financial institution that adds additional servers or other 
machines to its information system would need to evaluate the security 
of the new devices and the effect of adding them to the existing 
network.
---------------------------------------------------------------------------

    \224\ Proposed 16 CFR 314.4(c)(9).
    \225\ See, e.g., Change Management, Rutgers OIT Information 
Security Office, https://rusecure.rutgers.edu/content/change-management (last accessed 1 Dec. 2020).
---------------------------------------------------------------------------

    Some commenters supported this requirement,\226\ while others 
stated it was too broad and would impose unnecessary burdens on 
financial institutions.\227\ In particular, NADA argued financial 
institutions that have not made changes in their systems ``for some 
time'' should not be required to create procedures for change 
management.\228\ ACE argued including a change management requirement 
is unnecessary because such a requirement is ``generally incorporated 
into an organization's IT operations'' for non-security purposes and 
the security considerations of those changes will be considered as part 
of those procedures.\229\
---------------------------------------------------------------------------

    \226\ Electronic Privacy Information Center (comment 55, NPRM), 
at 8; National Consumer Law Center and others, (comment 58, NPRM) at 
3.
    \227\ American Council on Education (comment 24, NPRM), at 12-
13; National Automobile Dealers Association (comment 46, NPRM), at 
33.
    \228\ National Automobile Dealers Association (comment 46, 
NPRM), at 32-33.
    \229\ American Council on Education (comment 24, NPRM), at 12.
---------------------------------------------------------------------------

    Alterations to an information system or network introduce 
heightened risk of cybersecurity incidents; \230\ thus, it is important 
to expressly require change management to be a part of an information 
security program. The Commission agrees with ACE that many financial 
institutions will already have change management procedures in place. 
If those procedures adequately consider security issues involved in the 
change, then they may satisfy this requirement.
---------------------------------------------------------------------------

    \230\ See Remarks of Rocio Baeza, Safeguards Workshop Tr., supra 
note 17, at 95 (``[E]very time there is a change to any of these 
[network] environments, that is creating additional risk.''); 
Remarks of Scott Wallace, Safeguards Workshop Tr., supra note 17, at 
147-48 (giving an example of an incident in which network changes 
led to the exposure of sensitive information); Remarks of Matthew 
Green, Safeguards Workshop Tr., supra note 17, at 252 (noting it is 
``a little dangerous'' to make ``major changes'' to an information 
system at a time of heightened stress).
---------------------------------------------------------------------------

    As to the comment that a financial institution that has not made changes 
to its environment in some time should not be required to have change 
management processes, the Commission disagrees. Few information systems 
can remain unchanged for a significant period of time, given the 
changing technical requirements for business and security. Indeed, NADA 
acknowledges financial institutions will need to ``adapt[] their 
programs to keep up with changes in data security.'' \231\ For this 
reason, all financial institutions must have procedures for when the 
changes occur. As with all of the requirements of the Rule, though, the 
exact nature of these procedures will vary depending on the size, 
complexity and nature of the information system. A simple system may 
have equally simple change management procedures.
---------------------------------------------------------------------------

    \231\ National Automobile Dealers Association (comment 46, 
NPRM), at 33 n.96.
---------------------------------------------------------------------------

    The Commission adopts this proposed paragraph as paragraph (c)(7) 
of the Final Rule without change.

System Monitoring
    Proposed paragraph (c)(10) required financial institutions to 
implement policies and procedures designed ``to monitor the activity of 
authorized users and detect unauthorized access or use of, or tampering 
with, customer information by such users.'' \232\ The Proposed Rule 
required financial institutions to take steps to monitor those users 
and their activities related to customer information in a manner 
adapted to the financial institution's particular operations and needs.
---------------------------------------------------------------------------

    \232\ Proposed 16 CFR 314.4(c)(10).
---------------------------------------------------------------------------

    NADA stated this requirement would create unnecessary expense 
because it would require financial institutions to ``continually 
monitor all authorized use'' and would mean ``yet more new employees or 
third-party IT consultants.'' \233\ The Commission disagrees, however, 
noting that monitoring of system use can be automated.\234\ There is no 
requirement that a separate staff member exclusively monitor system 
use.
---------------------------------------------------------------------------

    \233\ National Automobile Dealers Association (comment 46, NPRM), 
at 33.
    \234\ See Remarks of Nicholas Weaver, Safeguards Workshop Tr., 
supra note 17, at 124-25.
---------------------------------------------------------------------------

    In addition, one commenter stated monitoring the use of paper files 
is impossible and should be excluded from this provision.\235\ The 
Commission acknowledges monitoring of paper records is qualitatively 
different than the monitoring of electronic records. This requirement 
goes hand in hand with limiting access to documents, whether electronic 
or paper. For example, if an institution has a file room and access to 
the room is limited to particular employees (e.g., the payroll office), 
the institution should have measures in place to ensure those access 
controls are in fact being utilized (e.g., sign in with front desk, 
logging of key card access, security camera).
---------------------------------------------------------------------------

    \235\ American Financial Services Association (comment 41, 
NPRM), at 6.
---------------------------------------------------------------------------

    As discussed above, this paragraph is amended to also require the 
logging of user activity, but is otherwise adopted as proposed as 
paragraph (c)(8).

[[Page 70293]]

Proposed Paragraph (d)
    Proposed paragraph (d)(1) retained the current Rule's requirement 
that financial institutions ``[r]egularly test or otherwise monitor the 
effectiveness of the safeguards' key controls, systems, and procedures, 
including those to detect actual and attempted attacks on, or 
intrusions into, information systems.''
    Proposed paragraph (d)(2) provided further detail to this 
requirement by stating the monitoring must take the form of either 
``continuous monitoring'' or ``periodic penetration testing and 
vulnerability assessments.'' The proposal explained continuous 
monitoring is any system that allows real-time, ongoing monitoring of 
an information system's security, including monitoring for security 
threats, misconfigured systems, and other vulnerabilities.\236\ For 
those who elected to engage in periodic penetration testing and 
vulnerability assessment, the proposal required penetration testing at 
least once annually (or more frequently if called for in the financial 
institution's risk assessment) and vulnerability assessments at least 
twice a year.\237\
---------------------------------------------------------------------------

    \236\ Financial institutions that choose the option of 
continuous monitoring would also be satisfying Sec. 314.4(c)(8).
    \237\ Proposed 16 CFR 314.4(d)(1) and (2).
---------------------------------------------------------------------------

    Some commenters thought the proposal went too far in requiring 
continuous monitoring or penetration and vulnerability testing, while 
others thought the proposal did not go far enough. On one hand, ACE 
argued continuous monitoring is too burdensome and difficult for some 
financial institutions,\238\ particularly those with ``highly 
decentralized systems,'' such as colleges and universities, which could 
be required to monitor their entire system.\239\ ACE further suggested 
the Rule should not prescribe any particular testing methodology or 
schedule and should allow financial institutions to develop a testing 
approach appropriate for the financial institution.\240\ The NPA 
commented that penetration and vulnerability testing would be too expensive 
for small pawnbrokers with small staffs and a small customer base, 
where their members would be ``likely to notice a penetration of our 
records.'' \241\ One commenter stated the requirements for monitoring 
and testing were ``overlapping and confusing'' and suggested the 
Commission avoid confusion by including continuous monitoring, 
penetration testing, vulnerability scanning, periodic risk assessment 
reviews, and logging as optional components of an information security 
program to be included on an as-needed basis.\242\ Some commenters 
recommended the testing requirement be limited to electronic data and 
exclude monitoring of physical data.\243\ The American Financial 
Services Association argued the testing of physical safeguards required 
by paragraph (d)(1) ``would be impossible.'' \244\ Finally, CTIA 
argued, for entities that choose the approach of penetration and 
vulnerability testing, these tests should be required less 
regularly.\245\
---------------------------------------------------------------------------

    \238\ American Council on Education (comment 24, NPRM), at 13-
14.
    \239\ American Council on Education (comment 24, NPRM), at 13.
    \240\ American Council on Education (comment 24, NPRM), at 14.
    \241\ National Pawnbrokers Association (comment 3, Workshop), at 
2.
    \242\ Global Privacy Alliance (comment 38, NPRM), at 10-11.
    \243\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 6; American Financial Services Association 
(comment 41, NPRM), at 6.
    \244\ American Financial Services Association (comment 41, 
NPRM), at 6.
    \245\ CTIA (comment 34, NPRM) at 12-13 (arguing penetration 
testing should be required only once every two years and 
vulnerability testing be required only once a year).
---------------------------------------------------------------------------

    On the other hand, the Princeton Center suggested, rather than 
requiring either continuous monitoring or penetration testing, the Rule 
should require both. It noted continuous monitoring is very effective 
at detecting problems with, and threats to, ``off-the-shelf systems'' 
but penetration testing is better ``for checking the interaction 
between systems, proprietary systems, or subtle security issues.'' 
\246\ Similarly, the MSRT was concerned that the Proposed Rule 
suggested annual penetration testing alone could protect financial 
institutions, rather than serve as a supplement to proper 
monitoring.\247\
---------------------------------------------------------------------------

    \246\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 5.
    \247\ Money Services Round Table (comment 53, NPRM), at 9; see 
also Gusto and others (Comment 11, Workshop), at 2 (arguing 
penetration testing and vulnerability assessments both have their 
weaknesses and financial institutions should develop a testing 
program that it is appropriate for them).
---------------------------------------------------------------------------

    The Commission agrees with commenters who pointed out the 
difficulty of applying certain testing requirements to physical 
safeguards. Although the general testing requirement set forth in 
paragraph (d)(1) should apply to physical safeguards (e.g., testing 
the effectiveness of physical locks), the continuous monitoring, 
vulnerability assessment, and penetration testing in paragraph (d)(2) 
are not relevant to information in physical form. Accordingly, the 
final version of paragraph (d)(2) is limited to safeguards on 
information systems.
    The Commission also agrees that semiannual vulnerability testing 
alone may not be sufficient to detect new threats. Thus, given the 
relative ease with which vulnerability assessments can be performed, it 
modifies the Final Rule to require financial institutions to perform 
assessments when there is an elevated risk that new vulnerabilities 
have been introduced into their information systems, in addition to 
the required semiannual assessments.
    Beyond these modifications, the Commission believes the proposal 
struck the right balance between flexibility and protection of customer 
information, and adopts the proposed provision as final. For commenters 
concerned about costs of testing and continuous monitoring, the 
Commission notes the Rule requires one, not both. Although many 
financial institutions may choose to use both, the Commission agrees 
the costs of requiring both for all financial institutions may not be 
justified.\248\ As to arguments that the testing required by the Rule 
is too frequent and will therefore be too costly, the Commission does 
not agree vulnerability assessments will be costly. Indeed, there are 
resources for free and automated vulnerability assessments.\249\ And 
although the Commission acknowledges penetration testing can be a 
somewhat lengthy and costly process for large or complex systems,\250\ 
a longer period between penetration tests will leave information 
systems vulnerable to attacks that exploit weaknesses normally revealed 
by penetration testing.
---------------------------------------------------------------------------

    \248\ The Commission believes a system for continuous monitoring 
will include some form of vulnerability assessment as part of 
monitoring the information system.
    \249\ Remarks of Frederick Lee, Safeguards Workshop Tr., supra 
note 17, at 139-40.
    \250\ See id. at 129-30 (noting the cost of a penetration test 
can increase significantly depending on the complexity of the system 
to be tested and the scope of the test).
---------------------------------------------------------------------------

    Two other portions of the Final Rule should help financial 
institutions concerned about the costs of monitoring and testing. 
First, because the Commission is limiting the definition of 
``information system'' in the Final Rule, financial institutions will 
be able to limit this provision's application by segmenting their 
network and conducting monitoring or testing only of systems that 
contain customer information or that are connected to such systems. 
Second, this requirement does not apply to those institutions that

[[Page 70294]]

maintain records on fewer than 5,000 individuals. Accordingly, for 
example, it should not apply to businesses small enough for staff to 
personally know a majority of customers.
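    The segmentation point above lends itself to a small worked 
example. The following Python script is an added illustration, not 
text from the Rule or code from the FTC; the host names, the topology, 
and the placement of customer information are constructed, and the 
one-hop reading of ``connected to such systems'' is the one the 
passage's wording supports, with the stricter reachability reading 
included as a labelled alternative.

```python
# Added example (not from the Rule or the FTC): computing which hosts fall
# inside the Safeguards Rule's "information system" once a network has been
# segmented.  Hostnames, topology and customer-data placement are constructed.
from collections import defaultdict, deque
from itertools import combinations


def build_adjacency(links):
    """Undirected adjacency from (a, b) pairs meaning 'a and b can exchange traffic'."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def in_scope(hosts, links, holds_customer_info, transitive=False):
    """Hosts that must be monitored or tested under paragraph (d)(2).

    One-hop reading (default): a host is in scope if it holds customer
    information or is directly connected to one that does, matching the
    wording 'systems that contain customer information or that are
    connected to such systems'.  transitive=True is the stricter reading
    some practitioners adopt: anything reachable from a customer-data host.
    """
    hosts = set(hosts)
    holders = set(holds_customer_info) & hosts
    adj = build_adjacency(links)
    scope = set(holders)
    if not transitive:
        for h in holders:
            scope |= adj[h]
        return scope & hosts
    queue = deque(holders)  # breadth-first reachability from every holder
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope & hosts


def flat_lan(hosts):
    """Every host can talk to every other host: one broadcast domain, no ACLs."""
    return list(combinations(sorted(hosts), 2))


# Constructed inventory: only crm-db stores customer records.
HOSTS = ["crm-db", "loan-app", "edge-fw", "mkt-web", "hr-laptop", "guest-wifi"]
HOLDERS = {"crm-db"}

# Segmented design: the loan application is the database's only peer, and the
# firewall is the only device with an interface in both the loan segment and
# the corporate/guest segments.  Links record raw connectivity, not policy.
SEGMENTED_LINKS = [
    ("crm-db", "loan-app"),
    ("loan-app", "edge-fw"),
    ("edge-fw", "mkt-web"),
    ("edge-fw", "hr-laptop"),
    ("edge-fw", "guest-wifi"),
]


def scope_report():
    """Scope under three readings, returned as sorted lists for inspection."""
    return {
        "flat_one_hop": sorted(in_scope(HOSTS, flat_lan(HOSTS), HOLDERS)),
        "segmented_one_hop": sorted(in_scope(HOSTS, SEGMENTED_LINKS, HOLDERS)),
        "segmented_transitive": sorted(
            in_scope(HOSTS, SEGMENTED_LINKS, HOLDERS, transitive=True)
        ),
    }


if __name__ == "__main__":
    for reading, hosts in scope_report().items():
        print(f"{reading:22s} -> {len(hosts)} of {len(HOSTS)} hosts: {', '.join(hosts)}")
```

Run as a script, it prints the in-scope hosts under each reading. The 
flat LAN puts every host in scope; the segmented design under the 
one-hop reading puts only the database and the loan application in 
scope; and the reachability reading pulls everything back in because 
the firewall has an interface in each zone. Under that stricter 
reading the boundary device itself belongs to the customer-information 
system, and the hosts behind it stay out of scope only if the firewall 
policy actually blocks the path, which this graph of raw connectivity 
does not model.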
    Finally, the Commission does not believe the testing requirements 
are duplicative of other provisions of the Final Rule. The provision 
relating to additional risk assessments, Sec.  314.4(b)(2), requires a 
financial institution to reevaluate its risks and to determine if 
safeguards should be modified or added--it does not require testing to 
detect threats and technical vulnerabilities in the existing system. 
Section 314.4(c)(8)'s requirement that financial institutions monitor 
users' activity in an information system is focused on one aspect of 
information security--detecting and preventing unauthorized access and 
use of the system. The requirement of this paragraph, on the other 
hand, is focused on testing the overall effectiveness of a financial 
institution's safeguards. It is broader than paragraph (c)(8)'s 
requirement and is necessary to ensure financial institutions test the 
strength of their safeguards as a whole.
    Accordingly, the Final Rule requires financial institutions to 
perform vulnerability assessments at least once every six months and, 
additionally, whenever there are material changes to their operations 
or business arrangements and whenever there are circumstances they know 
or have reason to know may have a material impact on their information 
security program.
Proposed Paragraph (e)
    Proposed paragraph (e) set forth a requirement that financial 
institutions implement policies and procedures ``to ensure that 
personnel are able to enact [the financial institution's] information 
security program.'' This requirement included four components: (1) 
General employee training; (2) use of qualified information security 
personnel; (3) specific training for information security personnel; 
and (4) verification that security personnel are taking steps to 
maintain current knowledge on security issues.
General Employee Training
    Proposed paragraph (e)(1) required financial institutions to 
provide their personnel with ``security awareness training that is 
updated to reflect risks identified by the risk assessment.'' \251\
---------------------------------------------------------------------------

    \251\ Proposed 16 CFR 314.4(e)(1).
---------------------------------------------------------------------------

    While one commenter specifically supported the inclusion of this 
training requirement,\252\ the U.S. Chamber of Commerce argued the Rule 
should not have any specific training requirements at all.\253\ NADA 
stated the requirement that the training be ``updated to reflect risks 
identified by the risk assessment'' will require companies to develop 
individualized training programs to suit their financial institution 
and that such a process would be expensive and unnecessary because 
``general security awareness'' is generally enough for most financial 
institutions.\254\
---------------------------------------------------------------------------

    \252\ Electronic Privacy Information Center (comment 55, NPRM), 
at 8.
    \253\ U.S. Chamber of Commerce (comment 33, NPRM), at 12; see 
also American Financial Services Association (comment 41, NPRM), at 
6 (stating the Commission should acknowledge that a training program 
for a small financial institution will be different from a program 
for a larger institution).
    \254\ National Automobile Dealers Association (comment 46, 
NPRM), at 34.
---------------------------------------------------------------------------

    Given the current Rule includes a similar training requirement and 
training remains a vital part of effective information security, the 
Commission declines to eliminate it. The Commission believes the Final 
Rule's training requirement retains the same flexibility as the 
existing Rule and allows financial institutions to adopt a training 
program appropriate to their organization.
    The Commission disagrees with NADA's concern the requirement to 
update training programs would be too expensive. Without a requirement 
that the training program be updated based on an assessment of risks, 
employees may be subject to the same training year after year, which 
might reflect obsolete threats, as opposed to addressing current ones. 
The Commission interprets this provision to require only that the 
training program be updated as necessary based on changes in the 
financial institution's risk assessment. The provision also gives 
financial institutions the flexibility to use programs provided by a 
third party, if that program is appropriate for the financial 
institution. In order to clarify updates are required only when needed 
by changes in the financial institution or new security threats, 
though, the Final Rule states training programs need to be updated only 
``as necessary.''
Information Security Personnel
    Proposed paragraph (e)(2) required financial institutions to 
``[u]tiliz[e] qualified information security personnel,'' employed 
either by them or by affiliates or service providers, ``sufficient to 
manage [their] information security risks and to perform or oversee the 
information security program.'' \255\ This proposed provision was 
designed to ensure information security personnel used by financial 
institutions are qualified for their positions and information security 
programs are sufficiently staffed.
---------------------------------------------------------------------------

    \255\ Proposed 16 CFR 314.4(e)(2).
---------------------------------------------------------------------------

    Some commenters argued this provision was too vague because it does 
not define what personnel are necessary and what ``qualified'' 
means.\256\ NADA argued hiring additional staff to meet this 
requirement could be prohibitively expensive.\257\
---------------------------------------------------------------------------

    \256\ National Automobile Dealers Association (comment 46, 
NPRM), at 35; National Independent Automobile Dealers Association 
(comment 48, NPRM), at 7.
    \257\ National Automobile Dealers Association (comment 46, 
NPRM), at 35.
---------------------------------------------------------------------------

    As discussed in relation to the appointment of a ``Qualified 
Individual,'' the Commission believes a more specific definition of 
``qualified'' would not be appropriate, because each financial 
institution has different needs, and different levels of training, 
experience, and expertise will be appropriate for the information 
security staff of each institution. The term ``qualified'' conveys only 
that staff must have the abilities and expertise to perform the duties 
required by the information security program.\258\ The Commission 
declines to include a more prescriptive set of qualification 
requirements in the Final Rule.\259\
---------------------------------------------------------------------------

    \258\ NADA also asks whether this provision would require 
financial institutions to hire more personnel if they do not have 
enough qualified staff. Id. The Final Rule does require the hiring 
of additional personnel if existing personnel are not enough to 
maintain the financial institution's information security program.
    \259\ One commenter, on the other hand, approved of the decision 
not to define ``qualified'' in the Proposed Rule, but argued the 
requirement in its totality was unclear because it did not set forth 
``how the Commission would hold covered entities accountable.'' 
American Council on Education (comment 24, NPRM) at 14. The 
Commission believes the term ``qualified'' provides a clear enough 
requirement to allow a financial institution's compliance to be 
evaluated.
---------------------------------------------------------------------------

    As to the concern about expense, the Commission acknowledges hiring 
employees or retaining third parties to maintain financial 
institutions' information security programs can be a substantial 
expense. But the expense is necessary to effectuate Congressional 
intent that financial institutions implement reasonable safeguards to 
protect customer information. The Rule requires only that a financial 
institution have personnel ``sufficient'' to manage its risk and to 
maintain its information security program, that is, the staff 
necessary to maintain its information security. An information 
security program that is not properly maintained cannot offer the 
protection it is designed to provide. A financial institution that

[[Page 70295]]

does not comply with this requirement, by definition, has insufficient 
staffing, and thus, cannot reasonably protect customer information.
    Although the expense is necessary, the level of expense is 
mitigated by several factors. First, existing financial institutions 
should already have information security personnel (either in the form 
of employees or third-party service providers) qualified to perform the 
duties necessary to maintain reasonable security in order to comply 
with the requirements of the current Rule. Depending on the skills of 
those employees, additional staffing may not be necessary to meet the 
demands of the Final Rule. Second, the required staffing will vary 
greatly based on the size and complexity of the information system. A 
financial institution with an extremely simple system may not require 
even a single full time employee. Finally, the Rule allows the use of 
service providers to meet this requirement. This can significantly 
reduce costs as services exist to share the expense of qualified 
personnel and offer information security support at significantly less 
than the cost of employing a single qualified employee.\260\ The 
Commission continues to believe utilizing qualified and sufficient 
information security personnel is a vital part of any information 
security program and accordingly, adopts proposed paragraph (e)(2) in 
the Final Rule without modification.
---------------------------------------------------------------------------

    \260\ See, e.g., Slides Accompanying Remarks of Rocio Baeza, 
``Models for Complying to the Safeguards Rule Changes,'' in 
Safeguards Workshop Slides, supra note 72, at 27-28 (describing 
three different compliance models: In-house, outsource, and hybrid, 
with costs ranging from $199 per month to more than $15,000 per 
month); see also remarks of Rocio Baeza, Safeguards Workshop Tr., 
supra note 17, at 81-83; Slides Accompanying Remarks of Brian 
McManamon, ``Sample Pricing,'' in Safeguards Workshop Slides, supra 
note 72, at 29 (estimating the cost of cybersecurity services based 
on number of endpoints); Remarks of Brian McManamon, Safeguards 
Workshop Tr., supra note 17, at 83-85.
---------------------------------------------------------------------------

Training of Security Personnel
    The Proposed Rule also required financial institutions to 
``[p]rovid[e] information security personnel with security updates and 
training sufficient to address relevant security risks.'' \261\ This is 
separate from paragraph (e)(1)'s requirement to train all personnel 
generally.
---------------------------------------------------------------------------

    \261\ Proposed 16 CFR 314.4(e)(3).
---------------------------------------------------------------------------

    Some commenters argued providing ongoing training could be too 
costly for some financial institutions.\262\ The Commission disagrees. 
Maintaining awareness of emerging threats and vulnerabilities is a 
critical aspect of information security. In order to perform their 
duties, security personnel must be educated on the changing nature of 
threats to the information systems they maintain. There are resources 
that will allow smaller institutions to meet this requirement at little 
or no cost, such as published security updates, online courses, and 
educational publications.\263\ For financial institutions that utilize 
service providers to meet information security needs, the service 
provider is likely to include assurances that provided personnel will 
be trained in current security practices. The Commission views the use 
of such a service provider as meeting this requirement, as the 
financial institution is ``providing'' the service as part of the price 
it pays to the service provider. Thus, the Final Rule adopts paragraph 
(e)(3) as proposed.\264\
---------------------------------------------------------------------------

    \262\ National Automobile Dealers Association (comment 46, 
NPRM), at 35.
    \263\ See, e.g., Federal Trade Commission, Cybersecurity for 
Small Business, https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity (last accessed 1 Dec. 2020); Remarks 
of Kiersten Todt, Safeguards Workshop Tr. at 86-88 (describing the 
resources of the Cyber Readiness Institute).
    \264\ The Clearing House suggested the Rule should require 
background checks on employees. The Clearing House (Comment 49, 
NPRM) at 19.
---------------------------------------------------------------------------

Verification of Current Knowledge
    Proposed paragraph (e)(4) required financial institutions to 
``[v]erify[ ] that key information security personnel take steps to 
maintain current knowledge of changing information security threats and 
countermeasures.'' \265\ This requirement was intended to complement 
the proposed requirement regarding ongoing training of data security 
personnel, by requiring verification such training has taken place.
---------------------------------------------------------------------------

    \265\ Proposed 16 CFR 314.4(e)(4).
---------------------------------------------------------------------------

    NADA argued this requirement should not apply to smaller financial 
institutions, stating the examples set forth in the Proposed Rule would 
be difficult for some smaller financial institutions to perform.\266\ 
The examples provided with the Proposed Rule were that a financial 
institution could: (1) Offer incentives or funds for key personnel to 
undertake continuing education that addresses recent developments, (2) 
include a requirement to stay abreast of security research as part of 
their performance metrics, or (3) conduct an annual assessment of key 
personnel's knowledge of threats related to their information system. 
The Commission believes smaller financial institutions can take 
advantage of any of these methods, particularly ``requiring key 
personnel to undertake continuing education'' as part of that 
personnel's duties. If they outsource responsibility for data security 
to service providers, they can simply include these requirements in 
their contracts.
---------------------------------------------------------------------------

    \266\ National Automobile Dealers Association (comment 46, 
NPRM), at 35-36.
---------------------------------------------------------------------------

    The Commission believes the rapidly changing nature of information 
security mandates this requirement, in order that information security 
leadership can properly supervise the information security program. 
Accordingly, the Final Rule adopts proposed paragraph (e)(4) without 
change.
Proposed Paragraph (f)
    Proposed paragraphs (f)(1) and (2) retained the current Rule's 
requirement, found in existing paragraphs (d)(1) and (2), to oversee 
service providers, and added a paragraph (f)(3), requiring financial 
institutions also periodically assess service providers ``based on the 
risk they present and the continued adequacy of their safeguards.'' 
\267\ The current Rule expressly requires an assessment of service 
providers' safeguards only at the onboarding stage; proposed paragraph 
(f)(3) required financial institutions to monitor their service 
providers on an ongoing basis to ensure they are maintaining adequate 
safeguards to protect customer information they possess or access.\268\
---------------------------------------------------------------------------

    \267\ Proposed 16 CFR 314.4(g).
    \268\ The Clearing House wrote in support of this element of the 
Proposed Rule, noting it would bring the Safeguards Rule's 
provisions relating to service provider oversight into better 
alignment with security guidelines for banks. The Clearing House 
(comment 49, NPRM), at 14.
---------------------------------------------------------------------------

    Several commenters argued it would be costly and difficult for some 
financial institutions to periodically assess their service 
providers.\269\ These commenters were particularly concerned with 
smaller financial institutions' ability to ``monitor'' larger service 
providers.\270\ The Internet Association commented the requirement to 
periodically assess service providers would be too onerous for the 
service providers themselves, arguing the requirement would place 
``service providers under constant surveillance by their financial 
institution clients.'' \271\ HITRUST suggested the Rule should state 
the periodic assessment requirement may be satisfied by requiring 
service providers to obtain and maintain information

[[Page 70296]]

security certifications provided by third parties and based on proper 
information security frameworks.\272\ In contrast, Consumer Reports 
took issue with the Rule requiring only ``assessment'' of service 
providers, and argued financial institutions should be required to 
monitor their service providers for compliance.\273\ Yet other 
commenters expressed confusion over the term ``service provider,'' 
asking whether it would cover national consumer reporting agencies that 
smaller financial institutions would be hard-pressed to assess.\274\
---------------------------------------------------------------------------

    \269\ National Automobile Dealers Association (comment 46, 
NPRM), at 37; National Independent Automobile Dealers Association 
(comment 48, NPRM), at 7; see also Wangyang Shen (comment 3, Privacy 
Rule) (noting difficulty of supervising cloud services).
    \270\ National Automobile Dealers Association (comment 46, 
NPRM), at 22; National Association of Dealer Counsel (comment 44, 
NPRM), at 3.
    \271\ Internet Association (comment 9, Workshop), at 3-4.
    \272\ HITRUST (comment 18, NPRM), at 3-4.
    \273\ Consumer Reports (comment 52, NPRM) at 7.
    \274\ American Financial Services Association (comment 41, 
NPRM), at 7.
---------------------------------------------------------------------------

    The Commission retains the service provider oversight requirement 
from proposed paragraph (f) without modification. Some high profile 
breaches have been caused by service providers' security failures,\275\ 
and the Commission views the regular assessment of the security risks 
of service providers as an important part of maintaining the strength 
of a financial institution's safeguards.
---------------------------------------------------------------------------

    \275\ For example, in 2013, attackers were reportedly able to 
use stolen credentials obtained from a third-party service provider 
to access a customer service database maintained by national 
retailer Target Corporation, resulting in the theft of information 
relating to 41 million customer payment card accounts. Kevin McCoy, 
Target to pay $18.5M for 2013 data breach that affected 41 million 
consumers, USA Today, May 23, 2017, https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.
---------------------------------------------------------------------------

    The Commission disagrees with the commenters who expressed concerns 
this provision, and particularly the assessment requirement, would 
impose undue costs on financial institutions. The Rule would require 
financial institutions only to assess the risks service providers 
present and evaluate whether they continue to provide the safeguards 
required by contract, which need not include extensive investigation of 
a service provider's systems. In the case of large service providers, 
this oversight may consist of reviewing public reports of insecure 
practices, changes in the services provided, or security failures in 
the services provided. In other circumstances, such as where a large 
company hires a vendor to secure sensitive customer information, 
certifications, reports, or even third-party audits may be appropriate. 
The exact steps required depend both on the size and complexity of the 
financial institution and the nature of the services provided by the 
service provider. For this reason, the Commission declines to adopt the 
suggestion to allow a financial institution to accept an information 
security certification from the service provider to satisfy the service 
provider oversight requirement. The fact that a company maintains an 
information security certification may be a significant part of 
assessing the adequacy of a service provider's safeguards, but the 
Commission declines to prescribe a one-size-fits-all approach, given 
the variation in size and complexity of financial institutions and 
their service providers.
    To avoid imposing undue costs on financial institutions, the 
Commission declines to require ongoing monitoring, rather than periodic 
assessment, as recommended by Consumer Reports. The Commission believes 
periodic assessment strikes the right balance between protecting 
consumers and imposing undue costs on financial institutions. The 
Commission acknowledges financial institutions may have limited 
bargaining power in obtaining services from large service providers and 
limited ability to demand access to a service provider's systems. In 
those cases, any sort of hands-on assessment of the provider's systems 
may not be possible.
    As to the concern the assessment requirement will impose undue 
burdens on the service providers themselves, the Commission does not 
believe this concern justifies a modification to the proposed 
requirement. First, the Rule does not require ``constant surveillance'' 
by financial institutions--they are required only to ``periodically 
assess'' the risks presented by service providers. Second, as discussed 
above, the supervision of service providers is a vitally important 
aspect of information security, and while there may be some burdens on 
the service providers associated with being supervised, these are 
necessary burdens. A financial institution must be sure a service 
provider is protecting the information of its customers, and any 
expenses this involves are a necessary part of fulfilling this duty.
    Finally, as to concerns about potential ambiguities in the 
definition of service provider, the amendments preserve the definition 
in the current Rule. Thus, entities subject to this requirement under 
the Final Rule will remain the same as under the existing Rule and may 
include consumer reporting agencies. As discussed above, even larger 
service providers such as national CRAs can be subjected to some form 
of review by financial institutions.\276\
---------------------------------------------------------------------------

    \276\ The National Pawnbrokers Association expressed concern 
they cannot control vendors of local law enforcement agencies to 
whom they are required to provide customer information. National 
Pawnbrokers Association (comment 32, NPRM), at 2. However, the Rule 
does not require that financial institutions oversee service providers 
employed by other entities over which they have no control.
---------------------------------------------------------------------------

    The Commission adopts proposed paragraph (f) in the Final Rule 
without modification.
Proposed Paragraph (g)
    Paragraph (g) of the Proposed Rule retained the language of 
existing paragraph (e) in the current Rule, which requires financial 
institutions to evaluate and adjust their information security programs 
in light of the result of testing required by this section, material 
changes to their operations or business arrangements, or any other 
circumstances they know or have reason to know may have a material 
impact on their information security program. The Commission received 
no comments on this paragraph and adopts the language of the Proposed 
Rule.
Proposed Paragraph (h)
    Proposed paragraph (h) required financial institutions to establish 
written incident response plans that addressed (1) the goals of the 
plan; (2) the internal processes for responding to a security event; 
(3) the definition of clear roles, responsibilities and levels of 
decision-making authority; (4) external and internal communications and 
information sharing; (5) identification of requirements for the 
remediation of any identified weaknesses in information systems and 
associated controls; (6) documentation and reporting regarding security 
events and related incident response activities; and (7) the evaluation 
and revision as necessary of the incident response plan following a 
security event.
    Several commenters supported the proposal to require an incident 
response plan.\277\ The Credit Union National Association observed an 
incident response plan ``helps ensure that an entity is prepared in 
case of an incident by planning how it will respond and what is 
required for the response.'' \278\ Consumer Reports noted a rapid 
response to a security event can limit damage caused by the event.\279\ 
The

[[Page 70297]]

Princeton Center commented ``a written incident response plan is an 
essential component of a good security system.'' \280\ HITRUST 
commented incident response plans can help organizations ``to better 
allocate limited resources.'' \281\ The South Carolina Department of 
Consumer Affairs suggested the provision go further by requiring the 
incident response plan include a process for notifying senior 
information security personnel of the event.\282\
---------------------------------------------------------------------------

    \277\ Consumer Reports (comment 52, NPRM), at 6; Princeton 
University Center for Information Technology Policy (comment 54, 
NPRM), at 7; Electronic Privacy Information Center (comment 55, 
NPRM), at 8; Credit Union National Association (comment 30, NPRM), 
at 2; Heartland Credit Union Association (comment 42, NPRM), at 2; 
National Association of Federally-Insured Credit Unions (comment 43, 
NPRM), at 1; HITRUST (comment 18, NPRM), at 2.
    \278\ Credit Union National Association (comment 30, NPRM), at 
2.
    \279\ Consumer Reports (comment 52, NPRM), at 6.
    \280\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 7.
    \281\ HITRUST (comment 18, NPRM), at 2.
    \282\ South Carolina Department of Consumer Affairs (comment 47, 
NPRM), at 2.
---------------------------------------------------------------------------

    Other commenters opposed requiring an incident response plan or 
objected to particular aspects of the requirement. Some commenters 
suggested requiring financial institutions to have incident response 
plans is outside the Commission's authority under the GLB Act.\283\ 
NADA argued the requirement for an incident response plan was overbroad 
in light of the broad definition of security event,\284\ and the 
requirement was vague as to what the plan should include.\285\
---------------------------------------------------------------------------

    \283\ National Automobile Dealers Association (comment 46, NPRM), 
at 38; National Independent Automobile Dealers Association (comment 
48, NPRM), at 7.
    \284\ National Automobile Dealers Association (comment 46, NPRM), 
at 38.
    \285\ National Automobile Dealers Association (comment 46, NPRM), 
at 12, 38-39. NPA also asked for greater detail on what constitutes 
an ``incident.'' National Pawnbrokers Association (comment 32, NPRM), 
at 4.
---------------------------------------------------------------------------

    Other commenters argued the requirement was too burdensome. ACE 
argued ``the range of security events that might occur and their 
potential impacts on institutional capacity to recover'' make 
establishing an incident response plan that will allow an institution 
to ``respond to, and recover from, any security event materially 
affecting . . . customer information'' impossible.\286\ The Mortgage 
Bankers Association (``MBA'') suggested ``institutions of smaller sizes 
may not necessarily be capable of addressing all seven of the proposed 
goals.'' \287\ Further, the MBA argued an incident response plan 
requirement had ``the potential to cripple small businesses under the 
pressure of repeatedly checking the boxes for potentially harmless 
events.'' \288\
---------------------------------------------------------------------------

    \286\ American Council on Education (comment 24, NPRM), at 15.
    \287\ Mortgage Bankers Association (comment 26, NPRM), at 4.
    \288\ Mortgage Bankers Association (comment 26, NPRM), at 4.
---------------------------------------------------------------------------

    Finally, some commenters raised questions about what it means for 
customer information to be in a financial institution's ``possession'' 
for purposes of the incident response plan requirement. ACE argued the 
requirement does not adequately account for customer information held 
in cloud storage operated by third parties, asserting such information 
is not technically within the financial institution's possession.\289\ 
ACE suggested the provision should apply to customer information for 
which the financial institution is responsible, instead.\290\ 
Relatedly, the NPA expressed concern pawnbrokers might be subject to 
liability under the Proposed Rule when law enforcement agencies or 
their third-party vendors make public disclosures of customer 
information pawnbrokers are obligated to report.\291\
---------------------------------------------------------------------------

    \289\ American Council on Education (comment 24, NPRM), at 15.
    \290\ Id.
    \291\ National Pawnbroker Association (comment 32, NPRM), at 4.
---------------------------------------------------------------------------

    The Commission retains the requirement for financial institutions to 
develop and implement an incident response plan, with one modification 
described below. The Commission believes the creation of an incident 
response plan is directly related to safeguarding customer information 
and is within its authority under the GLBA. The requirement to create 
an incident response plan focuses on preparing financial institutions 
to respond promptly and appropriately to security events, and 
mitigating any weaknesses in their information systems in the process. 
By responding quickly and promptly mitigating weaknesses, financial 
institutions can stop ongoing or future compromise of customer 
information.\292\ A well-organized response to a security event can 
limit the number of consumers affected by an outside attacker by 
promptly identifying the attack and taking steps to stop the attack.
---------------------------------------------------------------------------

    \292\ See Remarks of Serge Jorgenson, Safeguards Workshop Tr., 
supra note 17, at 52 (observing a prompt response to an incident can 
prevent a ``threat actor running around in my environment for days, 
months, years, and able to access anything they want.'').
---------------------------------------------------------------------------

    The Commission disagrees with the commenters who stated this 
requirement was too burdensome. The Final Rule requires incident 
response plans address ``security event[s] materially affecting the 
confidentiality, integrity, or availability of customer information in 
[a financial institution's] control.'' Significantly, the plan must 
address events that ``materially'' affect customer information. Thus, 
the Rule does not require the plan to address every security event that 
may occur. The plan need not include minute 
details or all possible scenarios. Instead, the Rule requires the plan 
to establish a system--for example, by laying out clear lines of 
responsibility, systems for information sharing, and methods for 
evaluating possible solutions--that will facilitate a financial 
institution's response to security events regardless of the nature of 
the event. A detailed approach may be appropriate for some financial 
institutions, such as those with especially complicated systems or 
personnel hierarchies, but the Rule is designed to give financial 
institutions the flexibility needed to develop plans that best suit 
their needs.\293\
---------------------------------------------------------------------------

    \293\ Although the Commission agrees with the South Carolina 
Department of Consumer Affairs that notification of senior personnel 
is valuable, the requirement that the plan address ``the definition 
of clear roles, responsibilities and levels of decision-making 
authority'' will almost always result in communication of decision-
making to senior personnel authorized to make decisions about the 
security response. Coupled with the requirement the Qualified 
Individual report to the board or equivalent body on material events 
affecting security, the Commission does not see the need to make 
this change.
---------------------------------------------------------------------------

    Moreover, the Commission believes the requirement is clear as to 
what an incident response plan should include. The seven listed 
requirements for the incident response plans provide sufficient 
guidance to financial institutions designing incident response plans 
while giving them flexibility to design a plan suited to their 
organization. In addition, there are many resources for designing 
incident response plans available for financial institutions, as well 
as service providers that can assist with the design process.\294\ 
Individual institutions can determine the exact details of the plans.
---------------------------------------------------------------------------

    \294\ See, e.g., FTC, Data Breach Response: A Guide for Business 
(2019), www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business; NIST, Guide for Cybersecurity Event 
Recovery (2016), nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf; Orion Cassetto, Incident Response Plan 101: How 
to Build One, Templates and Examples, Exabeam: Information Security 
Blog (November 21, 2018), www.exabeam.com/incident-response/incident-response-plan/ (last visited December 2, 2020).
---------------------------------------------------------------------------

    To address questions about whether information is in the financial 
institution's ``possession,'' the Commission is revising paragraph (h) 
of the Final Rule to require financial institutions develop incident 
response plans ``designed to promptly respond to, and recover from, any 
security event materially affecting . . . customer information in your 
control.'' (emphasis added) Replacing the term ``possession'' with 
``control'' resolves the questions raised by ACE and the NPA regarding
whether financial institutions must plan for security events affecting 
data that has been transferred to various kinds of third parties. Where 
a financial institution has voluntarily opted to store its customer 
information in the cloud, to whatever extent the information is no 
longer in the ``possession'' of the financial institution, it is 
certainly within the institution's ``control.'' By contrast, customer 
information that has been obtained by a third party such as a law 
enforcement agency, over whom a financial institution has no authority 
and of whose actions the financial institution has no knowledge, cannot 
fairly be said to be in the financial institution's control. 
Consequently, the financial institution need not account for possible 
disclosures of that information by the third party.\295\
---------------------------------------------------------------------------

    \295\ NADA further argued the incident response plan constitutes 
a de facto consumer notification requirement. National Automobile 
Dealer Association (comment 46, NPRM), at 39. Financial institutions 
have an independent obligation to perform notification as required 
by state law, whether or not they have an incident response plan in 
place. The fact that the Rule requires a plan that sets forth 
procedures for satisfying that requirement does not impose any 
independent notification requirement on the financial institution.
---------------------------------------------------------------------------

Notification of Security Events to the Commission
    The Commission also requested comment on whether the Rule should 
require financial institutions to report security events to the 
Commission. Several commenters supported this requirement.\296\ The 
Princeton University Center for Information Technology Policy noted 
such a reporting requirement would ``provide the Commission with 
valuable information about the scope of the problem and the 
effectiveness of security measures across different entities'' and 
``help the Commission coordinate responses to shared threats.'' \297\ 
The National Association of Federally-Insured Credit Unions argued 
requiring financial institutions to report security events to the 
Commission would provide an ``appropriate incentive for covered 
financial companies to disclose information to consumers and relevant 
regulatory bodies.'' \298\ NAFCU also suggested notification 
requirements are important because they ``ensure independent assessment 
of whether a security incident represents a threat to consumer 
privacy.'' \299\
---------------------------------------------------------------------------

    \296\ Consumer Reports (comment 52, NPRM), at 6; Princeton 
University Center for Information Technology Policy (comment 54, 
NPRM), at 7; Credit Union National Association (comment 30, NPRM), 
at 2; Heartland Credit Union Association (comment 42, NPRM), at 2; 
National Association of Federally-Insured Credit Unions (comment 43, 
NPRM), at 1-2.
    \297\ Princeton University Center for Information Technology 
Policy (comment 54, NPRM), at 7.
    \298\ National Association of Federally-Insured Credit Unions 
(comment 43, NPRM), at 1.
    \299\ National Association of Federally-Insured Credit Unions 
(comment 43, NPRM), at 1-2.
---------------------------------------------------------------------------

    Other commenters opposed the inclusion of a reporting 
requirement.\300\ ACE argued such a requirement ``would simply add 
another layer on top of an already crowded list of federal and state 
law enforcement contacts and state breach reporting requirements.'' 
\301\ ACE also suggested any notification requirement should be limited 
to a more restricted definition of ``security event'' than the 
definition in the Proposed Rule, so financial institutions would only 
be required to report incidents that could lead to consumer harm.\302\
---------------------------------------------------------------------------

    \300\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 7; American Council on Education (comment 24, 
NPRM), at 15.
    \301\ American Council on Education (comment 24, NPRM), at 15.
    \302\ Id.
---------------------------------------------------------------------------

    The Commission agrees with commenters that stated a requirement 
financial institutions report security events to the Commission would 
have many benefits, including allowing the Commission to identify 
emerging threats and assisting the Commission's enforcement of the 
Rule. In addition, such a requirement would be unlikely to create a 
significant burden on financial institutions because a security event 
that leads to notification to the Commission is very likely to create 
breach notification obligations under various state laws, and the 
financial institution will thus already be engaged in notifying 
consumers and state regulators. The addition of a notification to the 
FTC would not require any significant additional preparation or effort. 
However, because the notice of proposed rulemaking did not set forth a 
detailed proposal for a notification requirement, the Final Rule does 
not include such a requirement. Instead, the Commission is issuing a 
supplemental notice of proposed rulemaking (SNPRM) that proposes adding 
a requirement financial institutions notify the Commission of detected 
security events under certain circumstances.\303\
---------------------------------------------------------------------------

    \303\ Standards for Safeguarding Customer Information, SNPRM, 
published elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------

Proposed Paragraph (i)
    Proposed paragraph (i) required a financial institution's CISO to 
``report in writing, at least annually, to [the financial 
institution's] board of directors or equivalent governing body'' 
regarding the following information: (1) The overall status of the 
information security program and financial institution's compliance 
with the Safeguards Rule; and (2) material matters related to the 
information security program, addressing issues such as risk 
assessment, risk management and control decisions, service provider 
arrangements, results of testing, security events or violations and 
management's responses thereto, and recommendations for changes in the 
information security program.\304\ For financial institutions that did 
not have a board of directors or equivalent, the proposal required the 
CISO to make the report to a senior officer responsible for the 
financial institution's information security program.
---------------------------------------------------------------------------

    \304\ Proposed 16 CFR 314.4(i).
---------------------------------------------------------------------------

    One commenter supported this requirement.\305\ Additionally, 
several workshop participants emphasized the value of communication 
between information security leaders and corporate boards or their 
equivalent. For example, workshop participant Michele Norin stated it 
is ``important'' for the topic of information security to be discussed 
at the level of the board or senior leadership regularly, and at least 
once per year.\306\ Participant Adrienne Allen agreed annual reporting 
made sense as a requirement, but noted for some financial institutions, 
particularly those with an online presence, even more frequent 
communication could be beneficial.\307\
---------------------------------------------------------------------------

    \305\ Rocio Baeza (comment 12, Workshop), at 3-8 (supporting 
requirement and providing sample report form and compliance 
questionnaire); see also The Clearing House (comment 49, NPRM), at 
15-16 (arguing that Rule should require more involvement from Board 
and senior management).
    \306\ Remarks of Michele Norin, Safeguards Workshop Tr., supra 
note 17, at 194.
    \307\ Remarks of Adrienne Allen, Safeguards Workshop Tr., supra 
note 17, at 199-200.
---------------------------------------------------------------------------

    ACE argued the Proposed Rule created too much emphasis on a single 
annual report and should instead focus on regular reporting to the 
Board or equivalent.\308\ It also expressed concern the report required 
by the Proposed Rule would be too detailed and would not allow the 
Board to see ``the forest for the trees,'' \309\ the requirements for 
the report were too prescriptive, and the requirements focused too much 
on compliance rather than security.\310\ Similarly, NADA argued the 
report would not improve security but would instead create 
``unnecessary liability exposure for the board/leadership of the 
entity.'' \311\ HITRUST suggested
Qualified Individuals should be able to meet this reporting requirement 
by submitting a report from an information security certification 
program to the Board or equivalent body.\312\
---------------------------------------------------------------------------

    \308\ American Council on Education (comment 24, NPRM), at 16.
    \309\ Id.
    \310\ Id.
    \311\ National Automobile Dealer Association (comment 46, NPRM), 
at 41. NADA also argued the reports by third-party Qualified 
Individuals might not include useful information and were ``more 
likely to be filled with platitudes and/or efforts to `upsell' the 
dealership on additional CISO services.'' Id. at 42. NADA provided 
no support for this claim. The Commission notes such a report would 
not meet the requirements of this provision, and the financial 
institution would be justified in terminating their relationship 
with that provider or, at least, demanding a revised report that did 
meet those requirements.
    \312\ HITRUST (comment 18, NPRM), at 4.
---------------------------------------------------------------------------

    The Commission adopts the proposal as final, with one modification 
discussed below. This provision is intended to ensure the governing 
body of the financial institution is engaged with and informed about 
the state of the financial institution's information security program. 
Likewise, this will create accountability for the Qualified Individual 
by requiring him or her to set forth the status of the information 
security program for the governing body.\313\ This will help financial 
institutions to ensure their information security programs are being 
maintained appropriately and given the necessary resources. Written 
reports will create a record of decisions made and the information upon 
which they were based, which may aid future decision-making.\314\ 
Management involvement in information security programs can improve the 
strength of those programs and help to reduce breaches.\315\
---------------------------------------------------------------------------

    \313\ See Remarks of Karthik Rangarajan, Safeguards Workshop 
Tr., supra note 17, at (``If quarter over quarter, year over year, 
this watermark isn't reducing, then board of directors should be 
able to challenge us and say maybe you're not mapping your risks 
correctly, or vice versa if it's reducing but we're seeing more 
incidents, we're seeing potential breaches, things like that, then 
the board of directors should be able to say maybe you don't have 
the right risk quantification framework or the right risk management 
framework.'').
    \314\ Workshop participants Adrienne Allen, Karthik Rangarajan, 
and Michele Norin each emphasized this point. See Safeguards 
Workshop Tr., supra note 17, pp. 201-09.
    \315\ See Juhee Kwon, Jackie Rees Ulmer, & Tawei Wang, The 
Association Between Top Management Involvement and Compensation and 
Information Security Breaches, Journal of Information Systems, 
Spring 2013, at 219-236 (``. . . the involvement of an IT executive 
decreases the probability of information security breach reports by 
about 35 percent . . .''); Julia L. Higgs, Robert E. Pinsker, Thomas 
Joseph Smith, & George Young, The Relationship Between Board-Level 
Technology Committees and Reported Security Breaches, Journal of 
Information Systems, Fall 2016, at 79-98 (``[A]s a technology 
committee becomes more established, its firm is not as likely to be 
breached. To obtain further evidence on the perceived value of a 
technology committee, this study uses a returns analysis and finds 
that the presence of a technology committee mitigates the negative 
abnormal stock returns arising from external breaches.'').
---------------------------------------------------------------------------

    The Commission disagrees with the commenters who stated the 
reporting requirement would be too prescriptive. In fact, the language 
only requires reporting of (1) the overall status of the information 
security program and its compliance with this Rule; and (2) material 
matters related to the information security program. The language 
includes examples of what material matters might include, such as risk 
assessments and security events, but does not require all of them be 
included. The financial institution and the Qualified Individual will 
be responsible for determining what is material for their organization. 
The Commission does not believe these requirements call for overly 
detailed reports.\316\
---------------------------------------------------------------------------

    \316\ Indeed, workshop participants discussed a variety of 
strategies for meaningful communication between security personnel 
and senior leadership. Participants noted the proper content, style, 
and cadence of reporting (beyond the minimum annual report) will 
vary depending on, among other things, the type of financial 
institution in question and the level of familiarity of leadership 
with the relevant technical issues. See Safeguards Workshop Tr., 
supra note 17, at 194-200.
---------------------------------------------------------------------------

    Although the Commission agrees a certification report from a 
Qualified Individual could be a part of the annual report and may cover 
many material matters, it may not suffice in all cases; thus, the 
Commission declines to include such a one-size-fits-all requirement.
    As to the suggestion to require ``regular'' reporting, the 
Commission agrees more regular reporting may be the best approach for 
many financial institutions. To this end, the Commission modifies the 
requirement in the final rule to say ``regularly, and at least 
annually.'' \317\ Beyond this modification, the Final Rule adopts 
proposed paragraph (i) as proposed.
---------------------------------------------------------------------------

    \317\ NADA argued reports required by this provision would be 
expensive because the Proposed Rule stated they would need to be 
prepared by a ``CISO,'' which NADA takes to mean a highly 
compensated expert of the type retained by the most sophisticated 
large institutions. National Automobile Dealer Association (comment 
46, NPRM), at 41. As discussed above, however, the Rule does not 
require all financial institutions to retain such an expert. 
Instead, the report will be made by the Qualified Individual, whose 
expertise and compensation will vary according to the size and 
complexity of a financial institution's information system.
---------------------------------------------------------------------------

Board Certification
    The Commission specifically sought comment on whether the Board or 
equivalent should be required to certify the contents of the report. 
The two commenters who addressed this question stated they should 
not.\318\ ACE noted ``governing boards generally will not have the 
knowledge and expertise to independently certify'' the technical 
aspects of the report and certification might require the employment of 
outside auditors.\319\ The Commission agrees senior management of 
financial institutions will often lack the technical expertise to 
personally attest to the validity of the report. In addition, the primary purpose of 
the required report is to encourage communication between information 
security personnel and senior management, not to show compliance with 
the Rule. Requiring the governing board to certify the contents of the 
report would likely transform the report into a compliance document and 
might reduce its efficacy as a communication between the Qualified 
Individual and the Board. Accordingly, the Commission declines to adopt 
this requirement in the Final Rule.
---------------------------------------------------------------------------

    \318\ National Automobile Dealer Association (comment 46, NPRM), 
at 41 n.126; American Council on Education (comment 24, NPRM), at 
16.
    \319\ American Council on Education (comment 24, NPRM), at 16.
---------------------------------------------------------------------------

Sec.  314.5: Effective Date

    The Proposed Rule set a new effective date for some portions of the 
Rule. Proposed Sec.  314.5 provided certain elements of the information 
security program would not be required until six months after the 
publication of a final rule, rather than immediately upon publication. 
The paragraphs that would have a delayed effective date were: Sec.  
314.4(a), related to the appointment of a Qualified Individual; Sec.  
314.4(b)(1), relating to conducting a written risk assessment; Sec.  
314.4(c)(1) through (8), setting forth the new elements of the 
information security program; Sec.  314.4(d)(2), requiring continuous 
monitoring or annual penetration testing and biannual vulnerability 
assessment; Sec.  314.4(e), requiring training for personnel; Sec.  
314.4(f)(3), requiring periodic assessment of service providers; Sec.  
314.4(h), requiring a written incident response plan; and Sec.  
314.4(i), requiring annual written reports from the Qualified 
Individual. All other requirements under the Safeguards Rule would 
remain in effect during this six-month period. These remaining 
requirements largely mirrored the requirements of the existing Rule.
    All commenters that addressed this provision noted the difficulty 
of complying with some of the provisions of the Proposed Rule, and 
argued financial institutions should be given more time to comply with 
them. ACE suggested financial institutions be given one year to create 
a plan for compliance and two years to come into actual 
compliance.\320\ AFSA suggested compliance not be required for two
years.\321\ ACA International requested the effective date be one year 
after publication of the Rule.\322\
---------------------------------------------------------------------------

    \320\ American Council on Education (comment 24, NPRM), at 4-5.
    \321\ American Financial Services Association (comment 41, 
NPRM), at 7.
    \322\ ACA International (comment 45, NPRM), at 10-11.
---------------------------------------------------------------------------

    The Commission agrees some financial institutions may need longer 
to modify their information security programs to comply with the new 
requirements in the Final Rule, especially given the current pandemic 
and the strains it is placing on businesses. Accordingly, the Final 
Rule extends the effective date for these enumerated provisions to one 
year after the publication of this document.

Proposed Sec.  314.6: Exceptions

    Proposed Sec.  314.6 exempted financial institutions that maintain 
customer information concerning fewer than five thousand consumers from 
certain requirements of the Proposed Rule, namely Sec.  314.4(b)(1), 
requiring a written risk assessment; Sec.  314.4(d)(2), requiring 
continuous monitoring or annual penetration testing and biannual 
vulnerability assessment; Sec.  314.4(h), requiring a written incident 
response plan; and Sec.  314.4(i), requiring an annual written report 
by the CISO (as revised, the Qualified Individual).\323\ This proposed 
section was designed to reduce the burden on smaller financial 
institutions.
---------------------------------------------------------------------------

    \323\ Proposed 16 CFR 314.6.
---------------------------------------------------------------------------

    The Commission sought comment on whether it was appropriate to 
include such an exemption, whether the specific exemptions were 
appropriate, whether the number of customers about whom the financial 
institution retains customer information is the most effective measure 
for determining which financial institutions should be exempted and, if 
so, whether five thousand customers was an appropriate 
number. After reviewing the comments received, the Commission retains 
the exemption for financial institutions with fewer than 5,000 
customers as proposed.
    Several commenters supported the inclusion of an exemption for 
small financial institutions. Consumer Reports supported the exemption 
as proposed.\324\ NPA supported the decision to base this exemption on 
the number of customers whose information the financial institution 
maintains, but questioned how the number of customers would be 
determined.\325\ NPA asked whether the number of customers would be 
counted on an annual basis or include all records the financial 
institution maintains. It also asked if each transaction with a 
customer would be counted separately.\326\
---------------------------------------------------------------------------

    \324\ Consumer Reports (comment 52, NPRM), at 6; see also Credit 
Union National Association (comment 30, NPRM), at 2 (noting the 
exemption will be helpful for smaller businesses, but suggesting 
other changes to the Proposed Rule so the exemption is not 
required).
    \325\ National Pawnbrokers Association (comment 32, NPRM), at 6.
    \326\ Id.; see also National Independent Automobile Dealers 
Association (comment 48, NPRM), at 3.
---------------------------------------------------------------------------

    Some commenters argued the number of customers whose records a 
financial institution maintains was the wrong measure by which to 
assess whether the exemption should apply. For example, commenters 
suggested the Rule should take into account businesses with revenue 
beneath a certain threshold,\327\ the number of students enrolled at 
covered educational institutions,\328\ or the number of individuals 
employed by the financial institution.\329\
---------------------------------------------------------------------------

    \327\ ACA International (comment 45, NPRM), at 11-12.
    \328\ American Council on Education (comment 24, NPRM), at 5.
    \329\ Ahmed Aly (comment 22, NPRM).
---------------------------------------------------------------------------

    Additionally, some commenters argued the threshold for application 
of the exemption should be higher. ACA International suggested the 
exemption should apply to all financial institutions maintaining 
records concerning fewer than 10,000 customers.\330\ AFSA suggested a 
50,000 customer threshold.\331\ NADA \332\ and NIADA \333\ argued the 
threshold should be raised to 100,000 customers. Without proposing a 
specific alternative, NPA expressed concern the 5,000-customer 
threshold may be too low, noting pawnbrokers who accept firearms as 
collateral are required to keep customer records related to certain 
transactions for twenty years.\334\
---------------------------------------------------------------------------

    \330\ ACA International (comment 45, NPRM), at 11-12.
    \331\ American Financial Services Association (comment 41, 
NPRM), at 3-4.
    \332\ National Automobile Dealers Association (comment 46, 
NPRM), at 43-44. NADA also suggested information about customers for 
which the nonpublic information has been removed should not be 
counted toward the total. If the information is anonymized or otherwise 
transformed so it is no longer reasonably linkable to a customer, 
that information will not count towards the exemption. NADA's 
example of retaining only ``name, phone number, address, and VIN of 
the vehicle they own,'' would still count as customer information 
under the Rule.
    \333\ National Independent Automobile Dealers Association 
(comment 48, NPRM), at 3.
    \334\ National Pawnbrokers Association (comment 32, NPRM), at 6.
---------------------------------------------------------------------------

    As to the substance of the exemption, some commenters felt it did 
not go far enough to relieve the burden of the rule for small financial 
institutions. ACA International proposed eligible financial 
institutions should also be exempt from the requirement to designate a 
single qualified individual to oversee their information security 
programs.\335\ The National Federation of Independent Business argued 
businesses with 15 or fewer employees should be exempted from the Rule 
entirely and instead held only to a requirement to take ``commercially 
reasonable steps'' to safeguard customer information.\336\ The Small 
Business Administration Office of Advocacy suggested, in the absence of 
additional information regarding the impact of the proposed changes on 
small businesses, the Rule should ``maintain the status quo'' for small 
entities as defined by the Small Business Administration's size 
standards.\337\
---------------------------------------------------------------------------

    \335\ ACA International (comment 45, NPRM), at 12.
    \336\ National Federation of Independent Business (comment 16, 
NPRM), at 4.
    \337\ Small Business Administration Office of Advocacy (comment 
28, NPRM), at 6.
---------------------------------------------------------------------------

    On the other hand, other commenters opposed the inclusion of any 
exemption. The Independent Community Bankers of America noted the 
Federal Financial Institutions Examination Council Interagency 
Guidelines Establishing Standards for Safeguarding Customer Information 
(``FFIEC Guidelines''), which detail how depository institutions are 
required to protect customer information, include no exemption for 
smaller institutions and suggested the Rule should also have no 
exemption and apply equally to all financial institutions.\338\
---------------------------------------------------------------------------

    \338\ Independent Community Bankers of America (comment 35, 
NPRM), at 4; see also American Escrow (comment 6, Workshop), at 3 
(arguing even small companies may need to comply with all portions 
of the Rule to maintain consumer confidence); see also Caiting Wang 
(Comment 6, Privacy) (suggesting exempted provisions should be 
optional for smaller businesses, or the Commission create a fund to 
enable small businesses to comply with these provisions).
---------------------------------------------------------------------------

    Under the existing Rule, there is no exception for smaller 
entities. Still, the Commission continues to believe it is appropriate 
to exempt small businesses from some of the revised Rule's 
requirements. Although the FFIEC Guidelines do not exempt small 
businesses from its requirements, the FFIEC Guidelines regulate only 
depository financial institutions subject to an entirely different 
regulatory regime, including supervision by their regulatory agencies. 
While the provisions from which eligible financial institutions are 
exempt have significant benefits for the security of customer 
information and other sensitive data,\339\

[[Page 70301]]

those provisions may be less necessary in situations where the overall 
volume of retained data is low. This is true in part because the 
potential for cumulative consumer harm is less where fewer consumers' 
information may be exposed as the result of a security incident.\340\
---------------------------------------------------------------------------

    \339\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop 
Tr., supra note 17, at 85 (noting continuous monitoring allows 
organizations to detect and quickly respond to threats); Remarks of 
Frederick Lee, Safeguards Workshop Tr., supra note 17, at 126-28 
(discussing benefits of penetration testing); 
Remarks of Tom Dugas, Safeguards Workshop Tr., supra note 17, at 143 
(noting the importance of vulnerability scans); Remarks of Michele 
Norin, Safeguards Workshop Tr., supra note 17, 194-95 (asserting 
annual reporting by the Qualified Individual to an organization's 
board or equivalent is beneficial); Remarks of Adrienne Allen, 
Safeguards Workshop Tr., supra note 17, at 201.
    \340\ See Remarks of James Crifasi, Safeguards Workshop Tr., 
supra note 17, at 91-92 (noting companies that control large amounts 
of consumer data should in most instances implement the full range 
of data security safeguards, whereas small businesses with less data 
may need to focus on cybersecurity basics); see also Remarks of Lee 
Waters, Safeguards Workshop Tr., supra note 17, at 91 (``[T]he 
amount of data [that a business holds] would definitely have an 
influence on whether a business is even going to be attacked.''); 
Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 
94 (citing the volume of consumer records held by an organization as 
an important factor in assessing cybersecurity risk).
---------------------------------------------------------------------------

    For similar reasons, the Commission finds the number of individuals 
concerning whom a financial institution maintains customer information 
is the appropriate measure of whether the exemption should apply to a 
particular financial institution. The application of the exemption 
should take into account both the potential burden of compliance to 
financial institutions and the risk to consumers when standards are 
relaxed--in other words, the purpose of the exemption is to avoid 
imposing undue burden while assuring customer information is subject to 
necessary protections. Even a very small financial institution, 
depending on its business model, may retain very large quantities of 
sensitive customer information.\341\ Adequate security is necessary to 
protect such information, which may constitute an attractive target for 
bad actors such as identity thieves; the value of the target is 
correlated with the volume of information maintained.\342\ While a 
business's revenue or number of employees may provide a measure of the 
burden of compliance for that business, these figures do not capture 
consumer risk. By contrast, the number of individuals about whom a 
financial institution maintains customer information is a proxy for the 
level of security necessary in light of both the risk of attack and the 
potential consumer harm should a security incident occur.\343\ In 
addition, basing the exemption on the number of individuals concerning 
whom a financial institution maintains customer information provides an 
incentive to financial institutions to reduce the amount of information 
they retain. A financial institution may choose to dispose of 
information so it holds information on few enough consumers to qualify 
for exemption.\344\
---------------------------------------------------------------------------

    \341\ See, e.g., Remarks of James Crifasi, Safeguards Workshop 
Tr., supra note 17, at 91-92 (noting small businesses with an 
enormous amount of consumer records need to follow all of the 
safeguards and ``can't get away with just doing the basics''); see 
also ACA International (comment 45, NPRM) at 11 (``Many small 
financial institutions, including a number of ACA members, have 
objectively limited operations in terms of number of employees and 
revenues, but handle large volumes of consumer account data for each 
of their clients on whose behalf they are collecting debts.'').
    \342\ See, e.g., Remarks of Rocio Baeza, Safeguards Workshop 
Tr., supra note 17, at 94 (opining ``the better indicators for 
cybersecurity risk are going to be two things: The volume of 
consumer records that a financial institution holds and also the 
rate of change.''); Remarks of Lee Waters, Safeguards Workshop Tr., 
supra note 17, at 91 (noting the amount of data a company holds 
influences whether it is going to be attacked).
    \343\ See Remarks of Brian McManamon, Safeguards Workshop Tr., 
supra note 17, at 89-90 (noting the size of a financial institution 
and the amount and nature of the information it holds factor into an 
appropriate information security program).
    \344\ The Commission understands this provision to count all 
individual consumers about which a financial institution maintains 
customer information, including both current and former customers. 
The exemption counts consumers rather than transactions so a 
financial institution that had 100 transactions with a single 
customer would count only a single consumer.
---------------------------------------------------------------------------

    The Final Rule adopts this section as proposed. The Commission 
continues to believe the cutoff for financial institutions maintaining 
information concerning 5,000 consumers appropriately balances the need 
for security with the burdens on smaller businesses. The requirements 
to which exempted financial institutions would still be required to 
adhere are tailored to balance the importance of adequately securing 
customer information against the need to limit financial burdens for 
small businesses. Many of these requirements were already in force as 
part of the existing Rule--for example, covered financial institutions 
were already required to design and implement a written information 
security program, conduct risk assessments, perform an initial 
assessment of their service providers, and designate one or more 
employees to oversee information security. For reasons discussed 
elsewhere in this document, the new requirements that apply to exempted 
financial institutions, such as the requirement to designate a single 
qualified individual to oversee information security rather than one or 
more individuals, will ensure financial institutions of all sizes 
continue to adequately protect customer information in an environment 
of increasing cybersecurity risk, while avoiding the imposition of 
undue burden.

IV. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA''), 44 U.S.C. chapter 35, requires 
Federal agencies to seek and obtain Office of Management and Budget 
(OMB) approval before undertaking a collection of information directed 
to ten or more persons.\345\ A ``collection of information'' occurs 
when ten or more persons are asked to report, provide, disclose, or 
record information in response to ``identical questions.'' \346\ 
Applying these standards, neither the Safeguards Rule nor the 
amendments constitute a ``collection of information.'' \347\ The Rule 
calls upon affected financial institutions to develop or strengthen 
their information security programs in order to provide reasonable 
safeguards. Under the Rule, each financial institution's safeguards 
will vary according to its size and complexity, the nature and scope of 
its activities, and the sensitivity of the information involved. For 
example, a financial institution with numerous employees would develop 
and implement employee training and management procedures beyond those 
that would be appropriate or reasonable for a sole proprietorship, such 
as an individual tax preparer or mortgage broker. Similarly, a 
financial institution that shares customer information with numerous 
service providers would need to take steps to ensure such information 
remains protected, while a financial institution with no service 
providers would not need to address this issue. Thus, although each 
financial institution must summarize its compliance efforts in one or 
more written documents, the discretionary balancing of factors and 
circumstances the Rule allows--including the myriad operational 
differences among businesses it contemplated--does not require entities 
to answer ``identical questions'' and therefore does not trigger the 
PRA's requirements.
---------------------------------------------------------------------------

    \345\ 44 U.S.C. 3502(3)(A)(i).
    \346\ See 44 U.S.C. 3502(3)(A).
    \347\ See Standards for Safeguarding Customer Information, 67 FR 
36484, 36491 (May 23, 2002).
---------------------------------------------------------------------------

    The amendments to the Rule do not change this analysis because they 
retain the existing Rule's process-based approach, allowing financial 
institutions to tailor their programs to reflect the financial 
institutions' size, complexity, and operations, and to the

[[Page 70302]]

sensitivity and amount of customer information they collect. For 
example, amended Sec.  314.4(b) would require a written risk 
assessment, but each risk assessment will reflect the particular 
structure and operation of the financial institution and, though each 
assessment must include certain criteria, these are only general 
guidelines and do not consist of ``identical questions.'' Similarly, 
amended Sec.  314.4(h), which requires a written incident response 
plan, is only an extension of the preexisting requirement of a written 
information security plan and would necessarily vary significantly 
based on factors such as the financial institution's internal 
procedures, which officials within the financial institution have 
decision-making authority, how the financial institution communicates 
internally and externally, and the structure of the financial 
institution's information systems. Likewise, the proposed requirement 
for Qualified Individuals to produce annual reports under proposed 
Sec.  314.4(i) does not consist of answers to identical questions, as 
the content of these reports would vary considerably between financial 
institutions and Qualified Individuals are given flexibility in 
deciding what to include in the reports. Finally, the modification of 
the definition of ``financial institution'' to include ``activities 
incidental to financial activities,'' which brings finders within the 
scope of the Rule, does not constitute a ``collection of 
information'' and therefore does not trigger the PRA's requirements.

V. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
(IRFA) with a proposed Rule, or certify that the proposed Rule will not 
have a significant impact on a substantial number of small 
entities.\348\ The Commission published an Initial Regulatory 
Flexibility Analysis in order to inquire into the impact of the 
Proposed Rule on small entities. In response, the Commission received 
comments that argued the revision to the Safeguards Rule would be 
unduly burdensome for smaller financial institutions. The discussion 
below summarizes these comments and the Commission's response to them.
---------------------------------------------------------------------------

    \348\ 5 U.S.C. 603 et seq.
---------------------------------------------------------------------------

1. Description of the Reason for Agency Action

    The Commission issues these amendments to clarify the Safeguards 
Rule by including a definition of ``financial institution'' and related 
examples in the Safeguards Rule rather than incorporating them from the 
Privacy Rule by reference. The amendments also expand the definition of 
``financial institution'' in the Rule to include entities engaged in 
activities incidental to financial activities. This change would bring 
``finders'' within the scope of the Rule. This change harmonizes the 
Rule with other agencies' rules and requires finders that collect 
consumers' sensitive financial information to comply with the 
Safeguards Rule's process-based approach to protect that data.
    In addition, the amendments modify the Safeguards Rule to include 
more detailed requirements for the information security program 
required by the Rule.

2. Issues Raised by Comments in Response to the IRFA

    As stated above, the Commission received several comments that 
argued the revised Safeguards Rule would impose unduly heavy burdens on 
smaller businesses. The Small Business Administration's Office of 
Advocacy commented it was concerned the FTC had not gathered sufficient 
data as to either the costs or benefits of the proposed changes for 
small financial institutions. The FTC shares the Office of Advocacy's 
interest in ensuring regulatory changes have an evidentiary basis. Many 
of the questions on which the FTC sought public comment, both in the 
regulatory review and in the proposed rule context, specifically 
related to the costs and benefits of existing and proposed Rule 
requirements. Following the initial round of commenting, the Commission 
conducted the FTC Safeguards Workshop and solicited additional public 
comments with the explicit goal of gathering additional data relating 
to the costs and benefits of the proposed changes.\349\ As detailed 
throughout this document, the Commission believes there is a strong 
evidentiary basis for the issuance of the Final Rule.
---------------------------------------------------------------------------

    \349\ See Public Workshop Examining Information Security for 
Financial Institutions and Information Related to Changes to the 
Safeguards Rule, 85 FR 13082 (Mar. 6, 2020).
---------------------------------------------------------------------------

    The Office of Advocacy also argued the Proposed Rule's requirements 
were unduly prescriptive and should not be enacted as they apply to 
small businesses until the Commission can ``ascertain the quantitative 
impact on small entities.'' \350\ The Office of Advocacy, along with 
other commenters, argued the amendments taken together would create a 
large burden on smaller financial institutions. In particular, 
commenters pointed to the requirements that financial institutions 
appoint a chief information security officer, customer information be 
encrypted, financial institutions utilize multi-factor authentication, 
and financial institutions regularly update training programs. These 
comments and the Commission's response are discussed at length above. 
Most commenters did not provide any specific estimates of these 
expenses, but two commenters did provide a summary of their expected 
expenses.
---------------------------------------------------------------------------

    \350\ Small Business Administration Office of Advocacy (comment 
28, NPRM), at 6.
---------------------------------------------------------------------------

    As discussed in the document, the Commission believes any burden 
imposed by the revised Rule is substantially mitigated by the fact the 
Rule continues to be process-based, flexible, and based on the 
financial institution's size and complexity. In addition, the 
amendments exempt institutions that maintain information on fewer than 
5,000 consumers from certain requirements that require additional 
written product and might pose a greater burden on smaller entities. 
The Commission believes most of the entities covered by the exemption 
will be small businesses. Finally, the Commission believes all 
financial institutions, including small businesses, that comply with 
the current Safeguards Rule will already be in compliance with most of 
the new provisions of the revised Rule as part of their current 
information security program.
    In addition, in response to the comments concerned about the burden 
of the amendments, the Commission extended the effective date from six 
months after the publication of the Final Rule to one year after the 
publication to allow financial institutions additional time to come 
into compliance with the revised Rule. In addition, in response to 
comments that argued hiring a chief information security officer would 
be prohibitively expensive for small financial institutions, the 
Commission amended the rule to clarify such an employee was not 
required for all financial institutions. The Final Rule is modified to 
clarify a financial institution need only appoint an individual who is 
qualified to coordinate its information security program, and those 
qualifications will vary based on the complexity of the program and 
size and nature of the

[[Page 70303]]

financial institution. The Commission also clarified employee training 
programs need to be updated only as necessary, to respond to a comment 
regular updating would be difficult for smaller financial institutions.

3. Estimate of Number of Small Entities to Which the Amendments Will 
Apply

    As previously discussed in the IRFA, determining a precise estimate 
of the number of small entities \351\--including newly covered entities 
under the modified definition of financial institution--is not readily 
feasible. Financial institutions already covered by the Rule as 
originally promulgated include lenders, financial advisors, loan 
brokers and servicers, collection agencies, tax 
preparers, and real estate settlement services, to the extent they have 
``customer information'' within the meaning of the Rule. Finders are 
also covered under the Final Rule. However, it is not known whether any 
finders are small entities, and if so, how many there are. The 
Commission requested comment and information on the number of 
``finders'' that would be covered by the Rule's modified definition of 
``financial institution,'' and how many of those finders, if any, are 
small entities. The Commission received no comments that addressed this 
question.
---------------------------------------------------------------------------

    \351\ The U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (``NAICS'') are generally expressed in 
either millions of dollars or number of employees. A size standard 
is the largest a business can be and still qualify as a small 
business for Federal Government programs. For the most part, size 
standards are the annual receipts or the average employment of a 
firm. Depending on the nature of the financial services an 
institution provides, the size standard varies. By way of example, 
mortgage and nonmortgage loan brokers (NAICS code 522310) are 
classified as small if their annual receipts are $8.0 million or 
less. Consumer lending institutions (NAICS code 522291) are 
classified as small if their annual receipts are $41.5 million or 
less. Commercial banking and savings institutions (NAICS codes 
522110 and 522120) are classified as small if their assets are $600 
million or less. Assets are determined by averaging the assets 
reported on businesses' four quarterly financial statements for the 
preceding year. The 2019 Table of Small Business Size Standards is 
available at https://www.sba.gov/sites/default/files/2019-08/SBA%20Table%20of%20Size%20Standards_Effective%20Aug%2019%2C%202019_Rev.pdf.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The Rule does not impose any reporting or any specific 
recordkeeping requirements as discussed earlier. See supra Section IV 
(Paperwork Reduction Act). With regard to other compliance 
requirements, the addition of definitions and examples from the Privacy 
Rule is not expected to have an impact on covered financial 
institutions, including those that may be small entities. (The 
preceding section of this analysis discusses classes of covered 
financial institutions that may qualify as small entities.) The 
addition of ``finders'' to the definition of financial institutions 
imposes the obligations of the Rule on entities that engage in 
``finding'' activity and also collect customer information.
    The addition of more detailed requirements may require some 
financial institutions to perform additional risk assessments or 
monitoring, or to create additional safeguards as set forth in the 
Proposed Rule. These obligations may require institutions to retain 
employees or third-party service providers with skills in information 
security, but, as discussed above, the Commission believes most 
financial institutions will have already complied with many parts of 
the Rule as part of their information security programs required under 
the existing Rule. There may be additional related compliance costs 
(e.g., legal, new equipment or systems, modifications to policies or 
procedures), but, as discussed above, the Commission believes these are 
limited by several factors, including the flexibility of the Rule, the 
existing safeguards in place to comply with the existing Rule, and the 
exemption for financial institutions that maintain less consumer 
information.
    Although two commenters provided summaries of the expected expenses 
for some financial institutions to comply with the Rule, those 
estimates did not provide sufficient detail to fully evaluate whether 
they were accurate or representative of other financial institutions 
and appeared to be based, at least in part, on a misunderstanding of 
the requirement to appoint a Qualified Individual. The Commission 
believes, for most smaller financial institutions, there are very low-
cost solutions for any additional duties imposed by the Final Rule. 
This view is supported by the comments of several experts at the 
Safeguards Rule Workshop.\352\
---------------------------------------------------------------------------

    \352\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop 
Tr., supra note 17, at 78 (describing virtual CISO services); 
Remarks of Matthew Green, Safeguards Workshop Tr., supra note 17, at 225 
(noting website usage of encryption for data in motion is above 80 
percent; ``Let's Encrypt'' provides free TLS certificates; and costs 
have gone down to the point that if a financial institution is not 
using TLS encryption for data in motion, it is making an unusual 
decision outside the norm); Remarks of Rocio Baeza, Safeguards Workshop Tr., 
supra note 17, at 106 (``[T]he encryption of data in transit has 
been standard. There's no pushback with that.''); Slides 
Accompanying the Remarks of Lee Waters, ``Information Security 
Programs and Smaller Businesses,'' in Safeguards Workshop Slides, 
supra note 72, at 26 (``Estimated Costs of Proposed Changes,'' 
estimating costs of multi-factor authentication to be $50 for 
smartcard or fingerprint readers, and $10 each per smartcard); 
Slides Accompanying Remarks of Wendy Nather, Safeguards Workshop 
Slides, supra note 72, at 37 (chart showing the use of multi-factor 
authentication solutions such as Duo Push, phone call, mobile 
passcode, SMS passcode, hardware token, Yubikey passcode, and U2F 
token in industries such as financial services and higher 
education).
---------------------------------------------------------------------------

    The Commission believes the protection of consumers' financial 
information is of the utmost importance and the cost of the safeguards 
required to provide that protection is justified and necessary. The 
Commission carefully balanced the cost of these requirements with the 
need to protect consumer information and has made every effort to 
ensure the Final Rule retains flexibility so financial institutions can 
tailor information security programs to the size and complexity of the 
financial institution, the nature and scope of its activities, and the 
sensitivity of any customer information at issue.

5. Description of Steps Taken To Minimize Significant Economic Impact, 
if Any, on Small Entities, Including Alternatives

    The standards in the Final Rule allow a small financial institution 
to develop an information security program appropriate to its size and 
complexity, the nature and scope of its activities, and the sensitivity 
of any customer information at issue. The amendments include certain 
design standards (e.g., a company must implement encryption, 
authentication, and incident response) in the Rule, in addition to the 
performance standards (reasonable security) the Rule currently uses. As 
discussed, while these design standards may introduce some additional 
burden, the Commission believes many financial institutions' existing 
information security programs already meet most of these requirements. 
In addition, the requirements in the Final Rule, like those in the 
existing Rule, are designed to allow financial institutions flexibility 
in how and whether they should be implemented. For example, the 
requirement encryption be used to protect customer information in 
transit and at rest may be met with effective alternative compensating 
controls if encryption is infeasible for a given financial institution.
    In addition, the amendments exempt financial institutions that 
maintain relatively small amounts of customer information from certain 
requirements of the Final Rule. The exemptions would apply to financial 
institutions that maintain customer information

[[Page 70304]]

concerning fewer than 5,000 consumers. The Commission believes 
exempted financial institutions are generally, but not exclusively, 
small entities. Such financial institutions are not required to perform 
a written risk assessment, conduct continuous monitoring or annual 
penetration testing and semiannual vulnerability assessments, prepare a 
written incident response plan, or prepare an annual written report by 
the Qualified Individual. These exemptions are intended to reduce the 
burden on smaller financial institutions. The Commission believes the 
obligations subject to these exemptions are the ones most likely to 
cause undue burden on smaller financial institutions.
    Exempted financial institutions will still need to conduct risk 
assessments, design and implement a written information security 
program with the required elements, utilize qualified information 
security personnel and train employees, monitor activity of authorized 
users, oversee service providers, and evaluate and adjust their 
information security program. These are core obligations under the Rule 
any financial institution that collects customer information must meet, 
regardless of size.
    The Commission considered allowing compliance with a third-party 
data security standard, such as the NIST framework, to act as a safe 
harbor for compliance with the Rule. The Commission, however, 
determined any reduction of burden created by allowing such safe 
harbors is offset by issues they would cause. For example, such safe 
harbors would require the Commission to monitor the third-party 
standard or standards to determine whether they continued to align with 
the Safeguards Rule. In addition, the Commission would still have to 
investigate a company's compliance with the outside standard in any 
enforcement action. The Commission also does not agree compliance with 
an outside standard is likely to be less burdensome than complying with 
the Safeguards Rule itself.

VI. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Office of Information and Regulatory Affairs designated this rule 
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 314

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission amends 
16 CFR part 314 as follows:

PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

■ 1. The authority citation for part 314 continues to read as follows:

    Authority: 15 U.S.C. 6801(b), 6805(b)(2).


■ 2. In Sec.  314.1, revise paragraph (b) to read as follows:


Sec.  314.1   Purpose and scope.

* * * * *
    (b) Scope. This part applies to the handling of customer 
information by all financial institutions over which the Federal Trade 
Commission (``FTC'' or ``Commission'') has jurisdiction. Namely, this 
part applies to those ``financial institutions'' over which the 
Commission has rulemaking authority pursuant to section 501(b) of the 
Gramm-Leach-Bliley Act. An entity is a ``financial institution'' if its 
business is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which 
incorporates activities enumerated by the Federal Reserve Board in 12 
CFR 225.28 and 225.86. The ``financial institutions'' subject to the 
Commission's enforcement authority are those that are not otherwise 
subject to the enforcement authority of another regulator under section 
505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically, 
those entities include, but are not limited to, mortgage lenders, ``pay 
day'' lenders, finance companies, mortgage brokers, account servicers, 
check cashers, wire transferors, travel agencies operated in connection 
with financial services, collection agencies, credit counselors and 
other financial advisors, tax preparation firms, non-federally insured 
credit unions, investment advisors that are not required to register 
with the Securities and Exchange Commission, and entities acting as 
finders. They are referred to in this part as ``You.'' This part 
applies to all customer information in your possession, regardless of 
whether such information pertains to individuals with whom you have a 
customer relationship, or pertains to the customers of other financial 
institutions that have provided such information to you.

■ 3. Revise § 314.2 to read as follows:


§ 314.2   Definitions.

    (a) Authorized user means any employee, contractor, agent, 
customer, or other person that is authorized to access any of your 
information systems or data.
    (b)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) For example:
    (i) An individual who applies to you for credit for personal, 
family, or household purposes is a consumer of a financial service, 
regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) An individual who provides nonpublic personal information to 
you in connection with obtaining or seeking to obtain financial, 
investment, or economic advisory services is a consumer, regardless of 
whether you establish a continuing advisory relationship.
    (iv) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (v) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (vi) An individual is not your consumer solely because he or she 
has designated you as trustee for a trust.
    (vii) An individual is not your consumer solely because he or she 
is a beneficiary of a trust for which you are a trustee.
    (viii) An individual is not your consumer solely because he or she 
is a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
    (c) Customer means a consumer who has a customer relationship with 
you.
    (d) Customer information means any record containing nonpublic 
personal information about a customer of a financial institution, 
whether in paper, electronic, or other form, that is handled or 
maintained by or on behalf of you or your affiliates.
    (e)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) For example:
    (i) Continuing relationship. A consumer has a continuing 
relationship with you if the consumer:
    (A) Has a credit or investment account with you;
    (B) Obtains a loan from you;
    (C) Purchases an insurance product from you;
    (D) Holds an investment product through you, such as when you act 
as a custodian for securities or for assets in an Individual Retirement 
Arrangement;
    (E) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan, or credit to 
purchase a vehicle, for the consumer;
    (F) Enters into a lease of personal property on a non-operating 
basis with you;
    (G) Obtains financial, investment, or economic advisory services 
from you for a fee;
    (H) Becomes your client for the purpose of obtaining tax 
preparation or credit counseling services from you;
    (I) Obtains career counseling while seeking employment with a 
financial institution or the finance, accounting, or audit department 
of any company (or while employed by such a financial institution or 
department of any company);
    (J) Is obligated on an account that you purchase from another 
financial institution, regardless of whether the account is in default 
when purchased, unless you do not locate the consumer or attempt to 
collect any amount from the consumer on the account;
    (K) Obtains real estate settlement services from you; or
    (L) Has a loan for which you own the servicing rights.
    (ii) No continuing relationship. A consumer does not, however, have 
a continuing relationship with you if:
    (A) The consumer obtains a financial product or service from you 
only in isolated transactions, such as using your ATM to withdraw cash 
from an account at another financial institution; purchasing a money 
order from you; cashing a check with you; or making a wire transfer 
through you;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan;
    (C) You sell the consumer airline tickets, travel insurance, or 
traveler's checks in isolated transactions;
    (D) The consumer obtains one-time personal or real property 
appraisal services from you; or
    (E) The consumer purchases checks for a personal checking account 
from you.
    (f) Encryption means the transformation of data into a form that 
results in a low probability of assigning meaning without the use of a 
protective process or key, consistent with current cryptographic 
standards and accompanied by appropriate safeguards for cryptographic 
key material.
    (g)(1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in a financial 
activity under section 4(k) of the Bank Holding Company Act of 1956 (12 
U.S.C. 1843(k)).
    (2) Financial service includes your evaluation or brokerage of 
information that you collect in connection with a request or an 
application from a consumer for a financial product or service.
    (h)(1) Financial institution means any institution the business of 
which is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution 
that is significantly engaged in financial activities, or significantly 
engaged in activities incidental to such financial activities, is a 
financial institution.
    (2) Examples of financial institutions are as follows:
    (i) A retailer that extends credit by issuing its own credit card 
directly to consumers is a financial institution because extending 
credit is a financial activity listed in 12 CFR 225.28(b)(1) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act of 
1956 (12 U.S.C. 1843(k)(4)(F)), and issuing that extension of credit 
through a proprietary credit card demonstrates that a retailer is 
significantly engaged in extending credit.
    (ii) An automobile dealership that, as a usual part of its 
business, leases automobiles on a nonoperating basis for longer than 90 
days is a financial institution with respect to its leasing business 
because leasing personal property on a nonoperating basis where the 
initial term of the lease is at least 90 days is a financial activity 
listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of 
the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
    (iii) A personal property or real estate appraiser is a financial 
institution because real and personal property appraisal is a financial 
activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 
4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
    (iv) A career counselor that specializes in providing career 
counseling services to individuals currently employed by or recently 
displaced from a financial organization, individuals who are seeking 
employment with a financial organization, or individuals who are 
currently employed by or seeking placement with the finance, accounting 
or audit departments of any company is a financial institution because 
such career counseling activities are financial activities listed in 12 
CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank 
Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
    (v) A business that prints and sells checks for consumers, either 
as its sole business or as one of its product lines, is a financial 
institution because printing and selling checks is a financial activity 
that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section 
4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
    (vi) A business that regularly wires money to and from consumers is 
a financial institution because transferring money is a financial 
activity referenced in section 4(k)(4)(A) of the Bank Holding Company 
Act, 12 U.S.C. 1843(k)(4)(A), and regularly providing that service 
demonstrates that the business is significantly engaged in that 
activity.
    (vii) A check cashing business is a financial institution because 
cashing a check is exchanging money, which is a financial activity 
listed in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 
1843(k)(4)(A).
    (viii) An accountant or other tax preparation service that is in 
the business of completing income tax returns is a financial 
institution because tax preparation services is a financial activity 
listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) 
of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).
    (ix) A business that operates a travel agency in connection with 
financial services is a financial institution because operating a 
travel agency in connection with financial services is a financial 
activity listed in 12 CFR 225.86(b)(2) and referenced in section 
4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).
    (x) An entity that provides real estate settlement services is a 
financial institution because providing real estate settlement services 
is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and 
referenced in section 
4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
    (xi) A mortgage broker is a financial institution because brokering 
loans is a financial activity listed in 12 CFR 225.28(b)(1) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 
U.S.C. 1843(k)(4)(F).
    (xii) An investment advisory company and a credit counseling 
service are each financial institutions because providing financial and 
investment advisory services are financial activities referenced in 
section 4(k)(4)(C) of the Bank Holding Company Act, 12 U.S.C. 
1843(k)(4)(C).
    (xiii) A company acting as a finder in bringing together one or 
more buyers and sellers of any product or service for transactions that 
the parties themselves negotiate and consummate is a financial 
institution because acting as a finder is an activity that is financial 
in nature or incidental to a financial activity listed in 12 CFR 
225.86(d)(1).
    (3) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.);
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party other than as permitted by 
§§ 313.14 and 313.15; or
    (iv) Entities that engage in financial activities but that are not 
significantly engaged in those financial activities, and entities that 
engage in activities incidental to financial activities but that are 
not significantly engaged in activities incidental to financial 
activities.
    (4) Examples of entities that are not significantly engaged in 
financial activities are as follows:
    (i) A retailer is not a financial institution if its only means of 
extending credit are occasional ``lay away'' and deferred payment plans 
or accepting payment by means of credit cards issued by others.
    (ii) A retailer is not a financial institution merely because it 
accepts payment in the form of cash, checks, or credit cards that it 
did not issue.
    (iii) A merchant is not a financial institution merely because it 
allows an individual to ``run a tab.''
    (iv) A grocery store is not a financial institution merely because 
it allows individuals to whom it sells groceries to cash a check, or 
write a check for a higher amount than the grocery purchase and obtain 
cash in return.
    (i) Information security program means the administrative, 
technical, or physical safeguards you use to access, collect, 
distribute, process, protect, store, use, transmit, dispose of, or 
otherwise handle customer information.
    (j) Information system means a discrete set of electronic 
information resources organized for the collection, processing, 
maintenance, use, sharing, dissemination or disposition of electronic 
information containing customer information or connected to a system 
containing customer information, as well as any specialized system such 
as industrial/process controls systems, telephone switching and private 
branch exchange systems, and environmental controls systems that 
contains customer information or that is connected to a system that 
contains customer information.
    (k) Multi-factor authentication means authentication through 
verification of at least two of the following types of authentication 
factors:
    (1) Knowledge factors, such as a password;
    (2) Possession factors, such as a token; or
    (3) Inherence factors, such as biometric characteristics.
    (l)(1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information that is not 
publicly available.
    (2) Nonpublic personal information does not include:
    (i) Publicly available information, except as included on a list 
described in paragraph (l)(1)(ii) of this section; or
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
without using any personally identifiable financial information that is 
not publicly available.
    (3) For example:
    (i) Nonpublic personal information includes any list of 
individuals' names and street addresses that is derived in whole or in 
part using personally identifiable financial information (that is not 
publicly available), such as account numbers.
    (ii) Nonpublic personal information does not include any list of 
individuals' names and addresses that contains only publicly available 
information, is not derived, in whole or in part, using personally 
identifiable financial information that is not publicly available, and 
is not disclosed in a manner that indicates that any of the individuals 
on the list is a consumer of a financial institution.
    (m) Penetration testing means a test methodology in which assessors 
attempt to circumvent or defeat the security features of an information 
system by attempting penetration of databases or controls from outside 
or inside your information systems.
    (n)(1) Personally identifiable financial information means any 
information:
    (i) A consumer provides to you to obtain a financial product or 
service from you;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer.
    (2) For example:
    (i) Information included. Personally identifiable financial 
information includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, or other financial product or service;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you;
    (D) Any information about your consumer if it is disclosed in a 
manner that indicates that the individual is or has been your consumer;
    (E) Any information that a consumer provides to you or that you or 
your agent otherwise obtain in connection with collecting on, or 
servicing, a credit account;
    (F) Any information you collect through an internet ``cookie'' (an 
information collecting device from a web server); and
    (G) Information from a consumer report.
    (ii) Information not included. Personally identifiable financial 
information does not include:
    (A) A list of names and addresses of customers of an entity that is 
not a financial institution; and
    (B) Information that does not identify a consumer, such as 
aggregate information or blind data that does not contain personal 
identifiers such as account numbers, names, or addresses.
    (o)(1) Publicly available information means any information that 
you have a reasonable basis to believe is lawfully made available to 
the general public from:
    (i) Federal, State, or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State, or local law.
    (2) You have a reasonable basis to believe that information is 
lawfully made available to the general public if you have taken steps 
to determine:
    (i) That the information is of the type that is available to the 
general public; and
    (ii) Whether an individual can direct that the information not be 
made available to the general public and, if so, that your consumer has 
not done so.
    (3) For example:
    (i) Government records. Publicly available information in 
government records includes information in government real estate 
records and security interest filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper, or a website that is 
available to the general public on an unrestricted basis. A website is 
not restricted merely because an internet service provider or a site 
operator requires a fee or a password, so long as access is available 
to the general public.
    (iii) Reasonable basis. (A) You have a reasonable basis to believe 
that mortgage information is lawfully made available to the general 
public if you have determined that the information is of the type 
included on the public record in the jurisdiction where the mortgage 
would be recorded.
    (B) You have a reasonable basis to believe that an individual's 
telephone number is lawfully made available to the general public if 
you have located the telephone number in the telephone book or the 
consumer has informed you that the telephone number is not unlisted.
    (p) Security event means an event resulting in unauthorized access 
to, or disruption or misuse of, an information system, information 
stored on such information system, or customer information held in 
physical form.
    (q) Service provider means any person or entity that receives, 
maintains, processes, or otherwise is permitted access to customer 
information through its provision of services directly to a financial 
institution that is subject to this part.
    (r) You includes each ``financial institution'' (but excludes any 
``other person'') over which the Commission has enforcement 
jurisdiction pursuant to section 505(a)(7) of the Gramm-Leach-Bliley 
Act.

■ 4. In § 314.3, revise paragraph (a) to read as follows:


§ 314.3   Standards for safeguarding customer information.

    (a) Information security program. You shall develop, implement, and 
maintain a comprehensive information security program that is written 
in one or more readily accessible parts and contains administrative, 
technical, and physical safeguards that are appropriate to your size 
and complexity, the nature and scope of your activities, and the 
sensitivity of any customer information at issue. The information 
security program shall include the elements set forth in § 314.4 
and shall be reasonably designed to achieve the objectives of this 
part, as set forth in paragraph (b) of this section.
* * * * *

■ 5. Revise § 314.4 to read as follows:


§ 314.4   Elements.

    In order to develop, implement, and maintain your information 
security program, you shall:
    (a) Designate a qualified individual responsible for overseeing and 
implementing your information security program and enforcing your 
information security program (for purposes of this part, ``Qualified 
Individual''). The Qualified Individual may be employed by you, an 
affiliate, or a service provider. To the extent the requirement in this 
paragraph (a) is met using a service provider or an affiliate, you 
shall:
    (1) Retain responsibility for compliance with this part;
    (2) Designate a senior member of your personnel responsible for 
direction and oversight of the Qualified Individual; and
    (3) Require the service provider or affiliate to maintain an 
information security program that protects you in accordance with the 
requirements of this part.
    (b) Base your information security program on a risk assessment 
that identifies reasonably foreseeable internal and external risks to 
the security, confidentiality, and integrity of customer information 
that could result in the unauthorized disclosure, misuse, alteration, 
destruction, or other compromise of such information, and assesses the 
sufficiency of any safeguards in place to control these risks.
    (1) The risk assessment shall be written and shall include:
    (i) Criteria for the evaluation and categorization of identified 
security risks or threats you face;
    (ii) Criteria for the assessment of the confidentiality, integrity, 
and availability of your information systems and customer information, 
including the adequacy of the existing controls in the context of the 
identified risks or threats you face; and
    (iii) Requirements describing how identified risks will be 
mitigated or accepted based on the risk assessment and how the 
information security program will address the risks.
    (2) You shall periodically perform additional risk assessments that 
reexamine the reasonably foreseeable internal and external risks to the 
security, confidentiality, and integrity of customer information that 
could result in the unauthorized disclosure, misuse, alteration, 
destruction, or other compromise of such information, and reassess the 
sufficiency of any safeguards in place to control these risks.
    (c) Design and implement safeguards to control the risks you 
identify through risk assessment, including by:
    (1) Implementing and periodically reviewing access controls, 
including technical and, as appropriate, physical controls to:
    (i) Authenticate and permit access only to authorized users to 
protect against the unauthorized acquisition of customer information; 
and
    (ii) Limit authorized users' access only to customer information 
that they need to perform their duties and functions, or, in the case 
of customers, to access their own information;
    (2) Identify and manage the data, personnel, devices, systems, and 
facilities that enable you to achieve business purposes in accordance 
with their relative importance to business objectives and your risk 
strategy;
    (3) Protect by encryption all customer information held or 
transmitted by you both in transit over external networks and at rest. 
To the extent you determine that encryption of customer information, 
either in transit over external networks or at rest, is infeasible, you 
may instead secure such customer information using effective 
alternative compensating controls reviewed and approved by your 
Qualified Individual;
    (4) Adopt secure development practices for in-house developed 
applications utilized by you for transmitting, accessing, or storing 
customer information and procedures for evaluating, assessing, or 
testing the security of externally developed applications you utilize 
to transmit, access, or store customer information;
    (5) Implement multi-factor authentication for any individual 
accessing any information system, unless your Qualified Individual has 
approved in writing the use of reasonably equivalent or more secure 
access controls;
    (6)(i) Develop, implement, and maintain procedures for the secure 
disposal of customer information in any format no later than two years 
after the last date the information is used in connection with the 
provision of a product or service to the customer to which it relates, 
unless such information is necessary for business operations or for 
other legitimate business purposes, is otherwise required to be 
retained by law or regulation, or where targeted disposal is not 
reasonably feasible due to the manner in which the information is 
maintained; and
    (ii) Periodically review your data retention policy to minimize the 
unnecessary retention of data;
    (7) Adopt procedures for change management; and
    (8) Implement policies, procedures, and controls designed to 
monitor and log the activity of authorized users and detect 
unauthorized access or use of, or tampering with, customer information 
by such users.
    (d)(1) Regularly test or otherwise monitor the effectiveness of the 
safeguards' key controls, systems, and procedures, including those to 
detect actual and attempted attacks on, or intrusions into, information 
systems.
    (2) For information systems, the monitoring and testing shall 
include continuous monitoring or periodic penetration testing and 
vulnerability assessments. Absent effective continuous monitoring or 
other systems to detect, on an ongoing basis, changes in information 
systems that may create vulnerabilities, you shall conduct:
    (i) Annual penetration testing of your information systems 
determined each given year based on relevant identified risks in 
accordance with the risk assessment; and
    (ii) Vulnerability assessments, including any systemic scans or 
reviews of information systems reasonably designed to identify publicly 
known security vulnerabilities in your information systems based on the 
risk assessment, at least every six months; and whenever there are 
material changes to your operations or business arrangements; and 
whenever there are circumstances you know or have reason to know may 
have a material impact on your information security program.
    (e) Implement policies and procedures to ensure that personnel are 
able to enact your information security program by:
    (1) Providing your personnel with security awareness training that 
is updated as necessary to reflect risks identified by the risk 
assessment;
    (2) Utilizing qualified information security personnel employed by 
you or an affiliate or service provider sufficient to manage your 
information security risks and to perform or oversee the information 
security program;
    (3) Providing information security personnel with security updates 
and training sufficient to address relevant security risks; and
    (4) Verifying that key information security personnel take steps to 
maintain current knowledge of changing information security threats and 
countermeasures.
    (f) Oversee service providers, by:
    (1) Taking reasonable steps to select and retain service providers 
that are capable of maintaining appropriate safeguards for the customer 
information at issue;
    (2) Requiring your service providers by contract to implement and 
maintain such safeguards; and
    (3) Periodically assessing your service providers based on the risk 
they present and the continued adequacy of their safeguards.
    (g) Evaluate and adjust your information security program in light 
of the results of the testing and monitoring required by paragraph (d) 
of this section; any material changes to your operations or business 
arrangements; the results of risk assessments performed under paragraph 
(b)(2) of this section; or any other circumstances that you know or 
have reason to know may have a material impact on your information 
security program.
    (h) Establish a written incident response plan designed to promptly 
respond to, and recover from, any security event materially affecting 
the confidentiality, integrity, or availability of customer information 
in your control. Such incident response plan shall address the 
following areas:
    (1) The goals of the incident response plan;
    (2) The internal processes for responding to a security event;
    (3) The definition of clear roles, responsibilities, and levels of 
decision-making authority;
    (4) External and internal communications and information sharing;
    (5) Identification of requirements for the remediation of any 
identified weaknesses in information systems and associated controls;
    (6) Documentation and reporting regarding security events and 
related incident response activities; and
    (7) The evaluation and revision as necessary of the incident 
response plan following a security event.
    (i) Require your Qualified Individual to report in writing, 
regularly and at least annually, to your board of directors or 
equivalent governing body. If no such board of directors or equivalent 
governing body exists, such report shall be timely presented to a 
senior officer responsible for your information security program. The 
report shall include the following information:
    (1) The overall status of the information security program and your 
compliance with this part; and
    (2) Material matters related to the information security program, 
addressing issues such as risk assessment, risk management and control 
decisions, service provider arrangements, results of testing, security 
events or violations and management's responses thereto, and 
recommendations for changes in the information security program.

■ 6. Revise Sec.  314.5 to read as follows:


Sec.  314.5   Effective date.

    Section 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), 
(h), and (i) are effective as of December 9, 2022.

■ 7. Add Sec.  314.6 to read as follows:


Sec.  314.6   Exceptions.

    Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial 
institutions that maintain customer information concerning fewer than 
five thousand consumers.

    By direction of the Commission, Commissioners Phillips and 
Wilson dissenting.
April Tabor,
Secretary.

    Note: The following appendix will not appear in the Code of 
Federal Regulations.

Appendix--Statements Issued on October 27, 2021

Statement of Chair Lina M. Khan Joined by Commissioner Rebecca Kelly 
Slaughter Regarding Regulatory Review of the Safeguards Rule

    Today the FTC is significantly strengthening the Safeguards 
Rule,\1\ first promulgated by the FTC twenty years ago pursuant to a 
Congressional directive to protect personal information that is 
stored by financial institutions. This revamping--the first time in 
the Rule's history--is sorely needed. In the twenty years since the 
Rule was first issued, the complexity of information security has 
increased drastically, the use of computer networks in every aspect 
of life has expanded exponentially, and, most notably, an unending 
chain of damaging data breaches caused by inadequate security has 
cost Americans heavily.\2\ The amendments adopted today require 
financial institutions to develop information security programs that 
can meet the challenges of today's security environment.
---------------------------------------------------------------------------

    \1\ 16 CFR part 314. Pursuant to the Gramm Leach Bliley Act 
(``GLB'' or ``GLBA''), Public Law 106-102, 113 Stat. 1338 (1999) 
(codified as amended in scattered sections of 12 and 15 U.S.C.), the 
Commission promulgated the Safeguards Rule in 2001.
    \2\ See, e.g., 2020 Internet Crime Report, Fed. Bur. 
Investigations, at 20 (Mar. 2021) (reporting consumer loss of over 
$128 million resulting from corporate data breaches to those who 
filed complaints in 2020 alone); Int'l Bus. Mach., Cost of a Data 
Breach, at 4 (2021) (estimating that the average cost of single data 
breach has risen to $4.24 million).
---------------------------------------------------------------------------

    For Americans, the harms stemming from the types of security 
vulnerabilities that this Rule addresses are all too real. Victims 
of breaches have their most sensitive information exposed, making 
them more vulnerable to identity theft, phishing attacks, and other 
forms of fraud.\3\ In 2018, almost 10 percent of Americans suffered 
some form of identity theft, costing many of them hundreds of 
dollars and dozens of hours of time, an experience that many 
describe as distressing.\4\ For some, the cost is much higher, with 
victims losing tens of thousands of dollars.\5\
---------------------------------------------------------------------------

    \3\ 2013 Identity Fraud Report: Data Breaches Becoming a 
Treasure Trove for Fraudsters, Javelin Strategy, at 1 (Feb. 2013) 
(reporting that 1 in 4 recipients of a data breach notification 
become victims of identity theft); Michelle Singletary, Your online 
profile may help identity thieves, Washington Post (Feb. 28, 2012), 
https://www.washingtonpost.com/business/economy/michelle-singletary-your-online-profile-may-help-identity-thieves/2012/02/28/gIQAXFjygR_story.html (reporting that recipients of data breach 
letters are 9.5% more likely to suffer identity theft).
    \4\ See Erika Harrell, Victims of Identity Theft, 2018, U.S. 
Dep't of Just., at 1 (Apr. 2021), https://bjs.ojp.gov/content/pub/pdf/vit18.pdf.
    \5\ See 2021 Consumer Aftermath Report, Identity Theft Resource 
Center (2021), at 6 (finding that in a study of 427 identity crime 
victims, 21% of them suffered losses of over $20,000).
---------------------------------------------------------------------------

    The Rule amendments the FTC is issuing today are strongly 
supported by the evidence in the record.\6\ The evidence gathered 
from information security experts, industry associations, and 
consumer groups--those with hands-on experience in the area and 
knowledge of the field--decisively shows that the amendments are 
necessary. Of course, all of this information supplements the 
experience that Commission staff has obtained over twenty years of 
enforcing the Rule, and gained through investigations of companies' 
data security practices under the FTC's deception and unfairness 
authority.
---------------------------------------------------------------------------

    \6\ The Commission first sought public comments on the proposed 
amendments in April 2019. See Privacy of Consumer Financial 
Information Rule Under the Gramm-Leach-Bliley Act, 84 FR 13150; 
Standards for Safeguarding Customer Information, 84 FR 13158 (April 
4, 2019). The agency received almost 50 comments from consumer 
groups, industry associations, and data security experts. See FTC 
Seeks Comment on Proposed Amendments to Safeguards and Privacy 
Rules, 16 CFR part 314, Project No. P145407, (FTC-2019-0019) (``2019 
Safeguards and Privacy NPRM''), https://www.regulations.gov/docket/FTC-2019-0019/document. Further, the Commission conducted a workshop 
discussing the proposed amendments with information security 
professionals and experts, including IT staff from financial 
institutions covered by the Safeguards Rule. See Transcript, 
Information Security and Financial Institutions: An FTC Workshop to 
Examine Safeguards Rule, Fed. Trade Comm'n (July 13, 2020) 
(``Safeguards Workshop''), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf. Connected with the workshop, the Commission sought and 
received another round of public comments on the amendments. The 
eleven relevant public comments relating to the subject matter of 
the July 13, 2020, workshop can be found here: Postponement of 
Public Workshop Related to Proposed Changes to the Safeguards Rule, 
85 FR 23354 (FTC-2020-0038) (Apr. 27, 2020) (``Workshop Comment 
Docket''), https://www.regulations.gov/document/FTC-2020-0038-0001.
---------------------------------------------------------------------------

    The dissent's conclusion that these amendments are unnecessary 
is belied by both the reality of rampant data security breaches as 
well as the robust evidentiary record. The recent history of major 
data breaches affecting millions of consumers shows that more needs 
to be done to protect consumers' sensitive information. Despite the 
increasing sophistication of cyberattacks, many businesses continue 
to offer inadequate security.\7\ In particular, the massive Equifax 
breach, which the FTC alleged was caused by inadequate data security 
that could have been easily corrected by the company, is a glaring 
example of how a financial institution's lax security practices can 
have devastating consequences for Americans.\8\ The dissent's 
suggestion that our current framework is sufficient falls flat in 
the face of such a stark example of the harm that can arise from 
avoidable lax security practices by covered financial institutions. 
Moreover, the dissent's complaint that the rule is also informed by 
evidence arising from breaches and practices occurring in other 
types of industries misses the mark. Not only is there substantial 
evidence in the rulemaking record clearly illustrating security 
lapses of financial institutions that are covered by the Rule,\9\ 
but the implication that we shouldn't use our broader knowledge of 
common security pitfalls is unwise.
---------------------------------------------------------------------------

    \7\ See, e.g., Electronic Privacy Information Center, Comment 
Letter No. 55 on 2019 Safeguards and Privacy NPRM (FTC-2019-0019), 
at 3 (Aug. 1, 2019) (citing dramatic increase in data breaches at 
financial services firms affecting millions of consumers), https://www.regulations.gov/comment/FTC-2019-0019-0055; Consumer Reports, 
Comment Letter No. 52 on 2019 Safeguards and Privacy NPRM (FTC-2019-
0019) (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0052 (noting several high profile data breaches at financial 
institutions as evidence for the need for stronger regulation); 
Inpher, Inc., Comment Letter No. 50 on 2019 Safeguards and Privacy 
NPRM (FTC-2019-0019), at 1 (Aug. 1, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0050 (pointing to major 
breaches at financial institutions as evidence for the need of 
stronger security regulations); Independent Community Bankers of 
America, Comment Letter No. 35 on 2019 Safeguards and Privacy NPRM 
(FTC-2019-0019) (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0035 (noting that FTC-regulated financial institutions 
are subject to less stringent security requirements than those 
regulated by banking agencies, even though many handle the same 
types of information as those financial institutions); National 
Consumer Law Center et al., Comment Letter No. 58 on 2019 Safeguards 
and Privacy NPRM (FTC-2019-0019) (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0058 (arguing that the 
recent Equifax breach showed the need for strengthening the 
Safeguards Rule); Cisco Systems, Inc., Comment Letter No. 51 on 2019 
Safeguards and Privacy NPRM (FTC-2019-0019) (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0051 (noting that 
sophisticated hacking techniques used in state sponsored attacks are 
likely to be adopted by ``more garden variety, less sophisticated 
hackers.''); Safeguards Workshop, at 24-26 (July 13, 2020) (remarks 
of Chris Cronin) (stating that many companies do not conduct 
complete or adequate risk assessments). Id. at 38-39 (remarks of 
Serge Jorgensen) (noting that businesses' understanding of the need 
for security has improved, but that they continue to struggle to 
implement controls across business units). Id. at 39-41 (remarks of 
Chris Cronin) (stating that, ``as a rule,'' businesses of all sizes 
are ``behind'' on cybersecurity, attributing this in part to 
consultants whose advice about reasonable security is motivated by a 
desire to ``make the clients happy''). Id. at 43 (remarks of Pablo 
Molina) (citing ``the mounting losses that come from cybercrime'' as 
evidence that many businesses are ``falling behind'' 
cybercriminals). Id. at 114 (remarks of Brian McManamon) (noting 
that ``the proposed changes are the minimum necessary to have an 
effective security program in place.''). Id. at 44 (remarks of Sam 
Rubin) (noting that, in his experience, companies make significant 
investments in technical security measures but that investment in 
personnel to oversee and use those measures is ``a huge shortcoming 
that I'm seeing in the field.''); The Clearing House Association 
LLC, Comment Letter No. 49 on 2019 Safeguards and Privacy NPRM (FTC-
2019-0019), at 7-9 (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0049 (citing a 2018 study by the Center for 
Financial Inclusion that showed widespread data security failures 
among financial technology companies around the globe).
    \8\ Press Release, Fed. Trade Comm'n, Equifax to Pay $575 
Million as Part of Settlement with FTC, CFPB, and States Related to 
2017 Data Breach, (July 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.
    \9\ See infra, note 7.
---------------------------------------------------------------------------

    The record evidence also shows that the amendment's requirements 
track bedrock principles of data security and represent proven 
elements of effective data security programs that reduce the risk of 
breaches.\10\
The amended Rule requires that financial institutions' information 
security plans address such core concepts as controlling who is 
accessing their system,\11\ understanding their system,\12\ 
monitoring what users do in their system,\13\ and protecting the 
information contained in their system.\14\ More particularly, it 
also requires encryption of customer information and the use of 
multifactor authentication. Adopting these practices will reduce the 
chances of a breach occurring.
---------------------------------------------------------------------------

    \10\ See, e.g., for Single Qualified Individual Requirement: 
National Consumer Law Center et al., supra note 7, at 3 (arguing 
that a clear line of reporting with a single responsible individual 
could have prevented the Equifax consumer data breach); Safeguards 
Workshop, at 182-84 (remarks of Adrienne Allen) (stating that 
without a single responsible individual, information security staff 
``can fall into traps of each relying on someone else to make a hard 
call . . . [In a program without a single coordinator] issues can 
sometimes fall through the cracks.''). Id. at 184-85 (remarks of 
Michele Norin) (``I think it's extremely important to have a person 
in front of the information security program. I think that there are 
so many components to understand, to manage, to keep an eye on. I 
think it's difficult to do that if it's part of someone else's job. 
And so I found that it's extremely helpful to have a person in 
charge of that program just from a pure basic management perspective 
and understanding perspective.''); Risk Assessment Requirement: Id. 
at 25 (remarks of Chris Cronin) (stating that evaluating the 
likelihoods and impacts of potential security risks and evaluating 
existing controls is an important component of a risk assessment). 
Id. at 29-30 (remarks of Serge Jorgensen) (emphasizing the 
importance of risk assessments as tools for adjusting existing 
security measures to account for both current and future security 
threats); Encryption Requirement: Princeton University Center for 
Information Technology Policy, Comment Letter No. 54 on 2019 
Safeguards and Privacy NPRM (FTC-2019-0019), at 3 (Aug. 2, 2019), 
https://www.regulations.gov/document/FTC-2019-0019-0054 (noting the 
effectiveness of encryption); Inpher, Inc., supra note 7, at 4; 
Safeguards Workshop, at 225 (remarks of Matthew Green) (noting 
website usage of encryption is above 80 percent; ``Let's Encrypt'' 
provides free TLS certificates; and costs have gone down to the 
point that if a financial institution is not using TLS encryption 
for data in motion, it is making an unusual decision outside the 
norm). Id. at 106 (remarks of Rocio Baeza) (``[T]he encryption of 
data in transit has been standard. There's no pushback with 
that.''); Multifactor Authentication Requirement: Princeton 
University Center for Information Technology Policy, supra note 10, 
at 6-7; Electronic Privacy Information Center, supra, note 7, at 8; 
National Consumer Law Center et al., supra note 7, at 2; Safeguards 
Workshop, at 102 (remarks of Brian McManamon) (stating that his 
company TECH LOCK supports requiring multi-factor authentication for 
users connecting from internal networks). Id. at 266 (remarks of 
Matthew Green) (explaining that passwords are not enough of an 
authentication feature but when MFA is used and deployed, the 
defenders can win against attackers). Id. at 239 (describing how 
because smart phones have modern secure hardware processors, 
biometric sensors and readers built in, increasingly consumers can 
get the security they need through the devices they already have by 
storing cryptographic authentication keys on the devices and then 
using the phone to activate them); Incident Response Plan: Credit 
Union National Association, Comment Letter No. 30 on 2019 Safeguards 
and Privacy NPRM (FTC-2019-0019), at 2 (Aug. 1, 2019), https://www.regulations.gov/document/FTC-2019-0019-0030 (noting that an 
incident response plan ``helps ensure that an entity is prepared in 
case of an incident by planning how it will respond and what is 
required for the response.''). Consumer Reports, supra note 7, at 6 
(observing that ``a written incident response plan is an essential 
component of a good security system.''); HITRUST, Comment Letter No. 
18 on 2019 Safeguards and Privacy NPRM (FTC-2019-0019), at 2 (July 
1, 2019), https://www.regulations.gov/document/FTC-2019-0019-0018 
(commenting that incident response plans can help organizations ``to 
better allocate limited resources.''). Safeguards Workshop, at 52 
(remarks of Serge Jorgensen) (observing that a prompt response to an 
incident can prevent a ``threat actor running around in my 
environment for days, months, years, and able to access anything 
they want.''); Board Reporting Requirement: Workshop participants 
Adrienne Allen, Karthik Rangarajan, and Michele Norin each 
emphasized that such reporting can aid decision making. See 
Safeguards Workshop, at 201-09; see also Rocio Baeza, Comment Letter 
No. 12 on Workshop Comment Docket (FTC-2020-0038), at 3-8 (Aug. 12, 
2020), https://www.regulations.gov/comment/FTC-2020-0038-0012 
(supporting requirement and providing sample report form and 
compliance questionnaire); Juhee Kwon et al., The Association 
Between Top Management Involvement and Compensation and Information 
Security Breaches, J. L. Info. Sys., at 219-236 (2013) (``. . . the 
involvement of an IT executive decreases the probability of 
information security breach reports by about 35 percent . . .''); 
Julia L. Higgs et al., The Relationship Between Board-Level 
Technology Committees and Reported Security Breaches, J. L. Info. 
Sys., at 79-98 (2016) (``[A]s a technology committee becomes more 
established, its firm is not as likely to be breached. To obtain 
further evidence on the perceived value of a technology committee, 
this study uses a returns analysis and finds that the presence of a 
technology committee mitigates the negative abnormal stock returns 
arising from external breaches.'').
    \11\ 16 CFR 314.4(c)(1).
    \12\ 16 CFR 314.4(c)(2).
    \13\ 16 CFR 314.4(c)(8).
    \14\ 16 CFR 314.4(c)(3) and 314.4(c)(5).
---------------------------------------------------------------------------

    In fact, it is likely that the massive breach at Equifax could 
have been prevented or mitigated by adopting practices required by 
these amendments. For example, the Commission's complaint alleged 
that the vulnerability that led to the breach was not detected for 
four months because Equifax's automated vulnerability scanner was 
not configured to scan all of the networks in the system, something 
that could have been prevented if Equifax had performed an adequate 
inventory of its system as required by Sec.  314.4(c)(2) of the 
amended Rule.\15\ Equifax allegedly did not encrypt the data of 145 
million consumers as required by Sec.  314.4(c)(3) of the amended 
Rule; such encryption might have prevented the intruders from 
misusing individuals' sensitive information, even if they were able 
to obtain it.\16\ In addition, the complaint charged that Equifax 
did not adequately monitor activity on its network, which allowed 
intruders to access and use their network undetected for months; 
such monitoring will be required by Sec.  314.4(c)(8).\17\ Finally, 
and perhaps most importantly, Equifax split authority over its 
information security program between two people, which caused 
failures of communications and oversight.\18\ Indeed, the U.S. House 
Committee on Oversight and Government identified Equifax's 
organization as one of the major causes of the breach.\19\ 
Appointing a single Qualified Individual as the coordinator of 
Equifax's information security system, as required by Sec.  314.4(a) 
of the amended Rule, could have helped prevent or limit the scope of 
one of the largest breaches in American history. By implementing the 
measures required in the amended Rule, financial institutions will 
prevent or mitigate many future breaches, protecting consumers and 
their information.
---------------------------------------------------------------------------

    \15\ Compl. for Permanent Injunction & Other Relief., FTC v. 
Equifax, Inc., No. 1:19-mi-99999-UNA (N.D. Ga. July 22, 2019) ¶ 17.
    \16\ Id. ¶ 22.E.
    \17\ Id. ¶ 22.F.
    \18\ While the dissent questions the requirements in the Rule 
regarding elevating security issues to the top levels of the 
corporate structure, research supports these requirements. Boards 
are becoming increasingly involved in cybersecurity governance, as 
demonstrated by surveys of practitioners and the growth of 
literature aimed at educating board members on cybersecurity. Some 
studies suggest that Board attention to data security decisions can 
dramatically improve data safeguarding. For example, one study found 
a 35% decrease in the probability of information security breaches 
when companies include the Chief Information Security Officer (or 
equivalent) in the top management team and the CISO has access to 
the board. See Juhee Kwon et al., supra note 10; see also Safeguards 
Workshop, at 201-09.
    \19\ U.S. H. Rep. Comm. on Oversight and Gov. Reform, Majority 
Staff Report on The Equifax Data Breach, 115th Cong., at 55-62 (Dec. 
2018).
---------------------------------------------------------------------------

    There is also no support for the dissent's notion that the 
amendments eliminate financial institutions' flexibility in a way 
that will hurt smaller businesses. The amendments require that 
information security programs address certain aspects of security, 
but do not prescribe any particular method for doing so. 
Specifically, the amended Rule requires that the information 
security program address areas such as access control, change 
management, information disposal, and monitoring user activity, but 
it does not require that financial institutions take any particular 
action in those areas. In fact, the Rule recognizes the concerns of 
small businesses and adopts appropriate flexibilities. Section 314.6 
of the revised Rule exempts financial institutions that maintain 
information concerning fewer than 5,000 consumers from certain 
requirements. In addition, financial institutions with smaller and 
simpler systems may determine that minimal procedures are required 
in those areas, and they retain flexibility under these amendments 
to follow that route. Moreover, the record contains significant 
evidence that there are free and low-cost solutions for smaller 
businesses with more modest data security needs.\20\
---------------------------------------------------------------------------

    \20\ See, e.g., Safeguards Workshop, at 267 (remarks of Wendy 
Nather) (``we have a lot more options, a lot more technologies today 
than we did before that are making both of these solutions, both 
encryption and MFA, easier to use, more flexible, in some cases 
cheaper, and we should be encouraging their adoption wherever 
possible.''). Id. at 265-66 (remarks of Matthew Green) (``I think 
that we're in a great time when we've reached the point where we can 
actually mandate that encryption be used. . . . And we've reached 
the point where now it is something that's come to be and we can 
actually build well.''). Id. at 229-30 (remarks of Randy Marchany) 
(noting that encryption is already built into the Microsoft Office 
environment and that a number of Microsoft products, such as 
Spreadsheets, Excel, Docs, and PowerPoint, support that encryption 
feature). Id. at 225. Id. at 106 (remarks of Rocio Baeza) (``[T]he 
encryption of data in transit has been standard. There's no pushback 
with that.''). Id. at 74 (remarks of James Crifasi) (stating that 
car dealerships can rely on existing staff for the role of Qualified 
Individual). Id. at 78-79 (remarks of Lee Waters) (stating that any 
dealership with any IT staff at all would have someone who could 
assume the role of ``qualified individual,'' perhaps requiring some 
additional research or outside help). Id. at 81-82 (remarks of Rocio 
Baeza) (stating that companies may use an existing employee for the 
role and ``for any areas where there may be skill gaps, that can be 
supplemented with either certifications or some type of 
education.''). Id. at 89-90 (remarks of Brian McManamon) (noting 
that the size of a financial institution and the amount and nature 
of the information that it holds factor into an appropriate 
information security program); Presentation Slides, Inf. Security & 
Fin. Inst.: An FTC Workshop of GLB Safeguards, at 27-28 (July 13, 
2020) (slides accompanying remarks of Rocio Baeza, ``Models for 
Complying to the Safeguards Rule Changes'') (``Safeguards Workshop 
Presentation Slides'') https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (describing three 
different compliance models: In-house, outsource, and hybrid, with 
costs ranging from $199 per month to more than $15,000 per month). 
Safeguards Workshop, at 81-83 (remarks of Rocio Baeza) (describing 
three compliance models in more detail); Safeguards Workshop 
Presentation Slides, at 29 (remarks of Brian McManamon, ``Sample 
Pricing'') (estimating the cost of cybersecurity services based on 
number of endpoints). Id. at 83-85.
---------------------------------------------------------------------------

    We believe that these amendments represent a much-needed step 
forward in protecting Americans' data security. Given growing 
recognition that the requirements captured in the Rule represent 
best practices, some financial institutions seem to have already 
taken appropriate steps to protect customers' data and meet the 
requirements set out in the amended Rule. It is important, though, 
to require those that lag behind to strengthen their security and 
prevent future breaches before they occur, rather than in the wake 
of a devastating breach after the damage has already been done.

Joint Statement of Commissioners Noah Joshua Phillips and Christine S. 
Wilson in the Matter of the Final Rule Amending the Gramm-Leach-Bliley 
Act's Safeguards Rule

    In 1999, Congress passed the Gramm-Leach-Bliley Act, which 
charged the Federal Trade Commission (the ``Commission'') with 
promulgating and enforcing a regulation to ensure that financial 
firms take care to safeguard the information they collect from 
consumers.\1\ The Safeguards Rule \2\ has established more data 
security obligations for consumer financial data than for data 
collected by non-financial firms, a gap that underlies our view--
shared by our colleagues--that congressional data security 
legislation is warranted.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999). Notably, even as 
it transferred authority for other consumer financial regulation to 
the Consumer Financial Protection Bureau in the Dodd-Frank Act, 
Congress left this rulemaking authority with the Commission, a vote 
of confidence in our approach. 15 U.S.C. 6804(a)(1).
    \2\ 16 CFR part 314.
---------------------------------------------------------------------------

    One hallmark of the Safeguards Rule is its recognition that, in 
a world of continuously evolving threats and standards, a one-size-
fits-all approach to data security may not work. Under Democratic 
and Republican leadership, the Commission has repeatedly emphasized 
this principle.\3\ We have traditionally eschewed an overly 
prescriptive approach, both to data security in general and to the 
Safeguards Rule itself.\4\ The FTC has never demanded ``perfect'' 
security because the Commission has recognized that data security is 
neither cost- nor consequence-free, and often requires tradeoffs.\5\ 
At the same time, during our tenure, the Commission has continued to 
enforce data security standards vigorously, including those embodied 
in the Safeguards Rule.\6\
---------------------------------------------------------------------------

    \3\ See, e.g., Federal Trade Commission, Statement Marking the 
FTC's 50th Data Security Settlement, at 1 (Jan. 31, 2014), https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf 
(``FTC Data Security Statement'') (``Through its settlements, 
testimony, and public statements, the Commission has made clear that 
it does not require perfect security; reasonable and appropriate 
security is a continuous process of assessing and addressing risks; 
there is no one-size-fits-all data security program; and the mere 
fact that a breach occurred does not mean that a company has 
violated the law.''); see also Prepared Statement of the Federal 
Trade Commission: Before the Committee on Homeland Security and 
Governmental Affairs Permanent Subcommittee on Investigations, 116 
Cong. 3 (2019) (statement of Andrew Smith, Director, Bureau of 
Consumer Protection) (``[t]here is no one-size-fits-all data 
security program . . .''), https://www.ftc.gov/system/files/documents/public_statements/1466607/commission_testimony_re_data_security_senate_03072019.pdf. Federal 
Trade Commission, Stick with Security: A Business Blog Series (Oct. 
2017), https://www.ftc.gov/news-events/blogs/business-blog/2017/10/stick-security-ftc-resources-your-business.
    \4\ FTC Notice of Proposed Rulemaking, 84 FR 13158 (Apr. 4, 
2019), https://www.federalregister.gov/documents/2019/04/04/2019-04981/standards-for-safeguarding-customer-information (``The 
Commission continues to believe that a flexible, non-prescriptive 
Rule enables covered organizations to use it to respond to the 
changing landscape of security threats, to allow for innovation in 
security practices, and to accommodate technological changes and 
advances.'').
    \5\ Under the FTC's unfairness authority, the Commission brings 
cases when companies under its jurisdiction fail to employ 
``reasonable'' security. FTC Data Security Statement, supra note 3 
(``The touchstone of the Commission's approach to data security is 
reasonableness: a company's data security measures must be 
reasonable and appropriate in light of the sensitivity and volume of 
consumer information it holds, the size and complexity of its 
business, and the cost of available tools to improve security and 
reduce vulnerabilities.'').
    \6\ See, e.g., In the matter of Ascension Data & Analytics, LLC, 
FTC File No. 1923126 (2020), https://www.ftc.gov/enforcement/cases-proceedings/192-3126/ascension-data-analytics-llc-matter; U.S. v. 
Mortgage Solutions FCS, Inc., Civ. Action No. 4:20-cv-110 (N.D. Cal 
2020), https://www.ftc.gov/enforcement/cases-proceedings/182-3199/mortgage-solutions-fcs-inc; FTC v. Equifax, Inc., Civ. Action No. 
1:19-cv-03297-TWT (N.D. Ga. 2019), https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc.
---------------------------------------------------------------------------

    In March 2019, the Commission approved a Notice of Proposed 
Rulemaking (``NPRM'') proposing additional requirements to the 
Safeguards Rule. While we recognize the value in regularly reviewing 
our rules and updating them as needed, we dissented then because the 
proposal lacked data demonstrating the need for and efficacy of the 
proposed amendments.\7\
---------------------------------------------------------------------------

    \7\ Dissenting Statement of Commissioner Noah Joshua Phillips 
and Commissioner Christine S. Wilson, Review of Safeguards Rule 
(Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf; See, 
e.g., Noah Joshua Phillips (@FTCPhillips), Twitter (Mar. 5, 2019, 
3:08 p.m.), https://twitter.com/FTCPhillips/status/1103024596247289867 (``A reexamination of the Rule may indeed be 
appropriate and necessary; but, before we borrow from other existing 
schemes, we must first understand whether the existing Rule is 
inadequate for its purpose and whether the data supports the 
efficacy of the alternatives.''); Christine S. Wilson, Remarks at 
NAD 2020, One Step Forward, Two Steps Back: Sound Policy on Consumer 
Protection Fundamentals 7-8 (Oct. 5, 2020), https://www.ftc.gov/system/files/documents/public_statements/1581434/wilson_remarks_at_nad_100520.pdf.
---------------------------------------------------------------------------

    We appreciate Staff's diligent work on this rule and many of the 
modifications made to the original proposal. The Federal Register 
Notice does a commendable job of presenting the full panoply of 
comments that the Commission received. The FTC is at its best when 
it seeks input from experts, industry, and consumer groups; this 
rulemaking process reflects a commitment to that approach. But the 
comment period did not produce data demonstrating that the previous 
iteration of the rule was inadequate, or that the costs and 
consequences of the new prescriptive obligations will translate into 
actual consumer safeguards. That was our concern, and the comments 
did not allay it.
    In fact, as several commenters observed, the new prescriptive 
requirements could weaken data security by diverting finite 
resources towards a check-the-box compliance exercise and away from 
risk management tailored to address the unique security needs of 
individual financial institutions. It is ironic that the revisions 
mandate a risk assessment and then order firms to prioritize 
specified precautions ahead of the risks and needs counseled by that 
assessment. The revisions also impose intrusive corporate governance 
obligations wholly unsupported by record evidence of prevalent 
failures at the senior managerial level.
    For these reasons, which we explain more fully below, we 
dissent.

The Record Fails To Provide a Basis for the New Requirements

    We expressed concern in March 2019 that some of the proposals in 
the NPRM tracked issues that arose in cases involving firms not 
covered by the Safeguards Rule. That is, those failures occurred at 
companies to which the Safeguards Rule did not apply. And heightened 
obligations imposed in a settlement context, when a company has 
engaged in risky and allegedly illegal behavior, may not be 
appropriate for all market participants. We did not see evidence 
that covered firms had a systematic problem--i.e., that the Rule was 
not working.\8\ The Commission can--and does--promote best practices 
and reasonable care requirements through speeches, guidance, 
reports, and the like, to help financial firms evaluate whether they 
are taking proper precautions.\9\ But new rules that set concrete 
standards for all companies, regardless of risk, require more 
justification. Such rules make companies liable for penalties, and 
could focus efforts on compliance to address penalty deterrence 
rather than risk.
---------------------------------------------------------------------------

    \8\ Commenters on the proposed rules reflected these same 
concerns. See, e.g., CTIA (comment 34, NPRM) at 4, https://www.regulations.gov/comment/FTC/2019-0019-0034 (observing that most 
examples cited in the NPRM are from non-financial firms and arguing 
that the FTC's action in Equifax demonstrated that the agency is 
able to use the current framework effectively); Global Privacy 
Alliance (comment 38, NPRM) at 4, https://www.regulations.gov/comment/FTC/2019-0019-0038 (the changes to the rules started not 
from FTC experience but rather from state laws); Electronic 
Transactions Association (comment 27, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0027 (the current rule is 
effective and there are no harms that warrant these changes); 
National Automobile Dealers Association (comment 46, NPRM) at 6, 
https://www.regulations.gov/comment/FTC/2019-0019-0046 (``[N]ew 
requirements for all financial institutions should not be based on 
unrelated enforcement actions that may not be generally applicable 
to all financial institutions subject to the Rule.'').
    \9\ Federal Trade Commission, Data Security, https://www.ftc.gov/datasecurity.
---------------------------------------------------------------------------

    Dozens of commenters have shared their views on the Safeguards 
proposal, and FTC Staff held a workshop to evaluate the need to 
change the Rule. While there is no shortage of opinions as to the 
need and benefits of the proposed changes (nor is there a shortage 
of opinions critiquing the new requirements), this process failed to 
provide evidence of market failure or other systemic problems \10\ 
necessitating the proposed changes for firms already governed by the 
requirements of the Rule. In fact, one commenter that generally 
supported the rule changes noted that it was not clear that the new 
rules would have prevented the alleged lapses that led to the 
Equifax breach, the largest Safeguards case on record.\11\
---------------------------------------------------------------------------

    \10\ One study cited by commenters pointed toward widespread 
problems among fintech firms ``including misuse of cryptography, use 
of weak cryptography, and excessive permission requirements.'' The 
Clearing House Association LLC (comment 49, NPRM) at 7-9, https://www.regulations.gov/comment/FTC/2019-0019-0049 (citing a 2018 study 
by the Center for Financial Inclusion, https://content.centerforfinancialinclusion.org/wp-content/uploads/sites/2/2018/09/CFI43-CFI_Online_Security-Final-2018.09.12.pdf). This study 
included firms from around the world and did not indicate that this 
limited set of issues arose in U.S. firms covered by the Safeguards 
Rule. See also National Automobile Dealers Association (comment 46, 
NPRM) at 46, https://www.regulations.gov/comment/FTC/2019-0019-0046 
(``These requirements have largely not been proven to be necessary 
or effective.''). Participants at the FTC's July 2020 Workshop 
generally agreed that companies could invest more in security, but 
the fact of under-investment does not mean that these changes to the 
Safeguards Rule constitute the best course of action. FTC, 
Information Security and Financial Institutions: An FTC Workshop to 
Examine Safeguards Rule Tr. at 23-70 (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf (``Safeguards Workshop'').
    \11\ Consumer Reports (comment 52, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0052 at 2. Not all the 
commenters agreed with this perspective, and some felt that these 
rules would have prevented the Equifax breach. See National Consumer 
Law Center and others (comment 58, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0058. Chair Khan and 
Commissioner Slaughter focus on the Equifax breach to justify the 
adoption of prescriptive and complex data security measures, 
measures that match the sophistication and complexity of the 
consumer financial data managed by one of the largest credit 
bureaus. But even assuming the new rules would have prevented it, 
one (albeit high-profile) breach, without more, should not be 
extrapolated to an entire industry with diverse business models 
housing varied consumer financial data. Reasonable safeguards for a 
company like Equifax, based on its size and complexity, the nature 
and scope of its activities, and the sensitivity of the information 
involved, would likely outpace procedures that would be appropriate 
or reasonable for a sole proprietorship or small business.
---------------------------------------------------------------------------

    That these proposals may constitute best practices appropriate 
to certain firms or situations does not justify imposing them on 
every firm and in every situation.\12\ The FTC historically has been 
appropriately cautious in mandating specific security practices, and 
we see no sound basis in the rulemaking record to change that 
approach.\13\
---------------------------------------------------------------------------

    \12\ While the Final Rule is based on proposals from New York 
State Department of Financial Services (``NYDFS''), the FTC imposes 
its requirements much more broadly than the NYDFS Cybersecurity 
Requirements for Financial Services Companies, 23 NYCRR Pt. 500. The 
NYDFS requirements exempt a much larger cross-section of 
organizations from the most onerous, prescriptive, and expensive 
provisions in their rule. 23 NYCRR Sec. 500.19. Nor do the 
exceptions in the Final Rule, while helpful, suffice.
    \13\ Unfortunately, this is not the first time this Commission 
has emphasized what we can do over what we should do. See, e.g., 
Joint Statement of Commissioners Noah Joshua Phillips and Christine 
S. Wilson, In the matter of Resident Home LLC, Commission File No. 
2023179 (Oct. 7, 2021), https://www.ftc.gov/system/files/documents/public_statements/1597270/resident_home_dissenting_statement_wilson_and_phillips_final_0.pdf; 
Joint Statement of Commissioners Noah Joshua Phillips and Christine 
S. Wilson, U.S. v. iSpring Water Systems, LLC, Commission File No. 
C4611 (Apr. 12, 2019), https://www.ftc.gov/system/files/documents/public_statements/1513499/ispring_water_systems_llc_c4611_modified_joint_statement_of_commissioners_phillips_and_wilson_4-12.pdf.
---------------------------------------------------------------------------

The Revised Safeguards Rule Is Premature

    In our 2019 statement, we expressed concern that the proposals 
in the NPRM were premature. They are based in large part on the New 
York Department of Financial Services data security rules,\14\ 
adopted in 2016. At the same time, Congress and the Executive Branch 
were evaluating new privacy and data security legislation that may 
overlap with the proposed amendments.\15\
---------------------------------------------------------------------------

    \14\ Cybersecurity Requirements for Financial Services 
Companies, 23 NYCRR Pt. 500 (2016).
    \15\ See Consumer Data Industry Association (comment 36, NPRM) 
at 2, https://www.regulations.gov/document?D=FTC-2019-0019-0036 
(noting that the NY rule is too recent and Congress is debating new 
legislation that should be left to Congress to resolve); National 
Automobile Dealers Association (comment 46, NPRM) at 46, https://www.regulations.gov/comment/FTC-2019-0019-0046 (The new rules ``are 
premature as they are based on untested and new standards in a 
rapidly changing environment, and in a context where federal debate 
is ongoing.''); New York Insurance Association (comment 31, NPRM), 
https://www.regulations.gov/comment/FTC-2019-0019-0031 (it is 
premature to adopt these rules without the benefit of the state's 
experience).
---------------------------------------------------------------------------

    Since our original statement, we have been provided with no 
additional information on the impact and efficacy of the NYDFS 
rules.\16\ Without this critical input, we do not believe adopting 
wholesale the NYDFS approach is the prudent course.\17\ We would 
have been better served by monitoring the efficacy, costs and 
unintended consequences of the NYDFS rules during this ramp-up 
period. Imposing similar rules on far more firms across a broader 
array of industries makes even less sense.
---------------------------------------------------------------------------

    \16\ We appreciate the time and resources the NYDFS invested in 
commenting on our proposed rule. Though the NYDFS does say that its 
rules have ``enhanced cybersecurity protection across the financial 
industry and fostered an environment in which the threat of a cyber 
attack is taken seriously at all levels of New York's financial 
services firms,'' it offers no supporting data. New York State 
Department of Financial Services (comment 40, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0040.
    \17\ As several commenters pointed out, the NYDFS rules are more 
nuanced than the amendments introduced today. For instance, under 
the NYDFS regulations, certain additional requirements only apply to 
a category of sensitive data, a limitation not carried through to 
the Safeguards Rule. See, e.g., U.S. Chamber of Commerce (comment 
33, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0033; 
CTIA (comment 34, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0034; Electronic Transactions Association (comment 27, 
NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0027. These 
distinctions only raise more questions and concerns about basing our 
regulations on the New York rules.
---------------------------------------------------------------------------

    Congress, with the encouragement of the Commission, has 
continued to consider legislative initiatives in this area. 
Throughout 2019, 2020 and 2021, we saw the release of several draft 
bills addressing data security, as well as privacy.\18\ And other 
developments, such as data security requirements of the General Data 
Protection Regulation \19\ and new cybersecurity incidents \20\ 
ensure that these issues will continue to draw congressional attention. The 
decisions about tradeoffs in this space are complex and significant 
for consumers, business, and government; intrusive mandates are best 
left to the people's representatives rather than to the vagaries of 
the administrative rulemaking process.\21\
---------------------------------------------------------------------------

    \18\ See, e.g., Fourth Amendment is Not for Sale Act, S. 1265, 
117th Cong. (2021); Data Care Act of 2021, S. 919, 117th Cong. 
(2021); Data Protection Act of 2021, S. 2134, 117th Cong. (2021); 
SAFE DATA Act, S. 2499, 117th Cong. (2021); Consumer Online Privacy 
Rights Act, S. 2968, 116th Cong. (2019). See also California 
Privacy Rights Act of 2020, Cal. Civ. Code Sec. 1798.100 et seq.; 
Virginia Consumer Data Protection Act, Va. Code Sec. 59.1-575 et 
seq.; and Colorado Privacy Act, 2021 Colo. ALS 483, 2021 Colo. Ch. 
483, 2021 Colo. SB. 190.
    \19\ Council Directive 2016/679, art. 32 2016 O.J. (L119).
    \20\ See, e.g., Joseph Menn and Christopher Bing, Hackers of 
SolarWinds stole data on U.S. sanctions policy, intelligence probes, 
Reuters (Oct. 8, 2021), https://www.reuters.com/world/us/hackers-solarwinds-breach-stole-data-us-sanctions-policy-intelligence-probes-2021-10-07/; Stephanie Kelly and Jessica Resnick-ault, One 
password allowed hackers to disrupt Colonial Pipeline, CEO tells 
senators, Reuters (June 8, 2021), https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08; Carly Page, The Accellion data breach 
continues to get messier, TechCrunch (July 8, 2021), https://techcrunch.com/2021/07/08/the-accellion-data-breach-continues-to-get-messier/; Peter Valdes-Dapena, Volkswagen hack: 3 million 
customers have had their information stolen, CNN (June 11, 2021), 
https://www.cnn.com/2021/06/11/cars/vw-audi-hack-customer-information/.
    \21\ Sen. Roger Wicker, Rep. Cathy McMorris Rodgers, & Noah 
Phillips, FTC must leave privacy legislating to Congress, Wash. 
Examiner (Sept. 29, 2021), https://www.washingtonexaminer.com/opinion/op-eds/ftc-must-leave-privacy-legislating-to-congress. 
Substance aside, businesses and consumers need confidence to plan 
around new rules. As the recent--and perhaps future--debate about 
net neutrality rules has demonstrated, agency rules are subject to 
disruptive swings that undermine such confidence.
---------------------------------------------------------------------------

The Revised Rules Inhibit Flexibility and Impose Substantial Costs

    The Safeguards Rule originally drafted and evaluated by the 
Commission embraced a flexible approach, emphasizing protections 
targeted to a company's size and risk profile.\22\ As we wrote in 
2019, these new rules move us away from that approach; that loss of 
flexibility will impose costs without necessarily improving 
safeguards for consumer data, which should be the point of this 
exercise.
---------------------------------------------------------------------------

    \22\ The Commission itself acknowledges the importance of 
flexibility in issuing the Final Rule. See, e.g., Final Rule at 27 
(``The Commission, however, believes that the elements provide 
sufficient flexibility for financial institutions to adopt 
information security programs suited to the size, nature, and 
complexity of their organization and information systems.'').
---------------------------------------------------------------------------

    Commenters and the Commission itself have noted that there are 
financial impacts to these new requirements.\23\ The Small Business 
Administration's Office of Advocacy stated its belief that the 
Commission itself does not appear to understand fully the economic 
impact of the proposed changes to the Safeguards Rule.\24\
---------------------------------------------------------------------------

    \23\ See Final Rule; American Council on Education (comment 24, 
NPRM) at 13-14, https://www.regulations.gov/comment/FTC-2019-0019-0024; Wisconsin Bankers Association (comment 37, NPRM) at 1-2, 
https://www.regulations.gov/comment/FTC-2019-0019-0037; American 
Financial Services Association (comment 41, NPRM) at 4, https://www.regulations.gov/comment/FTC-2019-0019-0041; National Association 
of Dealer Counsel (comment 44, NPRM) at 1, https://www.regulations.gov/comment/FTC-2019-0019-0044; National Automobile 
Dealers Association (comment 46, NPRM) at 11, https://www.regulations.gov/comment/FTC-2019-0019-0046; National Independent 
Automobile Dealers Association, (comment 48, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0048; Gusto and others 
(comment 11, Workshop) at 2-4, https://www.regulations.gov/comment/FTC-2019-0019-0011; National Pawnbrokers Association (comment 3, 
NPRM) at 2, https://www.regulations.gov/comment/FTC-2019-0019-0032; 
see also Remarks of James Crifasi, Safeguards Workshop, supra note 
10, Tr. at 72-74, https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf 
(study showing that compliance costs are unaffordable for small 
businesses).
    \24\ Small Business Administration Office of Advocacy (comment 
28, NPRM) at 3-4, https://www.regulations.gov/comment/FTC-2019-0019-0028 (``An agency cannot consider alternatives that minimize any 
significant economic impact if the agency does not know what the 
economic impact of the proposed action is.'').
---------------------------------------------------------------------------

    The burden of these new rules may also reduce competition and 
innovation, as smaller firms less able to absorb the financial costs 
cede ground to larger firms better equipped to handle new regulatory 
mandates.\25\
---------------------------------------------------------------------------

    \25\ See CTIA (comment 34, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0034 (noting the need for more study on the 
costs to competition); U.S. Chamber of Commerce (comment 33, NPRM) 
at 4, https://www.regulations.gov/comment/FTC-2019-0019-0033 (``Some 
private organizations can absorb the added costs, while others 
cannot.''). See also Christine S. Wilson, Remarks at the Future of 
Privacy Forum, A Defining Moment for Privacy: The Time is Ripe for 
Federal Privacy Legislation 13 (Feb. 6, 2020), https://www.ftc.gov/system/files/documents/public_statements/1566337/commissioner_wilson_privacy_forum_speech_02-06-2020.pdf 
(``Importantly, the legislative framework should also consider 
competition. Regulations, by their nature, will impact markets and 
competition. GDPR may have lessons to teach us in this regard. 
Research indicates that GDPR may have decreased venture capital 
investment and entrenched dominant players in the digital 
advertising market.''); Noah Joshua Phillips, Prepared Remarks at 
Internet Governance Forum USA, Keep It: Maintaining Competition in 
the Privacy Debate (July 27, 2018), https://www.ftc.gov/system/files/documents/public_statements/1395934/phillips_-_internet_governance_forum_7-27-18.pdf (discussing the competition 
impacts of new privacy rules).
---------------------------------------------------------------------------

    Security itself may also suffer. A series of specific rules can 
incentivize companies to move from a thoughtful assessment of risk 
and precautions to a check-the-box exercise to ensure that they are 
complying with regulatory mandates--in other words, from a focus on 
real security to an emphasis on rule compliance.\26\ One commenter 
cited data demonstrating that when security personnel are busy with 
compliance and regulatory response, they have less time to focus on 
a firm's actual security needs.\27\ Further, without the flexibility 
to prioritize, finite resources may be diverted to areas of lower 
risk but higher regulatory scrutiny; \28\ commenters noted the irony 
of mandating a risk assessment and then ordering firms to prioritize 
specified precautions ahead of the risks and needs counseled by that 
assessment.\29\ And potentially innovative security practices that 
address changing threats and needs may be discouraged.\30\ As 
one commenter noted, ``[e]ven today's best practices will be 
overtaken by future changes in both technology and the capabilities 
of threat actors,'' \31\ and these proscriptive rules lose the 
``self-modernizing'' nature of flexible requirements,\32\ locking in 
place the primacy of current practices.\33\
---------------------------------------------------------------------------

    \26\ See U.S. Chamber of Commerce (comment 33, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0033; Consumer Data 
Industry Association (comment 36, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0036; Global Privacy 
Alliance (comment 38, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0038. While some parts of the rule, such as encryption 
requirements, allow security officials to make a written 
determination that a different precaution is appropriate, it seems 
unlikely that any individual security official will risk liability 
to make such a determination and the specific requirements here will 
likely become the default rule. American Council on Education 
(comment 24, NPRM) at 12, https://www.regulations.gov/comment/FTC-2019-0019-0024 (``In the absence of a clear delineation by the 
Commission of what alternatives an institutional information 
security executive might approve that the Commission considers 
reasonably equivalent, and assurance that they are reasonably 
applicable in our contexts, that pressure release valve in the 
requirement seems unlikely to release much pressure.''); Software 
Information & Industry Association (comment 29, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0056 (``The mere threat of 
a per se law violation will chill these approvals except in the most 
ironclad circumstances, thereby potentially thwarting 
industry-wide adoption of new and better security 
standards.''); New York Insurance Association (comment 31, NPRM), 
https://www.regulations.gov/comment/FTC-2019-0019-0031 (``This runs 
the risk that companies might feel compelled to encrypt all consumer 
data regardless of whether the CISO's compensating controls would be 
second guessed in the event a company were to lose unencrypted 
customer information.''); Mortgage Bankers Association (comment 26, 
NPRM) at 4, https://www.regulations.gov/comment/FTC-2019-0019-0026 
(noting the obligation to prepare an incident response plan had 
``the potential to cripple small businesses under the pressure of 
repeatedly checking the boxes for potential harmless events.'').
    \27\ Bank Policy Institute (comment 39, NPRM) at 6, https://www.regulations.gov/comment/FTC-2019-0019-0039 (``When the sector 
surveyed its information security teams in late 2016, CISOs reported 
that approximately 40% of their cyber team's time was spent on 
compliance related matters, not on cybersecurity. Due to one 
framework issuance, in particular, the reconciliation process 
delayed one firm's implementation of a security event monitoring 
tool intended to better detect and respond to cyber-attacks by 3-6 
months. With respect to another issuance, another firm stated that 
91 internal meetings were held to determine how that issuance 
aligned with its program and in gathering data for eventual 
regulatory requests.'').
    \28\ See U.S. Chamber of Commerce (comment 33, NPRM) at 4, 
https://www.regulations.gov/comment/FTC-2019-0019-0033 (``the 
proposed requirements would increasingly divert company resources 
toward compliance and away from risk management activities that are 
tailored to businesses' unique security needs.''); Software 
Information & Industry Association (comment 29, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0056 (``The effect of a 
prescriptive approach in this enforcement structure is to place 
companies in the position of forced compliance with potentially 
unnecessary or inapplicable requirements without the appropriate 
process for these covered entities to explain to a supervisory 
authority why it is unnecessary.''); American Financial Services 
Association (comment 41, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0041. In some cases, asking too much of small 
businesses for whom all this is a substantial undertaking may lead 
them to fail at even the basic protections. Safeguards Workshop, 
supra note 10, Tr. at 118-19 (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf.
    \29\ See Bank Policy Institute (comment 39, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0039; Money Services Round 
Table (comment 53, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0053.
    \30\ See Consumer Data Industry Association (comment 36, NPRM) 
at 7-8, https://www.regulations.gov/comment/FTC-2019-0019-0036 
(minimization requirement can impact innovative uses more broadly).
    \31\ See Cisco Systems Inc. (comment 51, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0051 (noting also in the 
context of multi-factor authentication that there will come a time 
when it is no longer the ``appropriate baseline'' and ``covered 
entities could find themselves in full compliance with the rule as 
long as they use access control technology no less protective than 
MFA as defined in the Proposed Amendments.'').
    \32\ National Automobile Dealers Association (comment 46, NPRM), 
https://www.regulations.gov/comment/FTC-2019-0019-0046.
    \33\ See CTIA (comment 34, NPRM) at 3-5, https://www.regulations.gov/comment/FTC-2019-0019-0034 (flexibility in the 
rule allowed it to keep up with evolving threats, whereas new rule 
could limit innovation); HITRUST Alliance (comment 18, NPRM), 
https://www.regulations.gov/comment/FTC-2019-0019-0018 (expressing 
concern about creating outdated requirements); The American 
Financial Services Association (comment 41, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0041.
---------------------------------------------------------------------------

    The reduction in flexibility and imposition of these costs must 
be justified by a significant reduction in risk or some other 
substantial consumer benefit. But the record provides scant support 
for these tradeoffs. Or as one commenter put it:

    [A]s with many of these requirements, we do not take issue with 
the notion that there is merit to this step [requiring monitoring], 
and that many financial institutions will implement some version of 
this control. However, by making this an explicit, stand-alone 
requirement, the Commission is enshrining costs and efforts that 
will be extensive and will likely not be needed in all 
circumstances.\34\
---------------------------------------------------------------------------

    \34\ National Automobile Dealers Association (comment 46, NPRM) 
https://www.regulations.gov/comment/FTC-2019-0019-0046 (arguing that 
the Commission needs additional study into the costs and benefits); 
See also Consumer Data Industry Association (comment 36, NPRM), 
https://www.regulations.gov/comment/FTC-2019-0019-0036 (benefits of 
new rule not justified by tradeoffs).
---------------------------------------------------------------------------

The Rules Involve the FTC in the Internal Governance Decisions of 
Covered Firms

    The specifics of the proposals also raise issues, as we 
expressed in 2019, with regard to mandating the appropriate level of 
board engagement,\35\ hiring and training requirements,\36\ and 
program accountability structures.\37\ We wrote then, and remain 
concerned now, that the Commission is substituting its own judgment 
about governance decisions for those of private companies covered by 
this Rule.
---------------------------------------------------------------------------

    \35\ American Council on Education (comment 24, NPRM) at 16, 
https://www.regulations.gov/comment/FTC-2019-0019-0024; National 
Automobile Dealers Association (comment 46, NPRM) at 41, https://www.regulations.gov/comment/FTC-2019-0019-0046.
    \36\ U.S. Chamber of Commerce (comment 33, NPRM) at 12, https://www.regulations.gov/comment/FTC-2019-0019-0033; National Automobile 
Dealers Association (comment 46, NPRM) at 34-36, https://www.regulations.gov/comment/FTC-2019-0019-0046.
    \37\ See Final Rule. See also American Council on Education 
(comment 24, NPRM) at 14, https://www.regulations.gov/comment/FTC-2019-0019-0024 (critiquing the intrusion on personnel practices).
---------------------------------------------------------------------------

    In certain extraordinary cases involving clear evidence of 
management failure, we have imposed prescriptive governance 
obligations on respondents.\38\ Those rare and egregious instances 
cannot justify a similar approach in a broad rulemaking absent a 
real record of widespread corporate mismanagement or failure at the 
senior management level.
---------------------------------------------------------------------------

    \38\ U.S. v. Facebook, Inc., Civ. Action No. 19-cv-2184 (D.D.C. 
July 24, 2019), https://www.ftc.gov/enforcement/cases-proceedings/092-3184/facebook-inc.
---------------------------------------------------------------------------

    The Commission has elected to proceed with most of these 
governance requirements, forcing the hand of management and shifting 
their priorities to avoid the risk of regulatory action,\39\ without 
clear evidence of their need or efficacy.
---------------------------------------------------------------------------

    \39\ These governance rules may not even promote security. See 
Consumer Data Industry Association (comment 36, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0036 (arguing that the 
annual reporting will become a checkbox exercise).
---------------------------------------------------------------------------

Conclusion

    Regularly reviewing our rules to ensure that they address the 
current environment is an important part of the FTC's regular 
process. But rules have far-reaching and frequently unintended 
impacts in the real world; when imposing additional legal 
obligations in the rulemaking context, we must do so with great 
care. The amended Safeguards Rule replaces a rule that has worked 
well for 20 years, a rule that took a principle-based approach in 
order to provide financial institutions flexibility to determine the 
appropriate and realistic security safeguards for their 
organizations. The record before us at best fails to convince that 
the changes are necessary and at worst raises concern about the 
substantial costs and risks in imposing these amendments. 
Accordingly, we dissent.

[FR Doc. 2021-25736 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P