Standards for Safeguarding Customer Information, 70272-70314 [2021-25736]
70272
Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations
FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084–AB35

Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Final rule.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) is issuing a final rule (“Final Rule”) to amend the Standards for Safeguarding Customer Information (“Safeguards Rule” or “Rule”). The Final Rule contains five main modifications to the existing Rule. First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies. Third, it exempts financial institutions that collect less customer information from certain requirements. Fourth, it expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporating them from the Privacy of Consumer Financial Information Rule (“Privacy Rule”).

DATES:

Effective date: This rule is effective January 10, 2022.

Applicability date: The provisions set forth in § 314.5 are applicable beginning December 9, 2022.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202–326–2773), Katherine McCarron (202–326–2333), or Robin Wetherill (202–326–2220), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:
I. Background

Congress enacted the Gramm-Leach-Bliley Act (“GLB” or “GLBA”) in 1999.[1] The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions’ privacy practices and about their opt-out rights, and to implement security safeguards for customer information.

[1] Public Law 106–102, 113 Stat. 1338 (1999).
Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.[2] Pursuant to the Act’s directive, the Commission promulgated the Safeguards Rule (16 CFR part 314) in 2002. The Safeguards Rule became effective on May 23, 2003.

The current Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.[3] The information security program must be written in one or more readily accessible parts.[4] The safeguards set forth in the program must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.[5] The safeguards must also be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.[6]
In order to develop, implement, and maintain its information security program, a financial institution must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.[7] The financial institution must then design and implement safeguards to control the risks identified through the risk assessment, and must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.[8] The Rule also requires the financial institution to evaluate and adjust its information security program in light of the results of this testing and monitoring, any material changes in its operations or business arrangements, or any other circumstances it knows or has reason to know may have a material impact on its information security program.[9] The financial institution must also designate an employee or employees to coordinate the information security program.[10]

Finally, the current Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.[11]

[2] See 15 U.S.C. 6801(b), 15 U.S.C. 6805(b)(2).
[3] 16 CFR 314.2(c).
[4] 16 CFR 314.3(a).
[5] 16 CFR 314.3(a), (b).
[6] 16 CFR 314.3(a), (b).
[7] 16 CFR 314.4(b).
II. Regulatory Review of the Safeguards Rule

On September 7, 2016, the Commission solicited comments on the Safeguards Rule as part of its periodic review of its rules and guides.[12] The Commission sought comment on a number of general issues, including the economic impact and benefits of the Rule; possible conflicts between the Rule and state, local, or other Federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes. The Commission received 28 comments from individuals and entities representing a wide range of viewpoints.[13] Most commenters agreed there is a continuing need for the Rule and it benefits consumers and competition.[14]

On April 4, 2019, the Commission issued a notice of proposed rulemaking (NPRM) setting forth proposed amendments to the Safeguards Rule (the “Proposed Rule”).[15] In response, the Commission received 49 comments from various interested parties including industry groups, consumer groups, and individual consumers.[16] On July 13, 2020, the Commission held a workshop concerning the proposed changes and conducted panels with information security experts discussing subjects related to the Proposed Rule.[17] The Commission received 11 comments following the workshop.[18] After reviewing the initial comments to the Proposed Rule, conducting the workshop, and then reviewing the comments received following the workshop, the Commission now issues final amendments to the Safeguards Rule.

[8] 16 CFR 314.4(c).
[9] 16 CFR 314.4(e).
[10] 16 CFR 314.4(a).
[11] 16 CFR 314.4(d).
[12] Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7, 2016).
[13] The 28 public comments received prior to March 15, 2019, are posted at: https://www.ftc.gov/policy/public-comments/initiative-674.
[14] See, e.g., Mortgage Bankers Association (comment 39, NPRM); National Automobile Dealers Association (comment 40, NPRM); Data & Marketing Association (comment 38, NPRM); Electronic Transactions Association (comment 24, NPRM); State Privacy & Security Coalition (comment 26, NPRM).
[15] FTC Notice of Proposed Rulemaking, 84 FR 13158 (April 4, 2019).
III. Overview of Final Rule

As noted above, the Final Rule modifies the current Rule in five primary ways. First, the Final Rule amends the current Rule to include more detailed requirements for the development and establishment of the information security program required under the Rule. For example, while the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the Final Rule sets forth specific criteria for what the risk assessment must include, and requires the risk assessment be set forth in writing. As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. And while the Final Rule retains the requirement from the current Rule that financial institutions provide employee training and appropriate oversight of service providers, it adds mechanisms designed to ensure such training and oversight are effective. Although the Final Rule has more specific requirements than the current Rule, it still provides financial institutions the flexibility to design an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

[16] The 49 relevant public comments received on or after March 15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, https://www.regulations.gov/docket/FTC-20190019/document.
[17] See FTC, Information Security and Financial Institutions: An FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshopfull.pdf [hereinafter Safeguards Workshop Tr.].
[18] The 11 relevant public comments relating to the subject matter of the July 13, 2020, workshop can be found at https://www.regulations.gov/document/FTC-2020-0038-0001. This document cites comments using the last name of the individual submitter or the name of the organization, followed by the number based on the last two digits of the comment ID number.
Second, the Final Rule adds requirements designed to improve accountability of financial institutions’ information security programs. For example, while the current Rule allows a financial institution to designate one or more employees to be responsible for the information security program, the Final Rule requires the designation of a single Qualified Individual. The Final Rule also requires periodic reports to boards of directors or governing bodies, which will provide senior management with better awareness of their financial institutions’ information security programs, making it more likely the programs will receive the required resources and be able to protect consumer information.

Third, recognizing the impact of the additional requirements on small businesses, the Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.

Fourth, the Final Rule expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finders often collect and maintain very sensitive consumer financial information, and this change will require them to comply with the Safeguards Rule’s requirements to protect that information. This change will also bring the Rule into harmony with other Federal agencies’ Safeguards Rules, which include activities incidental to financial activities in their definition of financial institution.

Finally, the Final Rule includes several definitions and related examples, including of “financial institution,” in the Rule itself rather than incorporating them from a related FTC rule, the Privacy of Consumer Financial Information Rule, 16 CFR part 313. This will make the rule more self-contained and will allow readers to understand its requirements without referencing the Privacy Rule.
IV. Section-by-Section Analysis

General Comments

The Commission received 49 comments in response to the NPRM for the Proposed Rule, from a diverse set of stakeholders, including industry groups, individual businesses, consumer advocacy groups, academics, information security experts, government agencies, and individual consumers. It also hosted a workshop on the Proposed Rule, which included approximately 20 security experts. Some of the comments simply expressed general support[19] or general disapproval[20] of the Proposed Rule. Many, however, offered detailed responses to specific proposals in the NPRM. In general, industry groups were opposed to most or all of the Proposed Rule, and consumer advocacy groups, academics, and security experts were generally in favor of the amendments. The comments and workshop record are discussed in the following Section-by-Section analysis.
Sec. 314.1: Purpose and Scope

The Purpose and Scope section of the current Rule generally states the Rule implements the Gramm-Leach-Bliley Act and applies to the handling of customer information by financial institutions over which the FTC has jurisdiction. In its NPRM, the Commission proposed adding a definition of “financial institution” modeled on the definition included in the Commission’s Privacy Rule (16 CFR part 313) and a series of examples providing guidance on what constitutes a financial institution under the Commission’s jurisdiction. Other than expanding the definition of “financial institution” as discussed below, the new language was not meant to reflect a substantive change to the Safeguards Rule; rather, it was meant to allow the Rule to be read on its own, without reference to the Privacy Rule.[21] The Commission received no comments that addressed this section specifically, and the Commission adopts the language of the Proposed Rule in the Final Rule.[22]

[19] See Encore Capital Group (comment 25, NPRM); Justine Bykowski (comment 12, NPRM); “Peggy from Bloomington, MN” (comment 13, NPRM); “Anonymous” (comment 20, NPRM).
[20] “Jane Q. Citizen” (comment 14, NPRM).
[21] In a separate final rule, published elsewhere in this issue of the Federal Register, the Commission is amending the Privacy Rule to reflect changes made by the Dodd-Frank Act, limiting that rule to certain auto dealers. Through that proceeding, the Commission is also removing examples of financial institutions from the Privacy Rule that are no longer covered under the rule in the wake of these changes.
Sec. 314.2: Definitions

The Proposed Rule added a number of definitions to § 314.2. The Proposed Rule also retained paragraph (a), which states terms used in the Safeguards Rule have the same meaning as set forth in the Privacy Rule.

The American Council on Education (ACE) suggested all terms from the Privacy Rule, such as “consumer,” “customer,” and “customer information,” be included in the Final Rule in order to make the Final Rule easier for regulated entities to understand.[23] On the other hand, HITRUST recommended no definitions from the Privacy Rule be duplicated in the Safeguards Rule, reasoning that in the event of a need to amend the terms, it would require the amendment of two rules rather than one.[24]

The Commission is persuaded including all terms from the Privacy Rule within the Safeguards Rule will improve clarity and ease of use. Accordingly, the Commission has determined to delete paragraph (a), since it is no longer necessary to state all terms in the Safeguards Rule have the same meaning as in the Privacy Rule. It also adds the Privacy Rule definitions of “consumer,” “customer,” “customer relationship,” “financial product or service,” “nonpublic personal information,” “personally identifiable financial information,” “publicly available information,” and “you” to the definitions in the Final Rule. No substantive change to these definitions is intended.
Authorized User

The Proposed Rule added a definition for the term “authorized user” as paragraph (b). Proposed paragraph (b) defined an authorized user of an information system as any employee, contractor, agent or other person that participates in your business operations and is authorized to access and use any of your information systems and data. This term was used in § 314.4(c)(10) of the Proposed Rule, which required financial institutions to implement policies to monitor the activity of “authorized users” and detect unauthorized access to customer information.

The Commission received one comment on this proposed definition from the National Automobile Dealers Association (NADA), which suggested the term “authorized user” was used inconsistently and was too vague.[25] NADA pointed out while “authorized user” is a defined term, the term “authorized individual” was used in proposed § 313.4(c)(1) (addressing access controls for information systems) and (c)(3) (addressing access controls for physical data). NADA also argued the inclusion of “other person that participates in the business operations of an entity” within the definition of “authorized user” was unclear and created ambiguity in its application.[26]

The Commission agrees with NADA’s points, and, in response, modifies the Final Rule in two ways. First, the Final Rule replaces the term “authorized individual” with “authorized user” in § 313.4(c)(1). As described further below, because the Final Rule combines § 313.4(c)(3) with § 313.4(c)(1), there is no need to make a corresponding change to that section.

Second, because the Commission agrees the ambiguities in the definition of “authorized user” from the Proposed Rule could create confusion, it makes several changes to the definition. It deletes the phrase “other person that participates in the business operations of an entity.” The Commission agrees this phrase was vague. The Commission had intended it to cover any person the financial institution allows to access information systems or data, including, for example, “customers” of the financial institutions. For the purpose of controlling authorized access and detecting unauthorized access (which is where the definition of “authorized user” appears), financial institutions should monitor anomalous patterns of usage of their systems, not only by employees and agents, but also by customers and other persons authorized to access systems or data. To clarify this point, the Commission adds “customer or other person” to the definition of “authorized users.”

The Commission intends that the definition of “authorized users” should include anyone who the financial institution authorizes to access an information system or data, regardless of whether that user actually uses the data. Thus, for clarity, the Commission has deleted the requirement that the authorized user be authorized to use the information system or data. Finally, the definition of authorized user should include users who can access both “information systems and data” and users authorized to access either information systems or data. Accordingly, for clarification purposes, the Commission modifies the definition of authorized user in the Final Rule as any employee, contractor, agent, customer or other person that is authorized to access any of your information systems or data.

[22] Several commenters addressed the change to the definition of “financial institution.” Those comments are addressed in the discussion of the definition of “financial institution” below.
[23] American Council on Education (comment 24, NPRM), at 7.
[24] HITRUST (comment 18, NPRM), at 2.
Security Event

In proposed paragraph (c), the Commission defined security event as an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system. This term was used in provisions requiring financial institutions to establish a written incident response plan designed to respond to security events. It also appeared in the provision requiring the coordinator of a financial institution’s information security program to provide an annual report to the financial institution’s governing body; the required report must identify all security events that took place that year.

Commenters expressed three main concerns with this definition. The first relates to whether the term “security event” should be expanded to instances in which there is unauthorized access to, or disruption or misuse of, information in physical form, as opposed to electronic form. The Proposed Rule used the term “security event” instead of “cybersecurity event” to clarify that an information security program encompasses information in both digital and physical forms and that unauthorized access to paper files, for example, would also be a security event under the Rule. The Money Services Round Table (MSRT), however, noted despite the use of the more general “security” in the defined term, the definition itself is limited to events involving information systems.[27] The Commission agrees this creates a contradiction. Accordingly, the Final Rule includes the compromise of customer information in physical form in the definition of “security event.”

Second, some industry groups argued a “security event” should occur only when there is “unauthorized access” to an information system, not in cases in which there has been a “disruption or misuse” of such systems (e.g., a ransomware attack).[28] These commenters argued the disruption or misuse of information systems is not directly related to the protection of customer information and is, therefore, outside the Commission’s statutory authority.[29] The Commission disagrees. Requiring a financial institution to protect against disruption and misuse of its information system is within the Commission’s authority under the GLBA, which directed the Commission to promulgate a rule that required financial institutions “to protect against any anticipated threats or hazards to the security or integrity” of customer information. A disruption or misuse of an information system will be, in many cases, a threat to the “integrity” of customer information. In addition, disruption or misuse may also indicate the existence of a security weakness that could be exploited to gain unauthorized access to customer information. For example, an event in which ransomware placed on a system is used to encrypt customer information, rendering it useless, raises the possibility similar software could have been used to exfiltrate customer information. Accordingly, the Final Rule retains the inclusion of “misuse or disruption” within the definition of “security event.”

Third, several commenters suggested the definition of “security event” be limited to events in which there is a risk of consumer harm or some other negative effect.[30] Similarly, some commenters argued the definition should exclude events that involve encrypted information in which the encryption key was not compromised or when there is evidence the information accessed has not been misused.[31] The Commission declines to narrow the provision in this manner. It believes a financial institution should still engage in its incident response procedures to determine whether the event indicates a weakness that could endanger customer information and to respond accordingly. The financial institution can then take the appropriate steps in response. Further, § 314.4(h) of the Final Rule, which sets forth the requirement for an incident response plan, requires the incident response plan be designed to respond only to security events “materially affecting the confidentiality, integrity, or availability of customer information,” limiting the impact of the definition of “security event.”

Accordingly, the Final Rule defines security event as an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form. The Proposed Rule placed this definition as paragraph (c), out of alphabetical order. The Final Rule adopts it as paragraph (p), placing it in alphabetical order with the other definitions in § 314.2.

[25] National Automobile Dealers Association (comment 46, NPRM), at 11–12.
[26] National Automobile Dealers Association (comment 46, NPRM), at 11–12.
[27] Money Services Round Table (comment 53, NPRM), at 5 n.14.
[28] National Independent Automobile Dealers Association (comment 48, NPRM), at 4; National Automobile Dealers Association (comment 46, NPRM), at 12–13; Consumer Data Industry Association (comment 36, NPRM), at 3–4.
[29] National Independent Automobile Dealers Association (comment 48, NPRM), at 4; National Automobile Dealers Association (comment 46, NPRM), at 12–13.
[30] HITRUST (comment 18, NPRM), at 3; American Council on Education (comment 24, NPRM), at 7; Mortgage Bankers Association (comment 26, NPRM), at 4–5; Consumer Data Industry Association (comment 36, NPRM), at 3–4; National Automobile Dealers Association (comment 46, NPRM), at 12–13; National Independent Automobile Dealers Association (comment 48, NPRM), at 4.
[31] Mortgage Bankers Association (comment 48, NPRM), at 4–5; National Automobile Dealers Association (comment 46, NPRM), at 12–13; National Independent Automobile Dealers Association (comment 48, NPRM) at 4; American Council on Education (comment 24, NPRM), at 7.
Encryption

Proposed paragraph (e) defined encryption as the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key. This term was used in proposed § 314.4(c)(4), which generally required financial institutions to encrypt customer information. This definition was intended to define the process of encryption while not requiring any particular technology or technique for achieving the protection provided by encryption.

NADA argued this definition should be made more flexible by adding an alternative so it would read “the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key or securing information by another method that renders the data elements unreadable or unusable” (emphasis added).[32] On the other hand, others argued the Proposed Rule’s definition did not sufficiently protect customer information.[33] For example, the Princeton University Center for Information Technology Policy (“Princeton Center”) suggested the Rule should be changed “to clarify that encryption must be consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.”[34] Similarly, ACE argued the definition should include “the transformation of data in accordance with industry standards.”[35]

The Commission agrees the proposed definition should be tethered to some technical standard, without being too prescriptive about what that standard is. Under the proposed definition, as well as NADA’s proposed definition, financial institutions could have claimed they were “encrypting” data if they were aggregating it, scrambling it, or redacting it in a way that made it possible to re-identify the data through, for example, the application of common algorithms or programs. The Commission does not believe this would have provided consumers with sufficient protection. The Commission also agrees with the commenters who stated the definition should signal that encryption should be cryptographically based.

Accordingly, the Final Rule defines encryption as the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material. This definition does not require any specific process or technology to perform the encryption but does require that whatever process is used be sufficiently robust to prevent the deciphering of the information in most circumstances.

[32] National Automobile Dealers Association (comment 46, NPRM), at 13.
[33] American Council on Education (comment 24, NPRM), at 7; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 4.
[34] Princeton University Center for Information Technology Policy (comment 54, NPRM), at 4.
Financial Institution
Incidental Activity
The Proposed Rule made one
substantive change to the definition of
‘‘financial institution’’ it incorporated
from the Privacy Rule. The change was
designed to include entities
‘‘significantly engaged in activities that
are incidental to [] financial activity’’ as
defined by the Bank Holding Company
Act. This proposed change brought only
one activity into the definition that was
not covered before: the act of ‘‘finding’’
as defined in 12 CFR 225.86(d)(1). The
proposed revision to paragraph (f)
added an example of a financial
institution acting as a finder by
‘‘bringing together one or more buyers
and sellers of any product or service for
transactions that the parties themselves
negotiate and consummate.’’ This
example used the language set forth in
12 CFR 225.86(d)(1), which defines
‘‘finding’’ as an activity incidental to a
financial activity under the Bank
Holding Company Act. The Commission
35 American Council on Education (comment 24,
NPRM), at 7.
E:\FR\FM\09DER3.SGM
09DER3
70276
Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES3
adopts this proposal without
modification.
The change to the definition of
‘‘financial institution’’ brings it into
harmony with other agencies’ GLB
rules.36 The change is supported by the
language of the Gramm-Leach-Bliley
Act.37 The Act defines a ‘‘financial
institution’’ as any institution ‘‘the
business of which is engaging in
financial activities as described in
section 1843(k) of title 12.’’ 38 That
section, in turn, describes activities that
are financial in nature as those the
Board has determined ‘‘to be financial
in nature or incidental to such financial
activity.’’ 39 The Final Rule’s definition
mirrors this language. The change will
not lead to a significant expansion of the
Rule coverage as it expands the
definition only to include entities
engaged in activity incidental to
financial activity, as determined by the
Federal Reserve Board. The Board has
determined only one activity to be
incidental to financial activity—‘‘acting
as a finder.’’ 40
Several commenters who addressed
this issue supported the inclusion of
activities incidental to financial
activities.41 Other commenters
expressed concern the proposed change
in the definition would expand the
Rule’s coverage to businesses that
should not be considered financial
institutions.42 They argued the
definition of the term ‘‘finder’’ is too
broad and companies that connect
buyers and sellers in non-financial
contexts would be swept
inappropriately into the definition of
‘‘financial institution.’’ The Association
of National Advertisers argued
advertising agencies could be
considered ‘‘finders’’ because they play
36 See 12 CFR 1016.3(l) (defining ‘‘financial
institution’’ for entities regulated by agencies other
than the FTC). See also 17 CFR 248.3(n) (defining
‘‘financial institution’’ to include ‘‘any institution
the business of which is . . . incidental to . . .
financial activities’’ for the Securities and Exchange
Commission’s rule implementing GLBA’s safeguard
provisions).
37 15 U.S.C. 6801 et seq.
38 15 U.S.C. 6809(3).
39 12 U.S.C. 1843(k).
40 12 CFR 225.86.
41 Electronic Privacy Information Center
(comment 55, NPRM), at 9; Independent
Community Bankers of America (comment 35,
NPRM), at 3; National Automobile Dealers
Association (comment 46, NPRM), at 13–16.
42 Association of National Advertisers (comment,
Workshop), at 4–5; Internet Association (comment,
Workshop), at 4–5; see also Anonymous (comment
15, NPRM) (questioning whether any governing
body would oversee any future determinations by
the Federal Reserve Board that activities are
incidental to financial activity).
a role in connecting buyers and
sellers.43
In response, the Commission notes
the Federal Reserve Board describes
acting as a finder as ‘‘bringing together
one or more buyers and sellers of any
product or service for transactions that
the parties themselves negotiate and
consummate.’’ 44 The Board sets forth
several activities within the scope of
acting as a finder, such as ‘‘[i]dentifying
potential parties, making inquiries as to
interest, introducing and referring
potential parties to each other, []
arranging contacts between and
meetings of interested parties’’ and
‘‘[c]onveying between interested parties
expressions of interest, bids, offers,
orders and confirmations relating to a
transaction.’’ 45
Although this language is somewhat
broad, its scope is significantly limited
in the context of the Safeguards Rule.
First, the Safeguards Rule applies only
to transactions ‘‘for personal, family, or
household purposes.’’ 46 Therefore, only
finding services involving consumer
transactions will be covered. Second,
the Safeguards Rule applies only to the
information of customers, which are
consumers with which a financial
institution has a continuing
relationship.47 Therefore, it will not
apply to finders that have only isolated
interactions with consumers and do not
receive information from other financial
institutions about those institutions’
customers. This significantly narrows
the types of finders that will have
obligations under the Rule, excluding,
the Commission believes, most
advertising agencies and similar
businesses that generally do not have
continuing relationships with
consumers who are using their services
for personal or household purposes.
The Commission believes entities that
perform finding services for consumers
with whom they have an ongoing
relationship are properly considered
‘‘financial institutions’’ for purposes of
the Rule. Accordingly, the Commission
adopts the changes to the definition of
‘‘financial institution’’ as proposed.
Other Changes to Definition of
‘‘Financial Institutions’’
Other commenters suggested
modifying the definition of ‘‘financial
institution’’ 48 in different ways. The
43 Association of National Advertisers (comment
5, Workshop), at 5.
44 12 CFR 225.86 (d).
45 12 CFR 225.86 (d)(1)(i).
46 See Final Rule 16 CFR 314.2(b)(1).
47 16 CFR 314.1; Final Rule 16 CFR 314.2(c).
48 National Pawnbrokers Association (comment
32, NPRM), at 5–6 (arguing that transaction-reporting vendors be included in definition);
National Consumer Law Center and others
(comment 58, NPRM), at 5 (arguing that consumer
reporting agencies be included explicitly in the
definition); see also American Escrow Association
(comment, Workshop), at 2–3 (requesting that the
Rule specifically set out the duties of real estate
settlement operations and other businesses that
handle but do not maintain sensitive information);
Beverly Enterprises, LLC (comment 3, NPRM), at 3–
4 (requesting that the Rule specifically set out
duties related to online notarizations); Yangxue Li
(comment 5, NPRM) (asking whether Rule would
set forth specific guidelines for different industries);
Slobadon Raybolka (comment 17, NPRM)
(suggesting that companies that perform online
background checks be covered by the rule); The
Clearing House (comment 49, NPRM) (suggesting a
separate set of more stringent rules for fintech
companies).
Electronic Privacy Information Center
(EPIC) argued the definition should be
expanded by treating more activities as
financial activities.49 EPIC pointed out
information shared with social media
companies, retailers, apps, and devices
generally is not covered under the
Safeguards Rule. The Commission
understands the concern that many
businesses fall outside the coverage of
the Safeguards Rule, despite handling
sensitive consumer information, but the
Commission’s authority to regulate
activity under the Safeguards and
Privacy Rules is established by the
GLBA. The Rule’s application is limited
to financial institutions as defined by
that statute and cannot be extended
beyond that definition.50 The
institutions discussed by EPIC,
however, are still covered by the FTC
Act’s prohibition against deceptive or
unfair conduct, including with respect
to their use and protection of consumer
information.51
The National Federation of
Independent Business (NFIB) argued
individuals and sole proprietors should
be excluded from the definition of
‘‘financial institution’’ because an
individual cannot be an ‘‘institution.’’ 52
When the Privacy Rule was
promulgated in 2000, commenters also
suggested the definition should exclude
sole proprietors.53 The Commission
noted there was no basis to exclude sole
proprietors and ‘‘[w]hether or not a
49 Electronic Privacy Information Center
(comment 55, NPRM), at 9.
50 See 15 U.S.C. 6801 (requiring agencies to
promulgate Rule establishing standards for financial
institutions); 15 U.S.C. 6809(3) (defining ‘‘financial
institutions’’ as an ‘‘institution the business of
which is engaging in financial activities as
described’’ in the Bank Holding Company Act).
51 In the Matter of Facebook, Inc., Docket No. C–
4365 (Apr. 28, 2020); FTC v. Wyndham Worldwide
Corporation, 799 F.3d 236 (3d Cir. 2015); FTC v. D-Link Systems, Inc., Case No. 3:17–cv–00039–JD
(N.D. Cal. July 2, 2019); In the Matter of Twitter,
Inc., Docket No. C–4316 (Mar. 11, 2011).
52 National Federation of Independent Business
(comment 16, NPRM), at 2–3.
53 Privacy Rule, Final Rule, 65 FR 33645 (May 24,
2000) at 33656.
commercial enterprise is operated by a
single individual is not determinative’’
of whether the enterprise is a financial
institution. The Commission has not
changed its position on this matter and
declines to make this change to the
definition of ‘‘financial institution.’’
The Final Rule adopts this definition
as proposed without change.
Information Security Program
Paragraph (i) of the Final Rule adopts
the existing Rule’s paragraph (c) and
does not alter the definition of
‘‘information security program.’’ The
Commission received no comments on
this definition, and accordingly, adopts
the current definition in the Final Rule.
Information System
Proposed paragraph (h) defined
information system as a discrete set of
electronic information resources
organized for the collection, processing,
maintenance, use, sharing,
dissemination or disposition of
electronic information, as well as any
specialized system such as industrial/
process controls systems, telephone
switching and private branch exchange
systems, and environmental control
systems. The term ‘‘information system’’
was used throughout the proposed
amendments to designate the systems
that must be covered by the information
security program.
The MSRT suggested this definition
was too narrow in some respects and too
broad in others.54 It argued the
definition of ‘‘information system’’ was
too narrow because it did not include
physical systems or employees and
would exclude them from some of the
provisions of the Rule. Specifically, the
MSRT argued that based on this
definition, the penetration tests required
by § 314.4(d)(2) would not be required
to test ‘‘potential human
vulnerabilities’’ such as social
engineering or phishing.55 The
Commission does not agree. Penetration
testing, as defined by the Final Rule, is
a process through which testers
‘‘attempt to circumvent or defeat the
security features of an information
system.’’ 56 One way such security
features are tested is through social
engineering and phishing.57 The fact
that the testing involves employees with
access to the information system, rather
54 Money Services Round Table (comment 53,
NPRM), at 5–6.
55 Id. at 5.
56 Final Rule § 314.2(j).
57 Indeed, Workshop participant Scott Wallace
noted, in conducting penetration testing, ‘‘the first
thing [he does]’’ is generally to ‘‘prepare for the
phishing campaign.’’ Remarks of Scott Wallace,
Safeguards Workshop Tr., supra note 17, at 131–32.
than just the system itself, does not
exclude such tests from the definition of
‘‘penetration testing.’’ Attempted social
engineering and phishing are important
parts of testing the security of
information systems and would not be
excluded by this definition.
The MSRT also argued the definition
was too broad, and was joined by other
commenters in this concern.58 These
commenters shared a concern the
proposed definition would include
systems that are in no way connected to
customer information and would
require financial institutions to include
all systems in their possession,
regardless of their involvement with
customer information. The Commission
agrees the definition should be limited
to those systems that either contain
customer information or are connected
to systems that contain customer
information, and adds that limitation to
the Final Rule. The Rule does not limit
the definition to only those systems that
contain customer information, because a
common source of data breaches is a
vulnerability in a connected system that
an attacker exploits to gain access to the
company’s network and move within
the network to obtain access to the
system containing sensitive
information.59 Accordingly, the
definition of information system in the
Final Rule is modified to a discrete set
of electronic information resources
organized for the collection, processing,
maintenance, use, sharing,
dissemination or disposition of
electronic information containing
customer information or any such
system connected to a system
containing customer information, as
well as any specialized system such as
industrial/process controls systems,
telephone switching and private branch
exchange systems, and environmental
controls systems, that contains customer
information or that is connected to a
system that contains customer
information.
58 Money Services Round Table (comment 53,
NPRM), at 5; Consumer Data Industry Association
(comment 36, NPRM), at 4; American Council on
Education (comment 24, NPRM), at 7–8.
59 See Remarks of Serge Jorgensen, Safeguards
Workshop Tr., supra note 17, at 58–59 (noting
cybersecurity attacks can take advantage of systems
that are connected to the systems in which sensitive
information is stored); Remarks of Tom Dugas,
Safeguards Workshop Tr., supra note 17, at 138
(noting a vulnerability in one system can result in
the exposure of information maintained in another
system); see also Remarks of Rocio Baeza,
Safeguards Workshop Tr., supra note 17, at 106–07
(noting the heightened importance of encryption in
a context where numerous systems are connected);
Remarks of James Crifasi, Safeguards Workshop Tr.,
supra note 17, at 107–08 (same).
Multi-Factor Authentication
Proposed paragraph (i) defined multi-factor authentication as authentication
through verification of at least two of
the following types of authentication
factors: Knowledge factors, such as a
password; possession factors, such as a
token; or inherence factors, such as
biometric characteristics. This term was
used in proposed § 314.4(c)(6),60 which
required financial institutions to
implement multi-factor authentication
for individuals accessing networks that
contain customer information.
Several commenters argued the
definition should explicitly include
SMS text messages as an acceptable
example of a possession factor or
otherwise to be explicitly allowed.61
The Proposed Rule did not include SMS
text messages as an example of a
possession factor.62 Most commenters
who addressed this issue interpreted
this exclusion from the examples as
forbidding financial institutions from
using SMS text messages as a possession
factor for multi-factor authentication.
That is not the effect of this exclusion,
however. The language of the definition
neither prohibits nor recommends use
of SMS text messages. Indeed, SMS text
messages are not addressed at all. In
some cases, use of SMS text messages as
a factor may be the best solution
because of its low cost and easy use, if
its risks do not outweigh those benefits
under the circumstances.63 In other
instances, however, the use of SMS text
messages may not be a reasonable
solution, such as when extremely
sensitive information can be obtained
through the access method being
controlled, or when a more secure
method can be used for a comparable
price. A financial institution will need
to evaluate the balance of risks for its
situation. If, however, the Commission
were to explicitly allow use of SMS text
messages, this could be considered a
safe harbor that would not require the
company to consider risks associated
with use of SMS text as a factor in a
particular use case. Accordingly, the
Final Rule does not include SMS text
60 Section 314.4(c)(5) in the Final Rule.
61 Electronic Transactions Association (comment
27, NPRM), at 4; U.S. Chamber of Commerce
(comment 33, NPRM), at 9; CTIA (comment 34,
NPRM), at 7–9; Global Privacy Alliance (comment
38, NPRM), at 9; National Automobile Dealers
Association (comment 46, NPRM), at 29; National
Independent Automobile Dealers Association
(comment 48, NPRM), at 6.
62 See, e.g., NIST Special Publication 800–63B,
Digital Identity Guidelines, 5.1.3.3 (restricting use
of verification using the Public Switched Telephone
Network (SMS or voice) as an ‘‘out-of-band’’ factor
for multi-factor authentication).
63 See, e.g., Remarks of Wendy Nather, Safeguards
Workshop Tr., supra note 17, at 231–32.
messages in the examples of possession
factors.
The Final Rule adopts the proposed
definition of ‘‘multi-factor
authentication’’ without change as
paragraph (k) of this section.
Penetration Testing
Proposed paragraph (j) defined
penetration testing as a test
methodology in which assessors attempt
to circumvent or defeat the security
features of an information system by
attempting penetration of databases or
controls from outside or inside your
information systems. This term was
used in proposed § 314.4(d)(2), which
required financial institutions to
continually monitor the effectiveness of
their safeguards or to engage in annual
penetration testing. The Commission
received no comments concerning this
definition. The Final Rule adopts the
definition from the Proposed Rule as
paragraph (m) of this section.
Personally Identifiable Financial
Information
To minimize cross-referencing to the
Privacy Rule, as noted above, the
Commission is adding several
definitions to the Final Rule. One of
these definitions is ‘‘personally
identifiable financial information,’’
which is identical to the definition
currently contained in the Privacy Rule.
This term is included within the ambit
of ‘‘customer information,’’ in both the
existing Rule and the Final Rule.
The Princeton Center suggested
expanding the definition of ‘‘personally
identifiable financial information’’ from
the Privacy Rule to include ‘‘aggregate
information or blind data that does not
contain personal identifiers such as
account numbers, names, or
addresses.’’ 64 The Princeton Center
further suggested clarifying that, for
information to not be considered
‘‘personally identifiable financial
information,’’ the financial institution
must be required to demonstrate the
information is not ‘‘reasonably linkable’’
to individuals.
The Commission does not believe this
amendment is necessary. The definition
of ‘‘personally identifiable financial
information’’ is already a broad one.65 It
includes not just information associated
with types of personal information such
as a name or address or account
number, but also information linked to
a persistent identifier (‘‘any information
you collect through an Internet ‘cookie’
(an information collecting device from a
64 Princeton University Center for Information
Technology Policy (comment 54, NPRM) at 9–10.
65 See 16 CFR 313.3(o)(1).
web server’’)).66 While there may be
some merit to limiting the exception for
aggregate information or blind data to
data that cannot be reasonably linkable
to an individual, for purposes of a rule
that can be periodically updated to keep
up with changing technology, the
current approach is more concrete and
enforceable, and less subject to
differences in interpretation.
Service Provider
Proposed paragraph (k) adopted the
existing Rule’s definition and does not
alter the definition of ‘‘service
provider.’’ The Commission received no
comments on this definition and adopts
it as paragraph (q) of the Final Rule.
Sec. 314.3: Standards for Safeguarding
Customer Information
Proposed § 314.3, which required
financial institutions to develop an
information security program
(paragraph (a)) and set forth the
objectives of the Rule (paragraph (b)),
was largely identical to the existing
Rule. It changed only the requirement
that ‘‘safeguards’’ be based on the
elements set forth in § 314.4, by
replacing ‘‘safeguards’’ with
‘‘information security program.’’ The
Commission received no comments on
this proposal and adopts it without
change in the Final Rule.
Sec. 314.4: Elements
Proposed § 314.4 altered the current
Rule’s required elements of an
information security program and added
several new elements.
General Comments
The Commission received many
comments addressing the new elements,
both in favor of the changes and
opposed to them. The comments in
favor of the changes generally argued
these changes would protect consumers
by improving the data security of
institutions that hold their
information.67 Most of the comments
opposed to the proposed elements fell
into several categories, objecting: (1)
The proposed changes were too
prescriptive and did not allow financial
66 16 CFR 313.3(o)(2)(i)(F).
67 See, e.g., New York Department of Financial
Service (comment 40, NPRM), at 1 (arguing the
Proposed Rule would ‘‘further advance efforts to
protect financial institutions and consumers from
cybercriminals.’’); Princeton University Center for
Information Technology Policy (comment 54,
NPRM), at 1 (stating the Proposed Rule ‘‘would
significantly reduce data security risks for the
customers of financial institutions.’’); National
Consumer Law Center and others (comment 58,
NPRM), at 2 (stating requirements of Proposed Rule
are ‘‘reasonable and common-sense measures that
any company dealing with large amounts of
consumer personal information should take.’’).
institutions sufficient flexibility in
managing their information security; (2)
the proposed amendments would be too
expensive for financial institutions,
particularly smaller institutions, to
adopt; and (3) some of the requirements
should not apply to all customer
information but should be limited to
some subset of especially ‘‘sensitive’’
customer information. The Commission
does not agree with these comments for
the reasons discussed below, and
accordingly, retains the general
approach of the Proposed Rule in the
Final Rule.
Flexibility
Many industry groups argued the new
proposed elements were too
prescriptive, lacked flexibility, would
quickly become outdated, and would
force financial institutions to engage in
activities that would not enhance
security.68 For example, the Electronics
Transactions Association argued the
Proposed Rule would ‘‘limit the ability
of industry to develop new and
innovative approaches to information
security.’’ 69 Similarly, CTIA
commented the Proposed Rule would
create a ‘‘prescriptive core of
requirements that covered businesses
must follow, irrespective of whether risk
assessments show they are
necessary.’’ 70
The Commission, however, believes
the elements provide sufficient
flexibility for financial institutions to
adopt information security programs
suited to the size, nature, and
complexity of their organization and
information systems. The elements for
the information security programs set
forth in this section are high-level
principles that set forth basic issues the
68 See, e.g., HITRUST (comment 18, NPRM), at 1–
2; American Council on Education (comment 24,
NPRM), at 2–4; Cristian Munarriz (comment 21,
NPRM); Electronic Transactions Association
(comment 27, NPRM), at 1–2; National Pawnbrokers
Association (comment 32, NPRM), at 3; CTIA
(comment 34, NPRM), at 5; Consumer Data Industry
Association (comment 36, NPRM), at 2; Wisconsin
Bankers Association (comment 37, NPRM), at 1–2;
Global Privacy Alliance (comment 38, NPRM), at 5–
6; Bank Policy Institute (comment 39, NPRM), at 2;
American Financial Services Association (comment
41, NPRM), at 4; National Association of Dealer
Counsel (comment 44, NPRM), at 1; ACA
International (comment 45, NPRM), at 4; National
Automobile Dealers Association (comment 46,
NPRM), at 11; National Independent Automobile
Dealers Association (comment 48, NPRM), at 2–3;
Money Services Round Table (comment 53, NPRM),
at 1–4; Software & Information Industry Association
(comment 56, NPRM), at 1–3; Gusto and others
(comment 11, Workshop), at 2; Association of
National Advertisers (comment 5, Workshop), at 1–
3; Internet Association (comment 9, Workshop), at
2–3.
69 Electronic Transactions Association (comment
27, NPRM), at 1–2.
70 CTIA (comment 34, NPRM), at 5.
programs must address, and do not
prescribe how they will be addressed.
For example, the requirement that the
information security program be based
on a risk assessment sets forth only
three general items the assessment must
address: (1) Criteria for evaluating risks
faced by the financial institution; (2)
criteria for assessing the security of its
information systems; and (3) how the
identified risks will be addressed. Other
than meeting these basic requirements,
financial institutions are free to perform
their risk assessments in whatever way
they choose, using whatever method or
approach works best for them, as long
as the method identifies reasonably
foreseeable risks. The other elements are
similarly flexible. The two elements that
are more prescriptive, encryption and
multi-factor authentication, allow
financial institutions to adopt
alternative solutions when necessary.
Comments concerning individual
elements are addressed separately in the
more detailed analysis below.
Cost
Another common theme among the
comments from industry groups was the
proposed information security program
elements would be prohibitively
expensive, especially for smaller
businesses.71 Commenters argued the
Proposed Rule would have required
financial institutions to implement
expensive changes to their systems and
hire highly-compensated professionals
to do so.72 Industry groups were
71 American Council on Education (comment 24,
NPRM), at 13–14; Wisconsin Bankers Association
(comment 37, NPRM), at 1–2; American Financial
Services Association (comment 41, NPRM), at 4;
National Association of Dealer Counsel (comment
44, NPRM), at 1; National Automobile Dealers
Association (comment 46, NPRM), at 11; National
Independent Automobile Dealers Association
(comment 48, NPRM), at 3; Gusto and others
(comment 11, Workshop), at 2–4; National
Pawnbrokers Association (comment 3, NPRM), at 2;
see also Remarks of James Crifasi, Safeguards
Workshop Tr., supra note 17, at 72–74 (describing
study that found compliance would be expensive
for automobile dealers).
72 See, e.g., Slides Accompanying Remarks of
James Crifasi, FTC, ‘‘NADA Cost Study: Average
Cost Per U.S. Franchised Dealership,’’ Event
Materials, Information Security and Financial
Institutions: An FTC Workshop to Examine
Safeguards Rule (July 13, 2020) https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (hereinafter Safeguards
Workshop Slides), at 25 (estimating an upfront cost
of $293,975 per dealership, and a recurring annual
cost of $276,925); see also Remarks of James Crifasi,
Safeguards Workshop Tr., supra note 17, at 72–75;
Remarks of Brian McManamon, Safeguards
Workshop Tr., supra note 17, at 78 (estimating the
average annual salary of a CISO can range from
$180,000 to upwards of $400,000); Slides
Accompanying Remarks of Lee Waters, ‘‘Estimated
Costs of Proposed Changes,’’ Safeguards Workshop
Slides, at 26 (estimating the annual costs of a
security program to include: Multi-factor
authentication, $50 for smart card readers, and $10
each for smart cards; a CISO, either an in-house
CISO, $180,000, an in-house cybersecurity analyst,
$76,000, or an outsourced cybersecurity contractor,
between $120,000 and $240,000; penetration
testing, average cost $4,800; and physical security,
$215,000 for construction, and $10,000 to $20,000
for new or upgraded locks); see also Remarks of Lee
Waters, Safeguards Workshop Tr., supra note 17, at
75–76.
particularly concerned about the
requirement that financial institutions
designate a single qualified individual
to coordinate their information security
programs, arguing this would require
hiring professionals that were both
expensive, with salaries of more than
$100,000 suggested by some, and in
limited supply.73 Overall, several
commenters argued some financial
institutions would be unable to afford to
bring themselves into compliance with
the Proposed Rule.74
The Commission recognizes properly
securing information systems can be an
expensive and technically difficult task.
However, the Commission believes the
additional costs imposed by the
Proposed Rule are mitigated for several
reasons and, ultimately, those costs are
justified in order to protect customer
information as required by the GLBA.75
73 See, e.g., Slides Accompanying Remarks of Lee
Waters, ‘‘Estimated Costs of Proposed Changes,’’
Safeguards Workshop Slides, supra note 72, at 26
(estimating costs of an in-house CISO to be
$180,000 annually, and an in-house cybersecurity
analyst to be $76,000 annually; and estimating an
outsourced cybersecurity contractor would cost
between $120,000 and $240,000 annually); see also
Remarks of Lee Waters, Safeguards Workshop Tr.,
supra note 17, at 75–76; Remarks of Brian
McManamon, Safeguards Workshop Tr., supra note
17, at 78 (estimating that the average annual salary
of a CISO can range from $180,000 to upwards of
$400,000).
74 See Remarks of Lee Waters, Safeguards
Workshop Tr., supra note 17, at 119–20 (noting
when small businesses have to spend money to hire
third-party vendors and security experts to comply
with regulations, that affects consumer prices and
small business profit margins); Slides
Accompanying Remarks of James Crifasi, ‘‘NADA
Cost Study: Average Cost Per U.S. Franchised
Dealership,’’ Safeguards Workshop Slides, supra
note 72, at 25; see also Remarks of James Crifasi,
supra note 17, at 73 (noting the requirements ‘‘start
becoming a little bit unaffordable here.’’).
75 The Small Business Administration’s Office of
Advocacy commented it was concerned the FTC
had not gathered sufficient data as to either the
costs or benefits of the proposed changes for small
financial institutions. Office of Advocacy, U.S.
Small Business Administration (comment 28,
NPRM), at 3–4. The FTC shares the Office of
Advocacy’s interest in ensuring that regulatory
changes have an evidentiary basis. Many of the
questions on which the FTC sought public
comment, both in the regulatory review and in the
proposed Rule context, specifically related to the
costs and benefits of existing and proposed Rule
requirements. Following the initial round of
commenting, the Commission conducted the FTC
Safeguards Workshop and solicited additional
public comments with the explicit goal of gathering
additional data relating to the costs and benefits of
the proposed changes. See Public Workshop
Examining Information Security for Financial
Institutions and Information Related to Changes to
the Safeguards Rule, 85 FR 13082 (Mar. 6, 2020).
As detailed throughout this document, the
Commission believes there is a strong evidentiary
basis for the issuance of the final Rule.
First, for almost 20 years, financial
institutions have been required under
the current Safeguards Rule to have
information security programs in place.
The current Safeguards Rule requires
financial institutions to ‘‘develop,
implement, and maintain a
comprehensive [written] information
security program . . . appropriate to
[the financial institutions’] size and
complexity, the nature and scope of
[their] activities, and the sensitivity of
any customer information at issue.’’ 76
This comprehensive program must be
coordinated by one or more individuals
and based on a risk assessment.77 As
such, financial institutions complying
with the current Rule will not be
required to establish an information
security program from scratch. Instead,
they can compare their existing
programs to the revised Rule, and
address any gaps. The Commission
believes many of the requirements set
forth in the Final Rule are so
fundamental to any information security
program that the information security
programs of many financial institutions
will already include them if those
programs are in compliance with the
current Safeguards Rule.
Second, a number of commenters who
raised concerns about the costs imposed
by the Rule believed the Proposed Rule
would have required the hiring of a
highly-compensated expert to serve as a
Chief Information Security Officer
(CISO).78 It is correct the Proposed Rule
would have modified the current
requirement of designating an
‘‘employee or employees to coordinate
your information security program’’ by
requiring the designation of a single
qualified individual responsible for
76 16 CFR 314.3.
77 16 CFR 314.4.
78 Several speakers at the Safeguards Workshop
also raised this concern. See, e.g., Slides
Accompanying Remarks of James Crifasi, ‘‘NADA
Cost Study: Average Cost Per U.S. Franchised
Dealership,’’ in Safeguards Workshop Slides, supra
note 72, at 25 (estimating appointing a CISO to
increase program accountability would be a one-time, up-front cost of $27,500, with a recurring
annual cost of $51,000); Remarks of James Crifasi,
Safeguards Workshop Tr., supra note 17, at 72–75;
Slides Accompanying Remarks of Lee Waters,
‘‘Estimated Costs of Proposed Changes,’’ in
Safeguards Workshop Slides, supra note 72, at 26
(estimating costs of an in-house CISO to be
$180,000 annually, and an in-house cybersecurity
analyst to be $76,000 annually; and estimating that
an outsourced cybersecurity contractor would cost
between $120,000 to $240,000 annually); Remarks
of Lee Waters, Safeguards Workshop Tr., supra note
17, at 75–76; Remarks of Brian McManamon,
Safeguards Workshop Tr., supra note 17, at 78
(estimating that the average annual salary of a CISO
can range from $180,000 to upwards of $400,000).
E:\FR\FM\09DER3.SGM
09DER3
70280
Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES3
overseeing and implementing the
security program. This individual was
referred to in the Proposed Rule as a
Chief Information Security Officer or
‘‘CISO.’’ As discussed in detail below,
the Final Rule does not use this term,
though the concept is the same: The
person designated to coordinate the
information security program need only
be ‘‘qualified.’’ No particular level of
education, experience, or certification is
prescribed by the Rule. Accordingly,
financial institutions may designate any
qualified individual who is appropriate
for their business. Only if the
complexity or size of their information
systems require the services of an expert
will the financial institution need to
hire such an individual.79
Finally, the Commission believes
while large financial institutions may
well incur substantial costs to
implement complex information
security programs, there are much more
affordable solutions available for
financial institutions with smaller and
simpler information systems. For
example, there are very low-cost or even
free vulnerability assessment programs
available: ‘‘virtual CISO’’ services
enable a third party to provide security
support for many companies, splitting
the cost of information security
professionals among them; many
applications and hardware have built-in
encryption requirements; 80 and there
are affordable multi-factor
authentication solutions aimed at
businesses of various sizes.
Considering these points, although
there will undoubtedly be expenses
involved for some, or even many,
financial institutions to update their
programs, the Commission believes
these expenses are justified because of
the vital importance of protecting
customer information collected,
maintained, and processed by financial
institutions. Congress recognized the
importance of securing consumers’
sensitive financial information when it
passed the GLBA, which required the
FTC to promulgate the Safeguards Rule.
79 See, e.g., Remarks of Brian McManamon,
Safeguards Workshop Tr., supra note 17, at 89–90
(noting the size of a financial institution and the
amount and nature of the information it holds factor
into an appropriate information security program);
see also Slides Accompanying Remarks of Rocio
Baeza, ‘‘Models for Complying to the Safeguards
Rule Changes,’’ in Safeguards Workshop Slides,
supra note 72, at 27–28 (describing three different
compliance models: In-house, outsource, and
hybrid, with costs ranging from $199 per month to
more than $15,000 per month); Remarks of Rocio
Baeza, Safeguards Workshop Tr., supra note 17, at
81–83 (describing three compliance models in more
detail).
80 See Remarks of Brian McManamon, Safeguards
Workshop Tr., supra note 17, at 78 (describing
virtual CISO services).
The importance, as well as the
difficulty, of protecting customer
information has only increased in the
more than twenty years since the
passage of the GLBA. The Commission
believes the amendments to the
Safeguards Rule are necessary to ensure
the purposes of the GLBA are satisfied,
and so consumers can have confidence
financial institutions are providing
reasonable safeguards to protect their
information.
‘‘Sensitive’’ Customer Information
Several industry groups also
suggested significant portions of the
Proposed Rule should not apply to all
customer information, but rather only to
some subset of particularly ‘‘sensitive’’
customer information, such as account
numbers or social security numbers.81
These commenters generally argued the
definition of ‘‘customer information’’ is
too broad, as it will include information
the commenters felt is not particularly
sensitive, such as name and address,
and does not justify extensive
safeguards.82
The Commission does not agree that
some portion of customer information is
not entitled to the protections required
by the Final Rule. The Safeguards Rule
defines ‘‘customer information’’ as ‘‘any
record containing nonpublic personal
information’’ about a customer handled
or maintained by or on behalf of a
financial institution.83 The Final Rule
defines ‘‘nonpublic personal
information’’ as ‘‘personally identifiable
financial information,’’ but does not
include information that is ‘‘publicly
available.’’ Although this definition is
broad, the Commission believes
information covered by it is rightfully
considered sensitive and should be
protected accordingly. The businesses
regulated by the Safeguards Rule are not
just any businesses, but are financial
institutions and are responsible for
handling and maintaining financial
information that is both important to
consumers and valuable to attackers
who try to obtain the information for
financial gain. Even the fact that a
consumer is a customer of a particular
financial institution is generally
nonpublic and can be sensitive. For
example, the revelation of a customer
relationship between a consumer and a
particular type of financial institution,
such as debt collectors or payday
lenders, may make those customers’
information more vulnerable to
compromise by facilitating social
engineering or similar attacks. The
nature of the relationship between
customers and their financial
institutions makes all nonpublic
information held by the financial
institution inherently sensitive and
worthy of the level of protection set
forth in the Rule.
81 See, e.g., Electronic Transactions Association
(comment 27, NPRM), at 2–4; CTIA (comment 34,
NPRM), at 10; Global Privacy Alliance (comment
38, NPRM), at 7–8; American Financial Services
Association (comment 41, NPRM), at 5; ACA
International (comment 45, NPRM), at 13; Money
Services Round Table (comment 53, NPRM), at 6–
7.
82 See, e.g., Electronic Transactions Association
(comment 27, NPRM), at 2; Global Privacy Alliance
(comment 38, NPRM), at 7.
83 16 CFR 314.2(b).
Although the Commission believes all
customer information should be
safeguarded by financial institutions
and declines to exclude any portion of
that information from protection under
any of the provisions of the Rule, it
notes the Rule does contemplate
financial institutions will consider the
sensitivity of particular information in
designing their information security
programs and safeguards. The elements
required by this section are generally
flexible enough to allow financial
institutions to treat various pieces of
information differently. For example,
paragraph (c)(1) requires information
security programs to include safeguards
that address access control of customer
information. The paragraph requires
financial institutions to develop
measures to ensure only authorized
users access customer information, but
does not prescribe any particular
measures that must be adopted. When
designing these measures, a financial
institution may design a system in
which more sensitive information is
protected by more stringent access
controls. Even in the more specific
provisions of the Rule, there is
flexibility to address the relative
sensitivity of information. For example,
in § 313.4(c)(5)’s requirement that
customer information be protected by
multi-factor authentication, financial
institutions have flexibility to
implement the multi-factor
authentication depending on the
sensitivity of the information. The
financial institution may select factors
such as SMS text messages to access less
sensitive information, but determine
more sensitive information should be
protected by other, more secure, factors
for authentication.
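As an added illustration of the flexibility described above (example code, not part of the Rule or the Commission's text), the following policy check grants access to a record only when the user holds a role entitled to that sensitivity tier and the session's second factor is at least as strong as the tier demands, so SMS one-time codes suffice for less sensitive data while the most sensitive data requires a phishing-resistant factor. The tiers, role names, factor names and thresholds are assumed for illustration.

```python
"""Added example (not part of the FTC rule text): a small access-control
policy that applies more stringent authentication to more sensitive
customer information, as the discussion of paragraphs (c)(1) and (c)(5)
contemplates. Sensitivity tiers, roles and factor names are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    # Constructed tiers; a real program would derive these from its risk assessment.
    LOW = 1       # e.g. contact details
    MODERATE = 2  # e.g. account numbers
    HIGH = 3      # e.g. Social Security numbers, full credit files


# Factor types ordered roughly by resistance to phishing and SIM-swap attacks.
# An SMS code is a possession factor but weaker than an app- or hardware-based one.
FACTOR_STRENGTH = {
    "password": 0,  # knowledge factor only; never counts as a second factor
    "sms_otp": 1,   # possession factor tied to a phone number
    "totp_app": 2,  # possession factor not tied to the phone number
    "fido2": 3,     # phishing-resistant hardware or platform authenticator
}

# Constructed policy: minimum second-factor strength and entitled roles per tier.
POLICY = {
    Sensitivity.LOW: {"min_factor": 1, "roles": {"teller", "collections", "analyst"}},
    Sensitivity.MODERATE: {"min_factor": 2, "roles": {"teller", "analyst"}},
    Sensitivity.HIGH: {"min_factor": 3, "roles": {"analyst"}},
}


@dataclass
class Session:
    user: str
    roles: set      # roles assigned to the user
    factors: set    # factor types verified during this session


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_access(session: Session, sensitivity: Sensitivity) -> Decision:
    """Decide whether a session may read a record of the given sensitivity.

    Two checks express the (c)(1) goal that only authorized users reach
    customer information: the user must hold an entitled role, and the
    session must carry a knowledge factor plus a second factor at least as
    strong as the tier's minimum.
    """
    policy = POLICY[sensitivity]
    if not (session.roles & policy["roles"]):
        return Decision(False, f"role not authorized for {sensitivity.name} data")
    if "password" not in session.factors:
        return Decision(False, "no knowledge factor verified")
    # Unknown factor names are ignored rather than trusted.
    second = [FACTOR_STRENGTH.get(f, 0) for f in session.factors]
    strongest = max(second)
    if strongest == 0:
        return Decision(False, "multi-factor authentication not completed")
    if strongest < policy["min_factor"]:
        return Decision(False, f"second factor too weak for {sensitivity.name} data "
                               f"(strength {strongest} < {policy['min_factor']})")
    return Decision(True, f"{sensitivity.name} access granted")


if __name__ == "__main__":
    teller = Session("alice", {"teller"}, {"password", "sms_otp"})
    for tier in Sensitivity:
        print(tier.name, evaluate_access(teller, tier))
```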
Third-Party Standards and Frameworks
In addition, in the NPRM, the
Commission asked whether the
Safeguards Rule should incorporate
outside standards, such as the National
Institute of Standards and Technology
(‘‘NIST’’) framework, either as required
elements of an information security
program or as a safe harbor that would
treat compliance with such a standard
as compliance with the Safeguards Rule.
Some commenters advocated for the
adoption of an outside standard into the
Safeguards Rule.84 Cisco Systems, Inc.
suggested the Safeguards Rule should be
connected to NIST guidance, arguing
this would allow the Rule to evolve as
NIST’s guidance evolves.85 An
anonymous commenter suggested the
Rule should comply with ‘‘international
standard ISO/IEC 27001.’’ 86 The
National Consumer Law Center argued
certain financial institutions with
particularly sensitive customer
information should be required to
comply with guidelines issued by NIST
and the Federal Financial Institutions
Examination Council (FFIEC).87 Other
commenters acknowledged the value of
outside standards but were opposed to
the Rule requiring compliance with
them.88
Some commenters suggested while
compliance with outside standards
should not be required, compliance
should serve as a ‘‘safe harbor’’ for
compliance with the Rule.89 On the
other hand, Consumer Reports noted
while such standards can be helpful
guidance, they should not be a safe
harbor for compliance with the Rule
because financial institutions must take
steps to ensure they are responding to
changing information security threats
regardless of the requirements of an
outside framework.90
The Commission declines to change
the Rule to incorporate or reference a
particular security standard or
framework for a variety of reasons. First,
it is not clear the more detailed
frameworks would apply well to
financial institutions of various sizes
and industries. In addition, mandating
companies follow a particular security
standard or framework would reduce
the flexibility built into the Rule.
Similarly, the Commission declines to
make compliance with an outside
standard a safe harbor for the Rule. In
such a scenario, the use of safe harbors
would not greatly enhance regulatory
stability or predictability for financial
institutions because the Commission
would be required to actively monitor
whether those standards continued to
provide equivalent protections for
Safeguards compliance and modify the
Rule if a standard became inadequate. In
addition, in investigating possible
violations of the Rule, the Commission
would be required to independently
verify whether the financial institution
had in fact complied with the outside
framework, which would require
substantial effort and expense on the
part of the Commission and the target of
the investigation.
84 Cisco Systems, Inc. (comment 51, NPRM), at 4;
National Consumer Law Center and others
(comment 58), at 2; Anonymous (comment 2,
Workshop).
85 Cisco Systems, Inc. (comment 51, NPRM), at 4.
86 Anonymous (comment 2, Workshop). The ISO/
IEC 27001 standard is an information security
standard issued by the International Organization
for Standardization. See ISO/IEC 27001 Information
Security Management, ISO, https://www.iso.org/isoiec-27001-information-security.html (last
accessed 15 Dec. 2020).
87 National Consumer Law Center and others
(comment 58, NPRM), at 2.
88 HITRUST (comment 18, NPRM), at 2; see also
Consumer Reports (comment 52, NPRM), at 6–7
(discouraging the adoption of outside standards as
a safe harbor for companies).
89 Mortgage Bankers Association (comment 26,
NPRM), at 2 (suggesting Rule be modified so
financial institutions that use the NIST
Cybersecurity Framework would be in de facto
compliance with the Rule); see also National
Pawnbrokers Association (comment 32, NPRM), at
6–7 (advocating for the adoption of safe harbors for
small financial institutions without detailing what
should be required to qualify for the safe harbor).
90 Consumer Reports (comment 52, NPRM), at 6–
7.
Specific Elements
In addition to these generally
applicable comments, commenters
addressed many of the individual
elements set forth by this section. These
elements are discussed in more detail
below.
Paragraph (a)—Designation of a Single
Qualified Individual
Proposed paragraph (a) changed the
current requirement that institutions
designate an ‘‘employee or employees to
coordinate your information security
program’’ to instead require the
financial institution to designate ‘‘a
qualified individual responsible for
overseeing and implementing your
information security program and
enforcing your information security
program.’’ 91 This individual was
referenced in the Proposed Rule as a
Chief Information Security Officer or
‘‘CISO.’’
The notice of proposed rulemaking for
the Proposed Rule emphasized the use
of the term ‘‘CISO’’ was for clarity in the
Proposed Rule.92 Despite the use of the
term ‘‘CISO,’’ the Proposed Rule did not
require financial institutions to actually
grant that title to the designated
individual. Commenters that responded
to this proposal, however, generally
assumed the person designated to
coordinate and oversee a financial
institution’s information security
program would be required to have the
qualifications, duties, responsibilities,
and accompanying pay of a CISO as that
position is generally understood in the
information security field.93 The
position of CISO is generally limited to
large companies with fairly complex
information security systems, so the
salary of this position is often very
high.94 Accordingly, many commenters
argued hiring a CISO would be
prohibitively expensive for many
financial institutions.95 Additionally,
commenters argued the hiring of such
an in-demand professional would be
difficult because of a general shortage of
such professionals available for hiring.96
91 Section 314.4(a).
92 84 FR 13165.
By using the term ‘‘CISO,’’ the
Commission did not intend to require
all financial institutions hire a highly
qualified professional with an extremely
high salary, regardless of the financial
institutions’ size or complexity. The
Proposed Rule required only that
financial institutions designate a
‘‘qualified individual’’ to oversee and
enforce their information security
program, without specifying any
particular level of experience,
education, or compensation, or
requiring any particular duties outside
of overseeing the financial institution’s
information security program and other
requirements specifically set forth in the
Rule.97 The use of the term ‘‘CISO’’ in
the Proposed Rule, however, caused
confusion about the requirements of this
section. Accordingly, the Final Rule
replaces the term ‘‘CISO’’ with
‘‘Qualified Individual’’ to refer to the
individual designated under this section
of the Rule.
The use of the term ‘‘Qualified
Individual’’ is meant to clarify the only
requirement for this designated
individual is that he or she be qualified
to oversee and enforce the financial
institution’s information security
program. What qualifications are
necessary will depend upon the size
and complexity of a financial
institution’s information system and the
volume and sensitivity of the customer
information the financial institution
possesses or processes. The Qualified
Individual of a financial institution with
a very small and simple information
system will need less training and
expertise than a Qualified Individual for
a financial institution with a large,
complex information system. The exact
qualifications will depend on the nature
of the financial institution’s information
system. Each financial institution will
need to evaluate its own information
security needs and designate an
individual with appropriate
qualifications to meet those needs.
93 U.S. Chamber of Commerce (comment 33,
NPRM), at 10; National Automobile Dealers
Association (comment 46), at 17–19; National
Independent Automobile Dealers Association
(comment 48, NPRM), at 5; ACA International
(comment 45, NPRM), at 8.
94 See, e.g., Brian McManamon, Safeguards
Workshop Tr., supra note 17, at 78 (estimating the
average annual salary of a CISO can range from
$180,000 to upwards of $400,000).
95 National Automobile Dealers Association
(comment 46, NPRM), at 17–19; National
Independent Automobile Dealers Association
(comment 48, NPRM), at 5; U.S. Chamber of
Commerce (comment 33, NPRM), at 10; ACA
International (comment 45, NPRM), at 8.
96 National Automobile Dealers Association
(comment 46, NPRM), at 18–19; U.S. Chamber of
Commerce (comment 33, NPRM), at 10; ACA
International (comment 45, NPRM), at 8.
97 84 FR 13175.
The Commission believes, in many
cases, financial institutions’ current
coordinators, whether their own
employees or third-party contractors,
may be qualified for this role.98 Because
the current Safeguards Rule requires
financial institutions to designate an
‘‘employee or employees to coordinate
your information security program,’’
financial institutions in compliance
with that Rule will already have one or
more information security coordinators.
Although the current Rule does not
expressly require that these coordinators
be qualified for that position, the
current Rule requires a financial
institution to maintain ‘‘appropriate’’
safeguards, regularly test those
safeguards, and evaluate and adjust the
information security program in light of
that testing.99 In order to effectively
comply with these ongoing
requirements, a financial institution’s
coordinator must have some level of
information security training and
knowledge and, therefore, will likely be
an appropriate Qualified Individual
under the Final Rule. Accordingly, in
many cases this amendment to the Rule
will not require any additional hiring
expenses.
In addition to explicitly requiring that
the information security program
coordinator be qualified for the role, the
Commission proposed to require the
designation of a single employee, as
opposed to the multiple coordinators
allowed by the existing Rule. Some
commenters objected to this proposal on
the grounds that it would interfere with
financial institutions’ flexibility in
organizing their information security
personnel.100 For example, the
Consumer Data Industry Association
(‘‘CDIA’’) commented the designation of
a single coordinator would interfere
with financial institutions’ ability to
organize their program ‘‘to share
responsibilities among different
personnel with different strengths.’’ 101
Similarly, ACA International argued this
requirement would prevent financial
institutions from having multiple staff
members share responsibilities for
information security programs.102
98 Remarks of James Crifasi, Safeguards Workshop
Tr., supra note 17, at 74 (stating car dealerships can
rely on existing staff for this role); Remarks of Lee
Waters, Safeguards Workshop Tr., supra note 17, at
78–79 (stating any dealership with any IT staff at
all would have someone who could assume the role
of ‘‘qualified individual,’’ perhaps requiring some
additional research or outside help); Remarks of
Rocio Baeza, Safeguards Workshop Tr., supra note
17, at 81–82 (stating companies may use an existing
employee for the role and ‘‘for any areas where
there may be skill gaps, that can be supplemented
with either certifications or some type of
education.’’).
99 16 CFR 314.4.
Other commenters argued the
designation of a single individual as the
coordinator of the information security
program provides no proven benefits
over the use of multiple coordinators.103
Similarly, NADA argued that, while the
appointment of a single qualified
individual might improve
accountability, improving
accountability does not improve
security.104 On the other hand, a group
of consumer and advocacy groups
including the National Consumer Law
Center (‘‘NCLC’’) argued appointing a
single individual as the coordinator of
the information security program can
increase security and prevent security
events based on lack of accountability
and poor coordination.105
The Commission retains the
requirement to designate a single
qualified individual, because it believes
there are clear benefits to the
designation of a single coordinator.
Designating a single coordinator to
oversee an information security program
clarifies lines of reporting in enforcing
the program, can avoid gaps in
responsibility in managing data
security, and improve
communication.106
100 National Independent Automobile Dealers
Association (comment 48, NPRM), at 5; Consumer
Data Industry Association (comment 36, NPRM), at
5; National Association of Dealer Counsel (comment
44, NPRM), at 2; ACA International (comment 45,
NPRM), at 7–8; Money Services Round Table
(comment 53, NPRM), at 10; Gusto and others
(comment 11, Workshop), at 2; see also Remarks of
James Crifasi, Safeguards Workshop Tr., supra note
17, at 74 (stating ‘‘when we’re talking about a small
and medium business [. . .] we really need to see
that ‘qualified individual’ be a mix of folks’’).
101 Consumer Data Industry Association
(comment 36, NPRM), at 5.
102 ACA International (comment 45, NPRM), at 7–
8. NPA raised similar concerns. National
Pawnbrokers Association (comment 3, Workshop),
at 2.
103 Consumer Data Industry Association
(comment 36, NPRM), at 5; National Automobile
Dealers Association (comment 46, NPRM), at 19;
ACA International (comment 45, NPRM), at 8.
104 National Automobile Dealers Association
(comment 46, NPRM), at 19.
105 National Consumer Law Center and others
(comment 58, NPRM), at 3 (arguing that a clear line
of reporting with a single responsible individual
could have prevented the Equifax consumer data
breach).
The Commission disagrees with the
commenter who stated improved
accountability does not lead to
improved security. The goal of
improving accountability is to ensure
information security staff and financial
institution management give the
necessary attention and resources to
information security. In addition, an
individual that has clear responsibility
for the strength of a financial
institution’s information security
program will be accountable to improve
the program and ensure it protects
customer information.107
The major breach that occurred at
national consumer reporting agency
Equifax in 2017 demonstrates the
importance of clear lines of reporting
and accountability in management of
information security programs. The U.S.
House Committee on Oversight and
Government Reform issued a report on
the breach that identified Equifax’s
organization as one of the major causes
of the breach.108 The report indicated
Equifax’s division of responsibility for
information security between two
individuals that reported to two
different company officers contributed
to failures of communication, oversight,
and enforcement that led to millions of
consumers’ data being compromised.109
Increasing accountability for individuals
and organizations can directly lead to
improved security for customer
information.
Finally, the Commission does not
believe the requirement to designate a
single Qualified Individual would
prevent the approach of having multiple
people responsible for different aspects
of the program, as some commenters
asserted. While the Qualified Individual
appointed as the coordinator of the
information security program would
have ultimate responsibility for
overseeing and managing the
information security program, financial
institutions may still assign particular
duties and responsibilities to other staff
members.110 A financial institution may
organize its personnel in teams or share
decision making between individuals.
Moreover, the Rule does not require this
be the Qualified Individual’s sole job—
he or she may have other duties. The
Rule requires only that one individual
assume the ultimate responsibility for
overseeing and enforcing the program.
Accordingly, the Final Rule requires
designation of a single Qualified
Individual, as proposed, but no longer
uses the term ‘‘CISO.’’
106 Remarks of Adrienne Allen, Safeguards
Workshop Tr., supra note 17, at 182–84 (stating that
without a single responsible individual,
information security staff ‘‘can fall into traps of
each relying on someone else to make a hard call
. . . [In a program without a single coordinator]
issues can sometimes fall through the cracks.’’);
Remarks of Michele Norin, Safeguards Workshop
Tr., supra note 17, at 184–85 (‘‘I think it’s extremely
important to have a person in front of the
information security program. I think that there are
so many components to understand, to manage, to
keep an eye on. I think it’s difficult to do that if
it’s part of someone else’s job. And so I found that
it’s extremely helpful to have a person in charge of
that program just from a pure basic management
perspective and understanding perspective.’’).
107 See, e.g., Federal Trade Commission Staff
Comment on the Preliminary Draft for the NIST
Privacy Framework: A Tool for Improving Privacy
through Enterprise Risk Management (Oct. 24,
2019), at 12–14 (suggesting NIST clarify that one
person should be in charge of the program). https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-preliminary-draft-nist-privacy-framework/p205400nistprivacyframeworkcomment.pdf.
108 U.S. House, Committee on Oversight and
Government Reform, Majority Staff Report, The
Equifax Data Breach, at 55–62, 115th Congress (Dec.
2018).
109 Id.
Third-Party Coordinators
The Proposed Rule stated that the
Qualified Individual would not need to
be an employee of the financial
institution, but could be an employee of
an affiliate or a service provider. This
change was intended to accommodate
financial institutions that may prefer to
retain an outside expert, lack the
resources to employ a qualified person
to oversee a program, or decide to pool
resources with affiliates to share staff to
manage information security. The
Proposed Rule required, however, that
to the extent a financial institution used
a service provider or affiliate, the
financial institution must still: (1)
Retain responsibility for compliance
with the Rule; (2) designate a senior
member of its personnel to be
responsible for direction and oversight
of the Qualified Individual; and (3)
require the service provider or affiliate
to maintain an information security
program that protects the financial
institution in accordance with the Rule.
The Commission received one
comment on this aspect of the
provision. NADA argued that, because a
senior member of a financial
institution’s personnel must be
responsible for the oversight of a third-party Qualified Individual, the
supervising individual would need to be
an expert in information security, and
the financial institution would still be
required to hire an expensive employee
to supervise the third-party Qualified
Individual.111 The Rule, however, does
not require individuals responsible for
overseeing third-party Qualified
Individuals to be information security
experts themselves. The senior
personnel that oversees the third-party
Qualified Individual is charged with
supervising and monitoring the third-party so the financial institution is
aware of its data security needs and the
safeguards being used to protect its
information systems. This person does
not need to be qualified to coordinate
the information security program him or
herself. Technical staff are frequently
supervised by employees or officers
with limited technical expertise.112 The
Rule requires only the same
responsibilities a supervisor would have
in overseeing an in-house information
security coordinator of a financial
institution. Accordingly, the
Commission adopts the proposed
paragraph without modification.
110 See Remarks of Adrienne Allen, Safeguards
Workshop Tr., supra note 17, at 189–90 (noting
that, even where there is a single point person,
decision makers rarely operate ‘‘in a vacuum.’’).
Proposed Paragraph (b)
The NPRM proposed amending
paragraph (b) to clarify a financial
institution must base its information
security program on the findings of its
risk assessment by adding an explicit
statement that financial institutions’
‘‘information security program [shall be
based] on a risk assessment.’’ 113 In
addition, the Proposed Rule removed
existing § 314.4(b)’s requirement that
the risk assessment must include
consideration of specific risks 114
because these specific risks are set forth
elsewhere in the Proposed Rule.115 The
Commission received no comments on
this paragraph and adopts paragraph (b)
as proposed.
Written Risk Assessment
Paragraph (b)(1) of the Proposed Rule
required the risk assessment be written
and include: (1) Criteria for the
evaluation and categorization of
identified security risks or threats the
financial institution faces; (2) criteria for
the assessment of the confidentiality,
integrity, and availability of the
financial institution’s information
systems and customer information,
including the adequacy of the existing
controls in the context of the identified
risks or threats to the financial
institution; and (3) requirements
describing how identified risks will be
mitigated or accepted based on the risk
assessment and how the information
security program will address the
financial institution’s risks. Commenters
raised several concerns about the
Proposed Rule’s provisions on risk
assessment, none of which merit
changes to the Proposed Rule.
111 National Automobile Dealers Association
(comment 46, NPRM), at 18.
112 See Remarks of James Crifasi, Safeguards
Workshop Tr., supra note 17, at 79–80 (stating that,
in his work as a third-party information security
service provider, he is often overseen by executives
without technical backgrounds); see also Remarks
of Rocio Baeza, Safeguards Workshop Tr., supra
note 17, at 105–06 (noting distinction in how
executives and technical staff may understand their
organizations’ use of encryption); Remarks of
Karthik Rangarajan, Safeguards Workshop Tr.,
supra note 17, at 196 (discussing challenges
inherent in discussing technical issues with board
members who lack a technical background) and at
211 (noting organizations can successfully manage
their relationships with third-party service
providers without ‘‘becom[ing] experts’’ in the
services provided).
113 Proposed 16 CFR 314.4(b).
114 Proposed 16 CFR 314.4(b)(1), (2), and (3).
115 See, e.g., Proposed 16 CFR 314.4(c)(2) and (10)
and (e).
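The three components of the written risk assessment in proposed paragraph (b)(1), as an added example that is not part of the Rule text or the Commission's discussion: a scoring scale with categories (criterion 1), an impact rating for confidentiality, integrity and availability discounted by the adequacy of existing controls (criterion 2), and an accept-or-mitigate disposition against a stated risk tolerance (criterion 3). The scales, thresholds, tolerance and sample risks are constructed for illustration; a real assessment would document its own.

```python
"""Added example (not part of the FTC rule text): a minimal written risk
assessment structured around the three criteria proposed for
§ 314.4(b)(1). All scales, thresholds and sample risks are constructed."""
from dataclasses import dataclass

# Criterion (1): the scale and categories used to evaluate identified risks.
SCALE = range(1, 6)                      # 1 = negligible ... 5 = severe
CATEGORIES = [(5, "Low"), (10, "Moderate"), (16, "High"), (25, "Critical")]
RISK_TOLERANCE = 6                       # residual score at or below this may be accepted


@dataclass(frozen=True)
class Risk:
    threat: str              # identified risk or threat
    asset: str               # information system or customer information affected
    likelihood: int          # on SCALE
    confidentiality: int     # criterion (2): impact on each property, on SCALE
    integrity: int
    availability: int
    control_adequacy: float  # 0.0 (no effective control) .. 1.0 (fully mitigating)
    existing_controls: str   # what is in place today, recorded in the assessment

    def __post_init__(self):
        # Reject ratings outside the documented scale so the record stays consistent.
        for v in (self.likelihood, self.confidentiality, self.integrity, self.availability):
            if v not in SCALE:
                raise ValueError(f"{self.threat}: score {v} outside scale {SCALE}")
        if not 0.0 <= self.control_adequacy <= 1.0:
            raise ValueError(f"{self.threat}: control_adequacy must be within [0, 1]")


def inherent_score(r: Risk) -> int:
    """Likelihood times the worst-case impact across C, I and A."""
    return r.likelihood * max(r.confidentiality, r.integrity, r.availability)


def residual_score(r: Risk) -> float:
    """Inherent score discounted by how adequate the existing controls are."""
    return round(inherent_score(r) * (1.0 - r.control_adequacy), 1)


def categorize(score: float) -> str:
    """Map a score onto the categories defined under criterion (1)."""
    for upper, label in CATEGORIES:
        if score <= upper:
            return label
    return CATEGORIES[-1][1]


def disposition(r: Risk) -> str:
    """Criterion (3): state whether the risk is accepted or must be mitigated."""
    return "ACCEPT" if residual_score(r) <= RISK_TOLERANCE else "MITIGATE"


def written_assessment(risks):
    """Return the assessment as records a written program document can be built from."""
    rows = []
    for r in risks:
        inherent, residual = inherent_score(r), residual_score(r)
        rows.append({
            "threat": r.threat, "asset": r.asset,
            "inherent": inherent, "inherent_category": categorize(inherent),
            "existing_controls": r.existing_controls,
            "residual": residual, "residual_category": categorize(residual),
            "disposition": disposition(r),
        })
    # Highest residual risk first so mitigation effort is prioritized.
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample risks for a small lender's systems.
SAMPLE_RISKS = [
    Risk("Credential phishing of staff", "loan-origination portal", 4, 5, 3, 2,
         0.5, "password policy, annual awareness training"),
    Risk("Lost or stolen laptop", "customer files on endpoints", 3, 5, 1, 2,
         0.9, "full-disk encryption, remote wipe"),
    Risk("Ransomware on file server", "document store", 3, 4, 5, 5,
         0.2, "antivirus only; backups untested"),
]

if __name__ == "__main__":
    for row in written_assessment(SAMPLE_RISKS):
        print(f"{row['disposition']:8} residual={row['residual']:5} "
              f"({row['residual_category']:8}) {row['threat']}")
```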
First, some commenters objected to
the level of specificity of the Proposed
Rule, with some arguing the
requirements were too specific, and
others arguing the requirements were
not specific enough. With respect to the
Proposed Rule being too specific,
commenters such as ACA and U.S.
Chamber of Commerce argued it
removed financial institutions’
flexibility in performing risk
assessments.116 The U.S. Chamber of
Commerce contended, because the
criteria are too specific, a risk
assessment performed using them
would not be ‘‘sufficiently risk
based.’’ 117 CDIA expressed concern it
was unclear ‘‘what level of specificity is
required’’ in the written risk assessment
and if detailed risk assessments are
required, they ‘‘could themselves
become a roadmap for a security
breach.’’ 118
In contrast, several other commenters
recommended the Rule set forth more
specific criteria for risk assessments.
Inpher suggested the Commission add a
requirement that risk assessments
require financial institutions to examine
‘‘technologies that are deployed by
[financial institutions’] information
security systems, and evaluate the
feasibility’’ of adopting ‘‘privacy
enhancing technologies’’ that would
better address vulnerabilities and thwart
threats.119 Inpher also recommended the
Rule require financial institutions to
conduct privacy impact assessments
with ‘‘specific guidelines to review
internal data protection standards and
adherence to fair information
principles.’’ 120 The Princeton Center
suggested the Rule require risk
assessments to include threat modeling
and adopt the concept of defense in
depth.121 HALOCK Security Labs
recommended the Rule specifically
require ‘‘a) That risk assessments should
evaluate the likelihood of magnitudes of
harm that result from threats and errors,
b) That risk assessments should
explicitly estimate foreseeable harm to
consumers as well as to the covered
financial institutions, c) That risk
mitigating controls are commensurate
with the risks they address, [and] d)
That risk assessments estimate
likelihoods and impacts using available
data.’’ 122
116 ACA International (comment 45, NPRM), at
12; U.S. Chamber of Commerce (comment 33,
NPRM), at 10.
117 U.S. Chamber of Commerce (comment 33,
NPRM), at 10.
118 Consumer Data Industry Association
(comment 36, NPRM), at 5.
119 Inpher, Inc. (comment 50, NPRM), at 4.
The Commission believes the
Proposed Rule’s provisions on risk
assessment strike the right balance
between specificity and flexibility. The
amendments provide only a high-level
list of criteria the risk assessment must
address. They essentially require that
the financial institution identify and
evaluate risks to its systems, evaluate
the adequacy of its existing controls for
addressing these risks, and identify how
these risks can be mitigated. These are
core requirements of any risk assessment.123 The Rule does not
require any specific methodology or
approach for performing the assessment.
Financial institutions are free to perform
the risk assessment using the method
most suitable for their organization as
long as that method meets the general
requirements set forth in the Rule. 124
And while the Commission agrees the
additional requirements suggested by
some commenters may be beneficial in
many, or even most, risk assessments, it
believes a more flexible requirement
will better allow financial institutions to
find the risk assessment method that
best fits their organization and will
better accommodate changes in
recommended approaches in the future.
120 Id.
121 Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 2.
122 HALOCK Security Labs (comment 4,
Workshop) at 2. See Rocio Baeza (comment 12,
Workshop) at 2–3 (suggesting a detailed list of
requirements for the risk assessment).
123 See, e.g., Remarks of Chris Cronin, Safeguards
Workshop Tr., supra note 17, at 25 (stating that
evaluating the likelihoods and impacts of potential
security risks and evaluating existing controls is an
important component of a risk assessment);
Remarks of Serge Jorgensen, Safeguards Workshop
Tr., supra note 17, at 29–30 (emphasizing the
importance of risk assessments as tools for adjusting
existing security measures to account for both
current and future security threats); Nat. Inst. of Sci.
& Tech., U.S. Dept. of Com., Special Publication
800–30 Rev. 1, Guide for Conducting Risk
Assessments 1 (2012) (describing the purpose of
risk assessments as the identification of and
prioritization of risk in order to inform decision
making and risk response).
124 ACA International further argued because risk
assessment criteria are generally understood, they
do not need to be included in the Final Rule. ACA
International (comment 45, NPRM). The
Commission believes it is helpful to be clear about
the criteria the risk assessment must contain, even
if those criteria are commonly understood.
In response to CDIA’s concern about
the risk assessment providing a
roadmap for bad actors, certainly, the
written risk assessment will include
details about a financial institution’s
systems that could assist an attacker if
obtained by the attacker. Accordingly,
the risk assessment should be protected
as any other sensitive information
would be. The Commission does not
view this concern as a reason not to
create such a document. Indeed, the
concern would apply to any written
document that provides information
regarding a financial institution’s
information security procedures, from a
network diagram to written security
code.
Second, some commenters argued
implementing the risk-assessment
provision as proposed would be too
expensive and difficult for financial
institutions.125 For example, NADA
argued the contemplated risk
assessment would be very costly
because the criteria set out in paragraph
(b)(1) are ‘‘well outside the scope of
expertise of anyone but the most
sophisticated IT professionals.’’ 126 In
response, although the Commission
declines to modify the provision, it
addresses NADA’s concern in § 314.6 by
exempting financial institutions that
maintain information concerning fewer
than 5,000 consumers from the specific
requirements of paragraph (b)(1), and
from the requirement to memorialize the
risk assessment in writing. For those
financial institutions that do not qualify
for this exemption, the Commission
believes they will be able to perform the
required risk assessment in a manner
that is practical and affordable for their
institution. There are many resources
available to financial institutions to aid
in risk assessment, including service
providers that can assist institutions of
various sizes.127
While acknowledging there will be
some cost to conducting a risk
assessment, the Commission believes a
properly conducted risk assessment is
an essential part of a financial
institution’s information security
program. The entire Safeguards Rule,
both as it currently exists and as
amended, requires that the information
security program be based on a risk
assessment. An information security
program cannot properly guard against
risks to customer information if those
risks have not been identified and
assessed.128 The Commission believes
this requirement properly emphasizes
the importance of robust risk
assessments, while providing financial
institutions sufficient flexibility in
performing these assessments. Finally,
the Commission notes, because the
current Rule also requires that a risk
assessment be performed, financial
institutions that have complied with the
current Rule have already conducted a
risk assessment. And, even if that risk
assessment was not memorialized in
writing, the work conducted for that risk
assessment should be useful in
performing future risk assessments.
Third, NADA objected to the
requirement that the risk assessment
describe how each identified risk will
be ‘‘mitigated or accepted,’’ arguing it is
not clear when it is appropriate to
‘‘accept a risk.’’ 129 NADA argued that
documenting a decision to accept a risk
would ‘‘create a record that can be
distorted and second guessed after the
fact,’’ and ‘‘context is lost when it is
written and reviewed after an incident
has occurred.’’ 130 The Rule does not
require a financial institution to mitigate
every risk identified, no matter how
remote or insignificant. Instead, the
Rule allows a financial institution to
accept a risk, if its assessment of the risk
reveals that the chance it will produce
a security event is very small, if the
consequences of the risk are minimal, or
the cost of mitigating the risk far
outweighs the benefit. In those cases,
the financial institution may choose to
accept the risk. A financial institution
concerned that its decision to accept a
risk will later be questioned may choose
to set forth whatever context or
explanation it sees fit in the written
assessment.
125 National Association of Dealer Counsel
(comment 44, NPRM), at 3; National Automobile
Dealers Association (comment 46, NPRM), at 20.
126 National Automobile Dealers Association
(comment 46, NPRM), at 20.
127 See, e.g., Slides Accompanying Remarks of
Rocio Baeza, in Safeguards Workshop Slides, supra
note 72, at 27–28 (describing three different
compliance models: In-house, outsource, and
hybrid, with costs ranging from $199 per month to
more than $15,000 per month); Slides
Accompanying the Remarks of Brian McManamon,
‘‘Sample Pricing,’’ in Safeguards Workshop Slides,
supra note 72, at 29 (estimating the cost of
cybersecurity services based on number of
endpoints: $2K–$5K per month for 25–250
endpoints; $5K–$15K for 250–750 endpoints;
$15K–$30K for 750–1,000 endpoints; and $30K–
$50K for 1,500–2,500 endpoints); see also Remarks
of Brian McManamon, Safeguards Workshop Tr.,
supra note 17, at 83–85.
128 See Remarks of Chris Cronin, Safeguards
Workshop Tr., supra note 17, at 48–49 (noting all
information security frameworks and guidelines are
based on risk analysis).
129 National Automobile Dealers Association
(comment 46, NPRM) at 20.
130 Id.
Finally, while several commenters
supported the idea of conducting
‘‘periodic’’ risk assessments as required
by the Proposed Rule,131 NADA
objected it is unclear how often
financial institutions need to conduct
risk assessments under this section. 132
In order to be effective, a risk
assessment must be subject to periodic
reevaluation to adapt to changes in both
financial institutions’ information
systems and changes in threats to the
security of those systems. The
Commission declines, however, to set
forth a specific schedule for risk
assessments. The Commission believes
it would not be appropriate to set forth
an inflexible schedule for periodic risk
assessments because each financial
institution must set its own schedule
based on the needs and resources of its
institution.
The Final Rule adopts § 314.4(b) as
proposed.
Paragraph (c)
Proposed paragraph (c) retained the
existing Rule’s requirement for financial
institutions to design and implement
safeguards to control the risks identified
in the risk assessment. In addition, it
added more detailed requirements for
what the safeguards must address (e.g.,
access controls, data inventory,
disposal, change management,
monitoring). These specific
requirements represent elements of an
information security program that the
Commission views as essential and
should be addressed by all financial
institutions.133
As a preliminary matter, Global
Privacy Alliance (GPA) argued all of
these elements should be made optional
and financial institutions should be
required only to take these elements
‘‘into consideration’’ when designing
their information security programs.134
While the Commission agrees it is
important that the Rule allow financial
institutions flexibility in designing their
information security programs, these
elements are such important parts of
information security that each program
must address them. For example, an
information security program that has
no access controls or does not contain
any measures to monitor the activities of
users on the systems cannot be said to
be protecting the financial institution’s
systems. The Final Rule, therefore,
continues to require each information
security program to contain safeguards
that address these elements, with
modifications described below.
131 Inpher, Inc. (comment 50, NPRM), at 3; Global
Privacy Alliance (comment 38, NPRM), at 11.
132 National Automobile Dealers Association
(comment 46, NPRM), at 20.
133 NADA disagreed with the Commission’s
statement in the NPRM for the Proposed Rule that
‘‘most financial institutions already implement’’ the
specific requirements in paragraph (c), stating that
many financial institutions ‘‘do not currently
implement some or all of these measures.’’ National
Automobile Dealers Association (comment 46,
NPRM), at 20. The Commission continues to believe
most financial institutions institute some form of
most of these measures, such as access control,
secure disposal, and monitoring authorized users,
based on its enforcement and business outreach
experience. While NADA’s statement that some
financial institutions implement none of the
measures may be true, this underlines the necessity
of making these elements explicit requirements
under the Rule, as these elements are necessary for
a reasonable information security program for all
financial institutions. Indeed, a financial institution
that utilizes none of these elements and exercises
no access control, no secure disposal procedures,
and does not monitor users of its systems is
unlikely to be in compliance with the current Rule.
Access Controls
Proposed paragraph (c)(1) required
financial institutions to ‘‘place access
controls on information systems,
including controls to authenticate and
permit access only to authorized
individuals to protect against the
unauthorized acquisition of customer
information and to periodically review
such access controls.’’
Commenters suggested a number of
modifications to this provision. First,
GPA argued this provision should
require controls on access to
information, rather than on information
systems.135 Second, several commenters
suggested adding further safeguards to
the ‘‘access control’’ requirement. For
example, the Princeton Center argued
the Rule should adopt the ‘‘Principle of
Least Privilege,’’ a principle that no user
should have access greater than is
necessary for legitimate business
purposes.136 Reynolds and Reynolds
Company (Reynolds) suggested the Rule
clarify that financial institutions must
‘‘vet, control, and monitor user access to
sensitive information.’’ 137 Consumer
Reports argued paragraph (c)(1) should
be amended to control access not just to
authorized users, but to further limit
access to when such access is
reasonably necessary.138 ACE argued
that any requirement for physical access
control allow financial institutions to
determine which locations should have
restricted access, rather than limiting
physical access to every building and
office within, say, a college campus.139
Finally, some commenters argued the
proposed language was too vague,140
particularly as it applied to vendor-supplied services.141
134 Global Privacy Alliance (comment 38, NPRM),
at 6.
135 Global Privacy Alliance (comment 38, NPRM),
at 9–10.
136 Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 4–5.
137 Reynolds and Reynolds Company (comment 7,
Workshop), at 7.
138 Consumer Reports (comment 52, NPRM), at 7.
In response to the comments, the
Commission makes a number of changes
to this provision in the Final Rule. First,
the Commission clarifies that the Rule
requires access controls, not just for
information systems, but for all
customer information, whether it is
housed in information systems or in
physical locations. To streamline the
Rule, the Final Rule combines the
separate physical access controls
requirement found in proposed
paragraph (c)(3) with this paragraph.
Physical access controls will generally
be most important in situations in
which sensitive customer information is
kept in physical form (such as hardcopy loan applications, or printed
consumer reports). It may also require
physical restrictions to access machines
that contain customer information (e.g.,
locked doors and/or key card access to
a computer lab).142 The Commission
declines to make any changes in
response to ACE’s concern that every
physical location will need to be
protected—as the Rule states, physical
controls must be implemented to protect
unauthorized access to customer
information. Where no customer
information exists, the Rule would not
require physical controls.
Second, the Commission agrees with
the commenters who advocated that the
Rule implement the principle of least
privilege. The Commission does not
believe it is appropriate, for example,
for larger companies to give all
employees and service providers access
to all customer information. Such
overbroad access could create additional
harm in the event of an intruder gaining
access to a system by impersonating an
employee or service provider.
Accordingly, the Commission clarifies
this in the Final Rule by adding a
requirement that not only must a
financial institution implement access
controls, but it should also restrict
access only to customer information
needed to perform a specific function.
139 American Council on Education (comment 24,
NPRM), at 10.
140 National Automobile Dealers Association
(comment 46, NPRM), at 23; National Independent
Automobile Dealers Association (comment 48,
NPRM), at 5; American Council on Education
(comment 24, NPRM), at 10.
141 National Independent Automobile Dealers
Association (comment 48, NPRM), at 5; American
Council on Education (comment 24, NPRM), at 10.
142 NIADA suggested instituting physical access
controls would cost a dealership $215,000 because
each computer would need to have its own lockable
cubicle and there would need to be lockable offices
for all desks. See Remarks of Lee Waters, Safeguards
Workshop Tr., supra note 17, at 76. As originally
promulgated, the Rule already requires financial
institutions implement ‘‘physical safeguards that
are appropriate to your size and complexity.’’ 16
CFR 314.3. The Final Rule’s requirement is
consistent with that longstanding requirement. If
computers have technical safeguards preventing
unauthorized users from accessing customer
information, they usually will not need to be in a
lockable area, particularly if they are not generally
left unattended and are not likely to be stolen.
Similarly, desks would need to be in lockable
offices only if they contain accessible paper records.
A lockable file cabinet may be a more economical
solution.
As to the suggestion the Commission
impose monitoring requirements for
access, that requirement exists in
paragraph (c)(8). And as to the
suggestion the requirement is too vague
as to service providers, the Commission
believes the Final Rule is clear: When a
vendor accesses the financial
institution’s data or information
systems, the financial institution must
ensure appropriate access controls are
in place. Separately, under paragraph
(f), the financial institution must
reasonably oversee the vendor’s
safeguards, which would necessarily
include access controls for the vendor’s
system.
Finally, as to the suggestion the
provision is vague generally, as
discussed above, the Final Rule seeks to
preserve flexibility in its provisions,
both so that financial institutions can
design programs appropriate for their
systems and so that changes in
technology or security practices will not
render the Rule obsolete. The
Commission believes maintaining less
prescriptive requirements is the best
way to achieve the goal of flexibility and
protecting customer information.143
Accordingly, the Commission
combines paragraphs (c)(1) and (3) from
the Proposed Rule into revised
paragraph (c)(1) of the Final Rule, which
requires implementing and periodically
reviewing access controls on customer
information, including technical and, as
appropriate, physical controls to (1)
authenticate and permit access only to
authorized users to protect against the
unauthorized acquisition of customer
information and (2) limit authorized
users’ access only to customer
information that they need to perform
their duties and functions, or, in the
case of customers, to access their own
information.144
143 NPA expressed concern about the effect of the
Rule on pawnbrokers who the commenter stated are
required by law to allow law enforcement access to
their physical records. National Pawnbrokers
Association (comment 32, NPRM), at 7. Nothing in
the Rule conflicts with any such requirements. Law
enforcement appropriately accessing customer
information under a law that requires that access
would be considered authorized use under those
circumstances.
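The two halves of revised paragraph (c)(1), authenticating users and limiting each authorized user to the customer information their function needs (or, for a customer, to their own record), as an added example in Python. This is illustrative code written for this discussion, not text of the Rule or any regulated institution's system; the roles, field names, sample customer records, credentials and the need-to-know map are all constructed assumptions.

```python
"""Added example: an access check shaped like revised paragraph (c)(1).
Not part of the Rule text or any institution's code; all roles, fields,
records, credentials and the need-to-know map are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed need-to-know map: the customer fields each function requires.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "loan_officer": {"name", "income", "credit_score"},
    "collections": {"name", "phone", "balance"},
}
# A customer may see every field, but only of their own record.
CUSTOMER_OWN_FIELDS: Set[str] = {"name", "phone", "balance", "income", "credit_score"}


@dataclass
class User:
    user_id: str
    role: str                           # "loan_officer", "collections" or "customer"
    salt: bytes
    pw_hash: bytes
    customer_id: Optional[str] = None   # set only on customer accounts


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a copied user table does not yield reusable credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id: str, role: str, password: str,
              customer_id: Optional[str] = None) -> User:
    salt = os.urandom(16)
    return User(user_id, role, salt, hash_password(password, salt), customer_id)


def authenticate(users: Dict[str, User], user_id: str, password: str) -> Optional[User]:
    """First half of (c)(1): only a user who proves their identity is authorized."""
    user = users.get(user_id)
    if user is None:
        return None
    if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return user
    return None


def permitted_fields(user: User, customer_id: str) -> Set[str]:
    """Second half of (c)(1): the fields the function needs, or the customer's own record.
    An unknown role maps to no fields, so a misconfigured account fails closed."""
    if user.role == "customer":
        return CUSTOMER_OWN_FIELDS if user.customer_id == customer_id else set()
    return NEED_TO_KNOW.get(user.role, set())


def read_customer(records: Dict[str, Dict[str, object]], audit: List[dict],
                  user: User, customer_id: str) -> Dict[str, object]:
    """Return only the permitted fields and record the access for periodic review."""
    allowed = permitted_fields(user, customer_id)
    record = records.get(customer_id, {})
    view = {k: v for k, v in record.items() if k in allowed}
    audit.append({"user": user.user_id, "customer": customer_id,
                  "fields": sorted(view), "denied": sorted(set(record) - allowed)})
    return view


def demo():
    """Constructed users and records exercising each branch of the check."""
    users = {
        "lo1": make_user("lo1", "loan_officer", "lo1-secret"),
        "col1": make_user("col1", "collections", "col1-secret"),
        "cust-a": make_user("cust-a", "customer", "cust-a-secret", customer_id="A"),
    }
    records = {
        "A": {"name": "Customer A", "phone": "555-0100", "balance": 1200,
              "income": 54000, "credit_score": 700},
        "B": {"name": "Customer B", "phone": "555-0101", "balance": 0,
              "income": 81000, "credit_score": 760},
    }
    audit: List[dict] = []
    officer = authenticate(users, "lo1", "lo1-secret")
    results = {
        "bad_password": authenticate(users, "lo1", "wrong"),
        "officer_view": read_customer(records, audit, officer, "B"),
        "collections_view": read_customer(records, audit, users["col1"], "B"),
        "own_record": read_customer(records, audit, users["cust-a"], "A"),
        "other_record": read_customer(records, audit, users["cust-a"], "B"),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for name, view in results.items():
        print(name, view)
    for entry in audit:
        print(entry)
```

Running the block prints each user's view and the audit entries; that audit list is the kind of record the monitoring requirement in paragraph (c)(8), referred to above, would draw on when access controls are periodically reviewed. A wrong password yields no session at all, a loan officer never sees balance or phone, and a customer reading another customer's record gets an empty view with every field logged as denied.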
System Inventory
In the NPRM, the Commission
proposed to require the financial
institution to ‘‘[i]dentify and manage the
data, personnel, devices, systems, and
facilities that enable [the financial
institution] to achieve business
purposes in accordance with their
relative importance to business
objectives and [the financial
institution’s] risk strategy.’’ 145 This
requirement was designed to ensure the
financial institution inventoried the
data in its possession, inventoried the
systems on which that data is collected,
stored, or transmitted, and had a full
understanding of the relevant portions
of its information systems and their
relative importance.146 The Commission
retains this provision in the Final Rule
without modification.
Commenters raised two general
objections to this provision. First, some
commenters argued it was too vague and
that it was not clear how such an
inventory should be conducted or what
systems should be included.147 The
Commission believes the language
provides effective guidance while still
allowing a variety of approaches by
financial institutions in identifying
systems involved in their businesses.
This provision requires a financial
institution to identify all ‘‘data,
personnel, devices, systems, and
facilities’’ that are a part of its business
and to determine their importance to the
financial institution. This inventory of
systems must include all systems that
are a part of the business so the
financial institution can locate all
customer information it controls, the
systems connected to that information,
and how they are connected. This
inventory forms the basis of an
information security program because a
system cannot be protected if the
financial institution does not
understand its structure or know what
data is stored in its systems.
Second, ACE suggested the scope of
this provision should be limited to
systems ‘‘directly related to the privacy
and security of ‘customer
information.’ ’’ 148 The Commission
declines to make this change because
the purpose of this provision is to allow
financial institutions to obtain a clear
picture of their systems and to identify
where customer information is kept and
how it can be accessed. An inventory
must examine all systems in order to
identify all systems that contain
customer information or are connected
to systems that do. If a financial
institution does not first examine all
systems and instead limits the inventory
to systems it considers to be directly
related to security, it could give an
incomplete picture of the financial
institution’s systems and could result in
some customer information or ways to
connect to that information being
overlooked.149
144 As noted above, the Commission is also
changing the term ‘‘authorized individuals’’ to
‘‘authorized users.’’
145 Proposed 16 CFR 314.4(c)(2).
146 See, e.g., Complaint at 11, FTC v. Wyndham
Worldwide Corp., No. CV 2:12–cv–01365–SPL (D.
Ariz. June 26, 2012) (alleging company failed to
provide reasonable security by, among other things,
failing to inventory computers connected to its
network).
147 National Automobile Dealers Association
(comment 46, NPRM), at 23–24; American Financial
Services Association (comment 41, NPRM), at 5;
American Council on Education (comment 24,
NPRM), at 10.
The Commission adopts paragraph
(c)(2) of the Proposed Rule as final,
without modifications.
Access to Physical Location
Proposed paragraph (c)(3) would have
required that financial institutions
restrict access to physical locations
containing customer information only to
authorized individuals. The Final Rule
combines this section with proposed
paragraph (c)(1) in order to eliminate
redundancy and clarify that access
controls must consider both electronic
and physical access.
Encryption
Proposed paragraph (c)(4) required
financial institutions to encrypt all
customer information, both in transit
over external networks and at rest. The
Proposed Rule allowed financial
institutions to use alternative means to
protect customer information, subject to
review and approval by the financial
institution’s Qualified Individual.
Several commenters supported the
inclusion of an encryption
requirement.150 In fact, some suggested
the Proposed Rule did not go far enough
in requiring encryption. Inpher
suggested the Rule should require
encryption of customer information
when in use, in addition to when in
transit or at rest.151 The Princeton
Center suggested requiring encryption of
data while in transit over internal
networks, in addition to requiring it for
external networks, noting the blurring of
the distinction between internal and
external networks.152
148 American Council on Education (comment 24,
NPRM), at 10.
149 Another commenter criticized proposed
paragraph (c)(2) because some financial institutions
‘‘have no control’’ over which networks they
transmit customer information. National
Pawnbrokers Association (comment 32, NPRM), at
7. Paragraph (c)(2) does not require a financial
system to identify all networks over which it may
transmit customer information. See also, infra, this
document’s discussion of NPA’s comments on
§ 314.4(f) of the Final Rule, noting financial
institutions are generally not required to oversee
other entities’ service providers over which they
have no control.
150 Inpher, Inc. (comment 50, NPRM), at 4;
Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 3;
Electronic Privacy Information Center (comment 55,
NPRM), at 8; National Consumer Law Center and
others (comment 58, NPRM), at 3.
In contrast, others argued encryption
could be too expensive and technically
challenging for some financial
institutions and should not be required
in all cases.153 Indeed, GPA argued the
Rule should not require encryption at
all, financial institutions should be free
to adopt other protective measures for
customer information, and the Rule
should allow financial institutions to
‘‘determine the controls that are most
appropriate for protecting the sensitive
information that they handle.’’ 154
Similarly, some commenters argued
financial institutions should be required
to encrypt customer information only
when the risk to the customer
information justifies it.155 Others
suggested encryption in more limited
circumstances, such as on systems ‘‘to
which unauthorized individuals may
have access,’’ 156 for sensitive data,157 or
for data in transit.158 The Mortgage
Bankers Association argued encryption
at rest is unnecessary because customer
information at rest in a financial
institution’s system is sufficiently
protected by controlling access to the
system.159 Two commenters stated
guidelines issued by the Federal
Financial Institutions Examination
Council (FFIEC) do not require most
banks to encrypt data at rest, unless the
institution’s risk assessment indicates
such encryption is necessary.160
151 Inpher, Inc. (comment 50, NPRM), at 4.
152 Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 3.
153 National Pawnbrokers Association (comment
32, NPRM), at 3; U.S. Chamber of Commerce
(comment 33, NPRM), at 11; CTIA (comment 34,
NPRM) at 10; Wisconsin Bankers Association
(comment 37, NPRM), at 2.
154 Global Privacy Alliance (comment 38, NPRM),
at 7–8.
155 Bank Policy Institute (comment 39, NPRM), at
14; Mortgage Bankers Association (comment 26,
NPRM), at 6; Global Privacy Alliance (comment 38,
NPRM), at 7–8.
156 Bank Policy Institute (comment 39, NPRM), at
14.
157 U.S. Chamber of Commerce (comment 33,
NPRM), at 11; American Financial Services
Association (comment 41, NPRM), at 5; ACA
International (comment 45, NPRM), at 13; CTIA
(comment 34, NPRM), at 10.
158 Mortgage Bankers Association (comment 26,
NPRM), at 6; Wisconsin Bankers Association
(comment 37, NPRM), at 2; American Financial
Services Association (comment 41, NPRM), at 5;
Ken Shaurette (comment 19, NPRM), (suggesting
the Commission consider whether ‘‘databases,
applications and operating systems are prepared to
fully support full encryption without significant
performance impact or ability to continue to
function.’’); National Automobile Dealers
Association (comment 46, NPRM), at 25–26
(arguing the terms ‘‘at rest’’ and ‘‘in transit’’ are
unclear).
The Commission declines to modify
the encryption requirement from the
Proposed Rule. As to the comments that
suggest the requirement should be
relaxed, the Commission notes there are
numerous free or low cost encryption
solutions available to financial
institutions, particularly for data in
transit,161 that make encryption a
feasible solution in most situations. For
data at rest, encryption is now cheaper,
more flexible, and easier than ever
before.162 In many cases, widely used
software and hardware have built-in
encryption capabilities.163
In response to the argument that the
Rule should not require encryption at
159 Mortgage Bankers Association (comment 26,
NPRM), at 6.
160 Wisconsin Bankers Association (comment 37,
NPRM), at 2 (discussing FFIEC Information
Technology Booklet); American Financial Services
Association (comment 41, NPRM), at 5 (discussing
FFIEC Cybersecurity Assessment Tool).
161 See Remarks of Matthew Green, Safeguards
Workshop Tr, supra note 17, at 225 (noting website
usage of encryption is above 80 percent; ‘‘Let’s
Encrypt’’ provides free TLS certificates; and costs
have gone down to the point that if a financial
institution is not using TLS encryption for data in
motion, it is making an unusual decision outside
the norm); Remarks of Rocio Baeza, Safeguards
Workshop Tr., supra note 17, at 106 (‘‘[T]he
encryption of data in transit has been standard.
There’s no pushback with that.’’); see also National
Pawnbrokers Association (comment 3, Workshop),
at 2 (‘‘[I]n states that allow us to use technology for
the receipt of information from consumer customers
and software to print our pawn tickets and store
information, we believe our members have access
through their software providers to protections that
comply with the Safeguards Rule.’’).
162 See Remarks of Wendy Nather, Safeguards
Workshop Tr., supra note 17, at 267 (‘‘we have a
lot more options, a lot more technologies today than
we did before that are making both of these
solutions, both encryption and MFA, easier to use,
more flexible, in some cases cheaper, and we
should be encouraging their adoption wherever
possible.’’); Remarks of Matthew Green, Safeguards
Workshop Tr., supra note 17, at 265–66 (‘‘I think
that we’re in a great time when we’ve reached the
point where we can actually mandate that
encryption be used. I mean, years ago—I’ve been in
this field for 15, you know, 20 years now, I guess.
And, you know, encryption used to be this exotic
thing that was very, very difficult to use, very
expensive and not really feasible for securing
information security systems. And we’ve reached
the point where now it is something that’s come to
be and we can actually build well. So I’m really
happy about that.’’).
163 See Remarks of Randy Marchany, Safeguards
Workshop Tr., supra note 17, at 229–30 (noting
encryption is already built into the Microsoft Office
environment and a number of Microsoft products,
such as Spreadsheets, Excel, Docs, and PowerPoint,
support that encryption feature). Other applications
that have encryption built in include database
applications; app platforms iOS and Android; and
development frameworks for web applications on
banking sites.
rest because FFIEC guidelines do not
require it, the Commission notes the
Safeguards Rule is very different from
the guidelines issued by the FFIEC. The
depository financial institutions
regulated by the banking agencies are
subject to regular examinations by their
regulator. The guidelines created by the
FFIEC are designed to be used by the
examiner, as part of those examinations,
to evaluate the security of the financial
institution; the examiner thus has a
direct role in regularly verifying the
financial institution has taken
appropriate steps to protect its customer
information. In contrast, the Safeguards
Rule regulates covered financial
institutions directly and must be usable
by those entities to determine
appropriate information security
without any interaction between the
financial institution and the
Commission. The Commission does not
have the ability to examine each
financial institution and work with that
institution to ensure their information
security is appropriate. Therefore, a
requirement that institutions encrypt
information by default is appropriate for
the Safeguards Rule, as the Commission
believes encryption of customer
information at rest is appropriate in
most cases.
Finally, while some commenters
suggested eliminating the encryption
requirement for certain types of data
(e.g., non-sensitive) or certain categories
of data (e.g., data at rest), the
Commission notes, as discussed in more
detail above, the fact that an individual
is a customer of a financial institution
alone may be sensitive. In any event, the
Rule provides financial institutions with
flexibility to adopt alternatives to
encryption with the approval of the
Qualified Individual.
Similarly, the Commission declines to
extend the encryption requirement to
data in use or to data transmitted over
internal networks, as some commenters
suggested. The Commission does not
believe the technology that would
encrypt data while in use (as opposed
to in transit or at rest) has been adopted
widely enough at this time to justify
mandating its use by all financial
institutions under the FTC’s
jurisdiction. As to encryption of data
transmitted over internal networks, the
Commission acknowledges, due to
changes in network design and the
growth of cloud and mobile computing,
the distinction between internal and
external networks is less clear than it
once was. However, the Commission
believes requiring all financial
institutions to encrypt all
communications over internal networks
would be unduly burdensome at this
time. There remain significant costs and
technical hurdles to encrypting
transmissions on internal networks that
would not be reasonable to impose on
all financial institutions, especially
smaller institutions with simpler
systems that might realize less benefit
from this approach. While the
Commission encourages financial
institutions to consider whether it
would be appropriate for them to
encrypt the transmission of customer
information over internal networks, it
declines to require this for all financial
institutions.164
Commenters pointed to three
additional concerns about encryption,
none of which the Commission finds
persuasive. First, the Bank Policy
Institute commented the encryption
requirement would in fact weaken
security by blocking surveillance of the
information by the financial institution
and requiring the ‘‘broad distribution’’
of encryption keys.165 The Commission
does not believe an encryption
requirement would weaken security.
Encryption is almost universally
recommended by security experts and
included in most security standards.166
Further, new tools have been developed
to address the issue the Bank Policy
Institute has raised. Many financial
institutions have monitoring tools on
the edge of their networks to monitor
data leaving the network. It used to be
the case these network monitoring tools
could not see the content of encrypted
data as it left the corporate network and
was transmitted to the internet.
However, there are now tools available
that can see the data as it departs the
network, even if the data is
encrypted.167 Any marginal security
costs of encryption are far outweighed
by the benefits of rendering customer
information unreadable.
Second, some commenters argued
financial institutions should be able to
implement alternatives to encryption
164 The Commission believes transmissions of
customer information to remote users or to cloud
service providers should be treated as external
transmissions, as those transmissions are sent out
of the financial institution’s systems.
165 Bank Policy Institute (comment 39, NPRM), at
13–14.
166 See, e.g., Payment Card Industry (PCI) Data
Security Standard Requirements and Security
Assessment Procedures Version 3.2.1, PCI Security
Standards Council (May 2018), https://
www.pcisecuritystandards.org/document_library
(last accessed 30 Nov. 2020) (Requirement 4 encrypt
transmission of cardholder data across open, public
networks).
167 See, e.g., Encrypted Traffic Management,
Broadcom Inc., https://www.broadcom.com/
products/cyber-security/network/encrypted-traffic-management (last accessed 30 Nov. 2020); SSL
Visibility, F5, Inc., https://www.f5.com/solutions/
application-security/ssl-visibility (last accessed 30
Nov. 2020).
without obtaining approval from the
Qualified Individual.168 The New York
Insurance Association expressed
concern financial institutions might feel
they need to encrypt all customer
information because of the risk that the
alternative controls approved by the
Qualified Individual would be ‘‘second
guessed’’ in the event unencrypted data
is compromised.169 The Commission,
however, believes this concern is a core
element of information security based
on risk assessment. Every aspect of an
information security program is based
on the judgment of the financial
institution and its staff. The Qualified
Individual’s decision concerning
alternate controls, like other decisions
by the financial institution and its staff,
will be subject to review in any
enforcement action to determine
whether the decision was appropriate. If
the Qualified Individual is not required
to make a formal decision, it is much
more likely a decision not to encrypt
information will be made even if there
is no compensating control, or even
made without the Qualified Individual’s
knowledge.
Third, the National Pawnbrokers
Association (‘‘NPA’’) expressed concern
that if pawnbrokers are required to
encrypt customer information they may
fall out of compliance with state and
local regulations concerning transaction
reporting.170 NPA stated pawnbrokers
are often required by state or local law
to report every pawn transaction, along
with nonpublic personally identifiable
consumer information, to law
enforcement, and the agencies that
receive this information ‘‘prefer to take
this information electronically and in
unencrypted forms.’’ 171 The
Commission believes if transmitting the
information in unencrypted form is a
preference of the agencies and not a
requirement, then pawnbrokers can
comply with both the Safeguards Rule
and these laws by encrypting any
transmissions that include customer
information. If there are cases where a
required transmission of customer
information cannot be encrypted for
technical reasons, then the
pawnbroker’s Qualified Individual will
need to work with the law enforcement
agency to implement alternative
compensating controls to ensure the
168 Bank Policy Institute (comment 39, NPRM), at
14; New York Insurance Association (comment 31,
NPRM), at 1.
169 New York Insurance Association (comment
31, NPRM) at 1.
170 National Pawnbrokers Association (comment
3, Workshop), at 2–3.
171 Id. at 2.
customer information remains secure
during these transmissions.172
The Final Rule adopts this paragraph
as paragraph (c)(3) without revision.
Secure Development Practices
Proposed paragraph (c)(5) required
financial institutions to ‘‘[a]dopt secure
development practices for in-house
developed applications utilized’’ for
‘‘transmitting, accessing, or storing
customer information.’’ In this
paragraph, the Commission proposed
requiring financial institutions to
address the security of software they
develop to handle customer
information, as distinct from the
security of their networks that contain
customer information.173 In addition,
the Proposed Rule required ‘‘procedures
for evaluating, assessing, or testing the
security of externally developed
applications [financial institutions]
utilize to transmit, access, or store
customer information.’’ This provision
required financial institutions to take
steps to verify that applications they use
to handle customer information are
secure.174
Some commenters argued evaluating
the security of externally developed
software would be too expensive or
impractical for some financial
institutions,175 while others raised
different concerns. The American
Council on Education suggested, in
cases in which a financial institution
cannot obtain access to a software
provider’s code or technical
172 NADA suggested it is not clear how the
encryption requirement will apply to customer
information held on a service provider’s system or
on the systems of the subcontractors of the service
provider. National Automobile Dealers Association
(comment 46, NPRM), at 21–22. The Commission
believes the Final Rule lays out a financial
institution’s obligations in this situation: It requires
customer information be encrypted unless
infeasible. Section 314.4(e), in turn, requires
financial institutions to require service providers to
implement and maintain appropriate safeguards by
contract and to periodically assess the continued
adequacy of those measures. A financial institution
that uses a service provider to store and process
customer information must require that service
provider to encrypt that information and
periodically determine whether it continues to do
so. If it is infeasible for the service provider to meet
these requirements then the financial institution’s
Qualified Individual must work with the service
provider to develop compensating controls or cease
doing business with the service provider.
173 See, e.g., Complaint, FTC v. D-Link Systems,
Inc., No. 3:17–CV–00039–JD (N.D. Cal. March 20,
2017) (alleging company failed to provide
reasonable security when it failed to adequately test
the software on its devices).
174 See, e.g., Complaint, Lenovo, FTC No. 152–
3134 (January 2, 2018) (alleging company failed to
provide reasonable security by failing to properly
assess and address security risks caused by third-party software).
175 American Council on Education (comment 24,
NPRM), at 11; National Automobile Dealers
Association (comment 46, NPRM), at 26–27.
infrastructure, then evaluating the
security of its software is infeasible.176
NADA further suggested in order to
evaluate the security of software,
financial institutions would need to hire
an expensive IT professional.177
The Commission does not agree with
these assertions. Evaluating the security
of software does not require access to
the source code of that software or
access to the provider’s infrastructure.
For example, a provider can supply the
steps it took to ensure the software was
secure, whether it uses encryption to
transmit information, and the results of
any testing it conducted. In addition,
there are third party services that assess
software. An institution can also set up
automated searches regarding
vulnerabilities, patches, and updates to
software listed on the financial
institution’s inventory. The exact nature
of the evaluation required will depend
on the size of the financial institution
and the amount and sensitivity of
customer information associated with
the software. If the software will be used
to handle large amounts of extremely
sensitive information, then a more
thorough evaluation will be warranted.
Likewise, the nature of the software
used will also affect the evaluation.
Software that has been thoroughly
tested by third parties may need little
more than a review of the test results,
while software that has not been widely
used and tested will require closer
examination.
The Commission adopts proposed
paragraph (c)(5) as paragraph (c)(4) of
the Final Rule.
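The preamble above states that an institution can ‘‘set up automated searches regarding vulnerabilities, patches, and updates to software listed on the financial institution’s inventory’’ and that the depth of evaluation should scale with the amount and sensitivity of customer information the software handles. The following is an added illustration of the core of such a search; it is not part of the Rule or of any commenter’s material. The inventory, the advisories and the advisory identifiers are constructed sample data (not real products or CVEs); a real deployment would load the inventory from the institution’s asset records and the advisories from a vendor or public feed.

```python
"""Automated vulnerability search against a software inventory.

Added illustration, not part of the Safeguards Rule or of any commenter's
material.  INVENTORY and ADVISORIES are constructed sample data with
placeholder advisory identifiers (not real CVEs).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryItem:
    product: str
    version: str
    handles_customer_info: bool  # the Rule's evaluation depth scales with this


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_below: str  # every version strictly below this one is affected
    advisory_id: str     # constructed placeholder, not a real identifier


def parse_version(version: str) -> tuple[int, ...]:
    """'5.7.30' -> (5, 7, 30) so versions compare numerically, not as strings
    (string comparison would wrongly rank '5.7.9' above '5.7.30').  A
    component without a leading number (e.g. 'beta') counts as 0."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(item: InventoryItem, adv: Advisory) -> bool:
    return (item.product == adv.product
            and parse_version(item.version) < parse_version(adv.affected_below))


def find_exposures(inventory, advisories):
    """Return (item, advisory) pairs for unpatched inventory entries, with the
    systems that handle customer information listed first so they are triaged
    ahead of the rest."""
    hits = [(item, adv) for item in inventory for adv in advisories
            if is_affected(item, adv)]
    hits.sort(key=lambda pair: (not pair[0].handles_customer_info, pair[0].product))
    return hits


def patch_report(inventory, advisories) -> list[str]:
    """Human-readable lines a Qualified Individual could review."""
    return [
        f"{item.product} {item.version} is below {adv.affected_below} "
        f"({adv.advisory_id}); customer data: {'yes' if item.handles_customer_info else 'no'}"
        for item, adv in find_exposures(inventory, advisories)
    ]


# Constructed sample inventory: two instances of the same database at
# different versions, an office suite and a pawn-ticket printer.
INVENTORY = [
    InventoryItem("office-suite", "16.0.1", handles_customer_info=False),
    InventoryItem("loan-portal-db", "5.7.30", handles_customer_info=True),
    InventoryItem("loan-portal-db", "5.7.44", handles_customer_info=True),
    InventoryItem("ticket-printer", "2.4.0", handles_customer_info=True),
]

# Constructed sample advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("loan-portal-db", affected_below="5.7.40", advisory_id="ADV-EXAMPLE-0001"),
    Advisory("office-suite", affected_below="16.0.3", advisory_id="ADV-EXAMPLE-0002"),
    Advisory("ticket-printer", affected_below="2.3.0", advisory_id="ADV-EXAMPLE-0003"),
]

if __name__ == "__main__":
    for line in patch_report(INVENTORY, ADVISORIES):
        print(line)
```

Only the database instance still at 5.7.30 and the office suite are flagged; the patched database instance and the printer (already above the affected range) are not, and the customer-data system sorts first so it is reviewed ahead of the rest.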
Multi-Factor Authentication
Proposed paragraph (c)(6) required
financial institutions to ‘‘implement
multi-factor authentication for any
individual accessing customer
information’’ or ‘‘internal networks that
contain customer information.’’ 178 The
Proposed Rule would have allowed
financial institutions to adopt a method
other than multi-factor authentication
that offers reasonably equivalent or
more secure access controls with the
written permission of its Qualified
Individual. In the Final Rule, the
Commission retains the general
requirements of proposed paragraph
(c)(6) as paragraph (c)(5), with some
modifications described below.
Although several commenters
expressed support for including a multi-factor authentication requirement in the
176 American Council on Education (comment 24,
NPRM), at 11.
177 National Automobile Dealers Association
(comment 46, NPRM), at 26–27.
178 Proposed 16 CFR 314.4(c)(6).
Final Rule,179 others opposed such a
requirement. For example, ACE argued
a blanket requirement mandating multi-factor authentication for all institutions
of all sizes and complexities is not the
best solution.180 The National
Independent Automobile Dealers
Association (NIADA) commented the
costs of multi-factor authentication
would be too high for some financial
institutions because it would need to be
built into their information systems
from scratch.181 NIADA also argued
adopting multi-factor authentication
would disrupt a financial institution’s
activities as employees had to ‘‘jump
through multiple hoops to log in.’’ 182
Cisco Systems, Inc. argued that while
multi-factor authentication is an
effective safeguard, it should not be
specifically required by the Rule
because, while it is currently good
security practice, in the future multi-factor authentication may become
outdated, and that allowing financial
institutions to satisfy the Rule in this
way could result in inadequate
protection.183
Other commenters did not dispute the
benefits of multi-factor authentication
generally, but argued the Rule should
limit the multi-factor authentication
requirement. Some of these commenters
stated the Rule should only require
multi-factor authentication when the
financial institution’s risk assessment
justifies it.184 Others argued there
should be a distinction between internal
access and external access. For example,
some commenters argued the Rule
should not require multi-factor
authentication when a user accesses
customer information from an internal
network,185 because there are other
179 Justine Bykowski (comment 12, NPRM);
Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 6–7;
Electronic Privacy Information Center (comment 55,
NPRM), at 8; National Consumer Law Center and
others (comment 58, NPRM), at 2; see also Remarks
of Wendy Nather, Safeguards Workshop Tr., supra
note 17, at 240–41 (discussing the security poverty
line).
180 American Council on Education (comment 24,
NPRM), at 11–12.
181 National Independent Automobile Dealers
Association (comment 48, NPRM), at 6; see also Ken
Shaurette (comment 19, NPRM) (questioning
whether multi-factor authentication is appropriate
for all financial institutions).
182 National Independent Automobile Dealers
Association (comment 48, NPRM), at 6.
183 Cisco Systems, Inc. (comment 51, NPRM), at
2–4.
184 Bank Policy Institute (comment 39, NPRM), at
11–13; Global Privacy Alliance (comment 38,
NPRM), at 8.
185 Electronic Transactions Association (comment
27, NPRM), at 3 n.1; U.S. Chamber of Commerce
(comment 33, NPRM), at 11; CTIA (comment 34,
NPRM), at 11; Global Privacy Alliance (comment
38, NPRM), at 8; Bank Policy Institute (comment 39,
NPRM), at 12; National Automobile Dealers
controls on internal access that make
multi-factor authentication
unnecessary.186 Another commenter
stated requiring multi-factor
authentication when a customer
accesses their information from an
external network could create problems
for some institutions.187 Finally, the
Princeton Center argued the Rule should
be amended to clarify that multi-factor
authentication should be required for
internal and external networks.188
Finally, CTIA took issue with the
proposed requirement that the Qualified
Individual be permitted to approve
‘‘reasonably equivalent or more secure’’
controls if multi-factor authentication is
not feasible, suggesting instead that
Qualified Individuals be permitted to
approve ‘‘effective alternative
compensating controls.’’ 189
The Commission disagrees with the
commenters who stated the Rule should
not include a multi-factor
authentication requirement. As to costs,
many affordable multi-factor
authentication solutions are available in
the marketplace.190 Most financial
institutions will be able to find a
solution that is both affordable and
workable for their organization. In the
cases when that is not possible, the
Association (comment 46, NPRM), at 28; National
Independent Automobile Dealers Association
(comment 48, NPRM), at 6; New York Insurance
Association (comment 31, NPRM), at 1.
186 CTIA (comment 34, NPRM), at 11; Electronic
Transactions Association (comment 27, NPRM), at
3 n.1; U.S. Chamber of Commerce (comment 33,
NPRM), at 11.
187 American Council on Education (comment 24,
NPRM), at 11.
188 Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 6–7;
see also Remarks of Brian McManamon, Safeguards
Workshop Tr., supra note 17, at 102 (stating his
company TECH LOCK supports requiring multi-factor authentication for users connecting from
internal networks).
189 CTIA (comment 34, NPRM), at 11–12; see also
Electronic Transactions Association (comment 27,
NPRM) at 3 (suggesting use of the term ‘‘alternative
compensating controls’’).
190 See, e.g., Slides Accompanying Remarks of
Brian McManamon, ‘‘MFA/2FA Pricing (Duo),’’ in
Safeguards Workshop Slides, supra note 72, at 30
(setting forth prices for multi-factor/two-factor
services from Duo, including free services for up to
ten users); Remarks of Brian McManamon,
Safeguards Workshop Tr., supra note 17, at 102–03;
Slides Accompanying Remarks of Lee Waters,
‘‘Estimated Costs of Proposed Changes,’’ in
Safeguards Workshop Slides, supra note 72, at 26
(estimating costs of MFA to be $50 for smartcard or
fingerprint readers, and $10 each per smartcard);
Slides Accompanying Remarks of Wendy Nather,
‘‘Authentication Methods by Industry,’’ in
Safeguards Workshop Slides, supra note 72, at 37
(chart showing the use of MFA solutions such as
Duo Push, phone call, mobile passcode, SMS
passcode, hardware token, Yubikey passcode, and
U2F token in industries such as financial services
and higher education); Remarks of Wendy Nather,
Safeguards Workshop Tr., supra note 17, at 233–34.
Rule allows financial institutions to
adopt reasonably equivalent controls.191
As to potential disruptions requiring
multi-factor authentication may cause,
the Commission notes that many
organizations, both financial institutions
and otherwise, currently require
employees to use multi-factor
authentication without major
disruption.192 Many multi-factor
authentication systems are available that
do not materially increase the time it
takes to log into a system as compared
to the use of only a password.193 In
short, multi-factor authentication is an
extremely effective way to prevent
unauthorized access to a financial
institution’s information system,194 and
its benefits generally outweigh any
increased time it takes to log into a
system. In those situations when the
need for quick access outweighs the
security benefits of multi-factor
authentication, the Rule allows the use
of reasonably equivalent controls.
Finally, although the Commission
agrees the Rule should not lock
financial institutions into using
outmoded or obsolete technologies, the
basic structure of using multiple factors
to identify a user is unlikely to be
rendered obsolete in the near future.
The Rule’s definition of multi-factor
authentication addresses only this
principle and does not require any
particular technology or technique to
achieve it. This should allow it to
accommodate most changes in
information security practices. In the
event of an unforeseen change to the
information security environment that
191 See also Remarks of James Crifasi, Safeguards
Workshop Tr., supra note 17, at 103–04 (noting
even where legacy systems do not support multi-factor authentication, alternative measures can be
used and ‘‘it’s things that can easily be done.’’)
192 See, e.g., Remarks of Randy Marchany,
Safeguards Workshop Tr., supra note 17, at 236–38
(describing how Virginia Tech implemented multi-factor authentication in 2016 for its more than
156,000 users); Slides Accompanying Remarks of
Wendy Nather, ‘‘Authentication Methods by
Industry,’’ in Safeguards Workshop Slides, supra
note 72, at 37 (demonstrating the types of multi-factor authentication used by health care, financial
services, higher education and the Federal
Government); Remarks of Wendy Nather,
Safeguards Workshop Tr., supra note 17, at 233–35.
193 See Remarks of Wendy Nather, Safeguards
Workshop Tr., supra note 17, at 234 (describing
how a phone call to a landline is popular in some
segments).
194 See, e.g., Remarks of Matthew Green,
Safeguards Workshop Tr., supra note 17, at 266
(explaining passwords are not enough of an
authentication feature but when MFA is used and
deployed, the defenders can win against attackers);
id. at 239 (describing how because smart phones
have modern secure hardware processors, biometric
sensors and readers built in, increasingly
consumers can get the security they need through
the devices they already have by storing
cryptographic authentication keys on the devices
and then using the phone to activate them).
would discount the value of multi-factor
authentication, the Commission will
adjust the Rule accordingly.195
The Commission agrees with the
commenter who stated multi-factor
authentication is justified both when
external users, such as customers, and
internal users, such as employees,
access an information system. Multi-factor authentication can prevent many
attacks focused on using stolen
passwords from both employees and
customers to access customer
information. Other common attacks on
information systems, such as social
engineering or brute force password
attacks, target employee credentials and
use those credentials to get access to an
information system.196 These attacks
can usually be stopped through the use
of multi-factor authentication.
Accordingly, the Final Rule requires
multi-factor authentication whenever
any individual—employee, customer or
otherwise—accesses an information
system. If a financial institution
determines it is not the best solution for
its information system, it may adopt
reasonably equivalent controls with the
approval of the Qualified Individual.
The Commission recognizes the
language of the Proposed Rule may have
created some confusion by its use of the
term ‘‘internal networks’’ to define the
systems affected by the multi-factor
authentication requirement, instead of
the term ‘‘information systems’’ as used
other places in the Rule.197 In addition,
195 The Mortgage Bankers Association expressed
concern the Proposed Rule would not allow the use
of a single-sign on process, where a user is given
access to multiple applications with the use of one
set of credentials. Mortgage Bankers Association
(comment 26, NPRM), at 7. The Commission does
not view the Rule as preventing such a system, if
the user has used multi-factor authentication to
access the system and the system is designed to
ensure any user of a given application has been
subjected to multi-factor authentication.
196 See Remarks of Pablo Molina, Safeguards
Workshop Tr., supra note 17, at 30 (mentioning
‘‘phishing,’’ or social engineering, as a common
type of cybersecurity attack); Remarks of Lee
Waters, Safeguards Workshop, supra note 17, at 91
(same); Remarks of Michele Norin, Safeguards
Workshop Tr., supra note 17, at 179 (same); see also
Cyber Div., Fed. Bureau of Investigation, Private
Industry Notification No. 20200303–001, Cyber
Criminals Conduct Business Email Compromise
through Exploitation of Cloud-Based Email
Services, Costing U.S. Businesses Over Two Billion
Dollars, (March 2020), https://www.ic3.gov/media/
news/2020/200707-4.pdf, at 1–2, (last accessed 1
Dec. 2020) (‘‘Between January 2014 and October
2019, the Internet Crime Complaint Center (IC3)
received complaints totaling over $2.1 billion in
actual losses from [Business Email Compromise
(‘‘BEC’’)] scams targeting the largest [cloud-based
email] platforms. Losses from BEC scams overall
have increased every year since IC3 began tracking
the scam in 2013 and have been reported in all 50
states and in 177 countries.’’).
197 Consumer Data Industry Association
(comment 36, NPRM), at 6–7; Cisco Systems, Inc.
(comment 51, NPRM), at 3–4.
the Commission agrees with
commenters that argued separating the
multi-factor authentication into two
sentences created confusion.198
Accordingly, the Commission modifies
paragraph (c)(5) of the Final Rule, which
was proposed as paragraph (c)(6), to
require financial institutions to
‘‘[i]mplement multi-factor
authentication for any individual
accessing any information system,
unless your Qualified Individual has
approved in writing the use of
reasonably equivalent or more secure
access controls.’’
Finally, the Commission declines to
adopt CTIA’s proposed alternative that
would allow Qualified Individuals to
approve ‘‘effective alternative
compensating controls,’’ even if they are
not ‘‘reasonably equivalent or more
secure’’ than multi-factor
authentication. Given the important role
multi-factor authentication has in access
control, any alternative measure should
provide at least as much protection as
multi-factor authentication.199
Audit Trails
Proposed paragraph (c)(7) required
information security programs to
include audit trails designed to detect
and respond to security events.200 Audit
trails are chronological logs that show
who has accessed an information system
and what activities the user engaged in
during a given period.201
Some commenters supported this
requirement.202 The Princeton Center
noted audit trails are ‘‘crucial to
designing effective security measures
198 Bank Policy Institute (comment 39, NPRM), at 11.
199 NADA argued, for financial institutions that
have appointed a third party to act as their
information security coordinator, this provision
would require the institution to turn over
decisionmaking to someone ‘‘with no stake in the
business outcome.’’ National Automobile Dealers
Association (comment 46, NPRM), at 29–30. This
concern misinterprets the role of the Qualified
Individual. Whether the Qualified Individual is
inside the company or at a third-party company,
that individual will report to and be supervised by
senior management of a financial institution (unless
the Qualified Individual is the head of the financial
institution). If a Qualified Individual recommends
a safeguard that would not be practical for the
business, the financial institution is not required to
adopt this safeguard but can use an alternative
adequate safeguard that will be functional. Indeed,
when it comes to third parties, the Rule specifically
requires someone in the financial institution direct
and oversee the third party.
200 Proposed 16 CFR 314.4(c)(7).
201 See Information Technology Laboratory
Computer Security Resource Center, Glossary,
National Institute of Standards and Technology,
https://csrc.nist.gov/glossary/term/audit-trail (last
accessed Dec. 2, 2020).
202 Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 8;
Electronic Privacy Information Center (comment 55,
NPRM), at 8.
that allow institutions to detect and
respond to security incidents.’’ 203 It
also stated audit trails ‘‘help understand
who has accessed the system and what
activities the user has engaged in.’’ 204
Other commenters argued this
requirement imposed unclear
obligations or would not improve
security.205 For example, GPA
commented the Proposed Rule conflated
the use of logs to reconstruct past events
and the active use of logs to monitor
user activity.206 The American Financial
Services Association argued adding
logging capabilities to some legacy
systems would be expensive and
difficult.207 Another commenter argued
the increased use of cloud storage
would mean that financial institutions
might not have access to any audit
trails.208 In addition, NADA argued it
did not believe maintenance of logs
would increase security but would
instead create records that could be
sought by parties ‘‘seeking to place
blame’’ for breaches.209
The Commission believes logging user
activity is a crucial component of
information security because in the
event of a security event it allows
financial institutions to understand
what was accessed and when. However,
the term ‘‘audit trails’’ may have been
unclear in this context. In order to
clarify that logging user activity is a part
of the user monitoring process, the Final
Rule does not include paragraph (c)(7)
of the Proposed Rule and instead
modifies the user monitoring provision
to include a requirement to log user
activity.210 By putting the ‘‘monitoring’’
and ‘‘logging’’ requirements together,
the Final Rule provides greater clarity
on the comment raised by the GPA:
Financial institutions are expected to
use logging to ‘‘monitor’’ active users
and reconstruct past events.
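The Final Rule’s merging of the ‘‘monitoring’’ and ‘‘logging’’ requirements rests on the point above that the same log serves two uses: reconstructing who accessed what and when after a security event, and actively monitoring users while they work. The following is an added illustration of a single audit log serving both uses; it is not part of the Rule and is not any commenter’s material. The log format (timestamp, user, action, object), the sample entries and the alert thresholds are constructed for this example.

```python
"""One audit trail, two uses: reconstruct past access to a record, and
monitor active users for bulk or after-hours access.

Added illustration, not part of the Safeguards Rule.  The log format and the
sample entries below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    obj: str


# Constructed sample log.  The last line is deliberately out of order to
# show that reconstruction sorts chronologically rather than trusting the
# order in which entries arrived.
SAMPLE_LOG = """\
2021-12-09T09:01:12Z alice READ cust:1001
2021-12-09T09:01:40Z alice READ cust:1002
2021-12-09T09:03:05Z bob READ cust:1001
2021-12-09T09:03:59Z bob UPDATE cust:1001
2021-12-09T22:15:00Z carol READ cust:2001
2021-12-09T22:15:09Z carol READ cust:2002
2021-12-09T22:15:18Z carol READ cust:2003
2021-12-09T22:15:27Z carol READ cust:2004
2021-12-09T22:15:36Z carol READ cust:2005
2021-12-09T22:15:45Z carol READ cust:2006
2021-12-09T22:15:54Z carol READ cust:2007
2021-12-09T22:16:03Z carol READ cust:2008
2021-12-09T22:16:12Z carol READ cust:2009
2021-12-09T22:16:21Z carol READ cust:2010
2021-12-09T09:02:30Z alice EXPORT cust:1001
"""


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse 'timestamp user action object' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = line.split()
        # 'Z' suffix is normalised so fromisoformat accepts it on older Pythons.
        events.append(AuditEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                 user, action, obj))
    return events


def reconstruct(events, obj: str) -> list[AuditEvent]:
    """Reconstruction use: every action on one customer record, in time order,
    regardless of the order the log lines were written."""
    return sorted((e for e in events if e.obj == obj), key=lambda e: e.ts)


def detect_bulk_access(events, window=timedelta(minutes=5), threshold=8) -> dict:
    """Monitoring use: users who touched at least `threshold` distinct records
    inside any `window`.  Returns {user: peak distinct records in a window}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        peak = 0
        for i, start in enumerate(evs):
            in_window = {e.obj for e in evs[i:] if e.ts - start.ts <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def detect_after_hours(events, start_hour=8, end_hour=18) -> list[str]:
    """Monitoring use: users active outside the business window (UTC here)."""
    return sorted({e.user for e in events if not start_hour <= e.ts.hour < end_hour})


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for e in reconstruct(evs, "cust:1001"):
        print(e.ts.isoformat(), e.user, e.action)
    print("bulk access:", detect_bulk_access(evs))
    print("after hours:", detect_after_hours(evs))
```

Both functions run over the same events: the reconstruction answers the post-incident question of who touched one record, while the two detectors flag the constructed user who read ten records in under two minutes late in the evening.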
Disposal Procedures
Proposed paragraph (c)(8) required
financial institutions to develop
procedures for the secure disposal of
203 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8.
204 Id.
205 National Automobile Dealers Association
(comment 46, NPRM), at 30–31; National
Independent Automobile Dealers Association
(comment 48, NPRM), at 6; American Financial
Services Association (comment 41, NPRM), at 6;
Global Privacy Alliance (comment 38, NPRM), at
11.
206 Global Privacy Alliance (comment 38, NPRM),
at 11.
207 American Financial Services Association
(comment 41, NPRM), at 6.
208 American Council on Education (comment 24,
NPRM), at 12.
209 National Automobile Dealers Association
(comment 46, NPRM), at 30–31.
210 See Final Rule, 16 CFR 314.4(c)(8).
customer information that is no longer
necessary for their business operations
or other legitimate business purposes.211
The Proposed Rule allowed the
retention of information when retaining
the information is required by law or
where targeted disposal is not feasible.
Some commenters supported the
inclusion of a disposal requirement as
proposed or suggested that the disposal
requirements should be strengthened.212
Consumer Reports argued financial
institutions should be required to
dispose of customer information when it
is no longer needed for the business
purpose for which it was gathered.213
The Princeton Center suggested the Rule
require disposal after a set period unless
the company can demonstrate a current
need for the data and that financial
institutions periodically review their
data practices to minimize their data
retention.214
Several other commenters opposed
the disposal requirement as set forth in
the Proposed Rule. Some argued the
requirement to dispose of information
goes beyond the Commission’s authority
under the GLB Act.215 NADA argued the
GLB Act does not ‘‘contain[ ] any
authority to require financial
institutions to delete any information’’
and a requirement to have procedures to
delete information for which a company
has no legitimate business purpose
would constitute a ‘‘new privacy
regime.’’ 216 The American Financial
Services Association (AFSA) stated the
requirement was too prescriptive and
the Rule should allow financial
institutions to retain information as long
as that retention complies with the
retention policy created by the financial
institution.217 AFSA further argued the proposed requirement exceeds the Federal banking standards, pointing to the FFIEC Cybersecurity Assessment Tool, which sets disposal of records ‘‘according to documented requirements and within expected time frames’’ as a baseline requirement for access and data management.218
211 Proposed 16 CFR 314.4(c)(8).
212 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8; Electronic Privacy Information Center (comment 55, NPRM), at 8; Consumer Reports (comment 52, NPRM), at 7.
213 Consumer Reports (comment 52, NPRM), at 7–8.
214 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8–9.
215 National Automobile Dealers Association (comment 46, NPRM), at 31; National Independent Automobile Dealers Association (comment 48, NPRM), at 6.
216 National Automobile Dealers Association (comment 46, NPRM), at 31–32.
217 American Financial Services Association (comment 41, NPRM), at 6.
Yet other commenters suggested
modifying the requirement. NADA
argued that if there was to be a disposal
requirement, then it should be modeled
after the Disposal Rule, which requires
businesses to properly dispose of
consumer reports, but does not have an
explicit requirement to dispose of
information on any particular
schedule.219 ACE suggested modifying
the Proposed Rule to require disposal of
information only where there is no
longer any ‘‘legitimate purpose’’ rather
than any ‘‘legitimate business
purpose.’’ 220 It argued in some cases a
financial institution may have legitimate
purposes for retaining information that
are not readily defined as ‘‘business’’
purposes, such as the retention of data
by educational institutions for
institutional research or student
analytics.221
The Commission believes requiring the disposal of customer information for which the financial institution has no legitimate business purpose is within the authority granted by the GLB Act to
protect the security of customer
information. The disposal of records,
both physical and digital, can result in
exposure of customer information if not
performed properly.222 Similarly, if
records are retained when they are no
longer necessary, there is a risk those
records will be subject to unauthorized
access. The risk of unauthorized access
may be reasonable where the retention
of data provides some benefit. In
situations where the information is no
longer needed for a legitimate business
purpose, though, the risk to the
customer information becomes
unreasonable because the retention is no
longer benefiting the customer or
financial institution. Disposing of
unneeded customer information,
therefore, is a vital part of protecting
customer information and serves the
purpose of the GLB Act.223
218 Cybersecurity Assessment Tool, FFIEC, https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Cybersecurity_Maturity_June2.pdf at 37 (last visited December 3, 2020).
219 National Automobile Dealers Association (comment 46, NPRM), at 32.
220 American Council on Education (comment 24, NPRM), at 12.
221 Id.
222 See, e.g., Complaint, Rite Aid Corp., FTC No. 072–3121 (November 22, 2010) (alleging company failed to provide reasonable data security when it failed to implement policies and procedures to dispose securely of personal information).
223 As to the Princeton Center’s suggestion financial institutions periodically review their disposal practices (Princeton University Center for Information Technology Policy (comment 54, NPRM), at 8–9), the Commission believes this
(Continued)
The Commission disagrees with
commenters who suggested narrowing
the disposal requirement or doing away
with it altogether. As noted above,
although no disposal requirement
appears in FFIEC guidelines, those
guidelines represent a different
regulatory approach and are not an
appropriate model for the Safeguards
Rule.
Finally, as to setting retention periods
or narrowing the legitimate business
purposes for which financial
institutions may retain customer
information, the Commission recognizes
financial institutions need some
flexibility. Whereas customers may
want to, for example, access and transfer
older data in some circumstances, in
other circumstances, retaining such data
would not be consistent with any
legitimate business purpose. The
Commission believes the Princeton
Center’s recommendation that
companies be required to delete
information after a set period unless the
information is still needed for a
legitimate business purpose properly
balances the needs of financial
institutions with the need to protect
customer information. Thus, the
Commission modifies proposed
paragraph (c)(6) to require the deletion
of customer information two years after
the last time the information is used in
connection with providing a product or
service to the customer unless the
information is required for a legitimate
business purpose as paragraph (c)(6)(i)
of the Final Rule. In addition, paragraph
(c)(6)(ii) of the Final Rule requires
financial institutions to periodically
review their policies to minimize the
unnecessary retention of information.
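The retention rule the Commission adopts in paragraph (c)(6) (dispose two years after the last use in connection with a product or service, unless a legitimate business purpose requires retention, with periodic review of that retention) can be expressed as a disposal sweep. The following is an added illustration, not part of the rule text or any FTC guidance; the record fields, the hold review date, and the sample records are constructed assumptions, and a real implementation would read them from the institution's own systems.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple


# Hypothetical record shape. The hold fields document the "legitimate business
# purpose" that justifies keeping a record past the two-year mark, and when
# that justification must be looked at again (the periodic review in (c)(6)(ii)).
@dataclass(frozen=True)
class CustomerRecord:
    record_id: str
    last_used: date                          # last use in connection with a product or service
    hold_reason: Optional[str] = None        # documented legitimate business purpose, if any
    hold_review_by: Optional[date] = None    # date by which the hold must be re-justified


def retention_deadline(last_used: date) -> date:
    """Two years after the last use. A Feb 29 last-use date rolls to Feb 28
    when the target year is not a leap year."""
    try:
        return last_used.replace(year=last_used.year + 2)
    except ValueError:
        return last_used.replace(year=last_used.year + 2, day=28)


def classify(record: CustomerRecord, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one record.

    retain  - still inside the two-year window
    hold    - past the window, but a documented purpose keeps it and the hold is current
    review  - past the window and the hold's review date has lapsed: re-justify or dispose
    dispose - past the window with no documented purpose
    """
    deadline = retention_deadline(record.last_used)
    if today < deadline:
        return "retain", f"in retention window until {deadline.isoformat()}"
    if record.hold_reason:
        if record.hold_review_by is None or today <= record.hold_review_by:
            return "hold", f"past {deadline.isoformat()}; kept for: {record.hold_reason}"
        return "review", (f"hold '{record.hold_reason}' lapsed on "
                          f"{record.hold_review_by.isoformat()}; re-justify or dispose")
    return "dispose", f"unused since {record.last_used.isoformat()} and no documented purpose"


def run_sweep(records: Iterable[CustomerRecord], today: date) -> Dict[str, Tuple[str, str]]:
    """Decide every record and return an audit map record_id -> (action, reason).
    Actual deletion is left to the caller so the decision log can be reviewed first."""
    return {r.record_id: classify(r, today) for r in records}


# Constructed sample data, evaluated as of a fixed date so the run is reproducible.
AS_OF = date(2023, 12, 9)
SAMPLE_RECORDS = [
    CustomerRecord("acct-1001", date(2021, 6, 1)),
    CustomerRecord("acct-1002", date(2023, 1, 15)),
    CustomerRecord("acct-1003", date(2020, 3, 10),
                   "tax records retention required by law", date(2024, 12, 31)),
    CustomerRecord("acct-1004", date(2020, 2, 29), "litigation hold", date(2022, 1, 1)),
]

if __name__ == "__main__":
    for rid, (action, reason) in run_sweep(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rid}: {action:7} {reason}")
```

The sweep only produces decisions; separating the decision log from the deletion step gives the institution a record to review before anything is destroyed, and the "review" outcome is what surfaces holds that were justified once but never revisited.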
Change Management
Proposed paragraph (c)(9) required
financial institutions to adopt
procedures for change management.224
Change management procedures govern
the addition, removal, or modification
of elements of an information system.225
This paragraph required financial
institutions to develop procedures to
assess the security of devices, networks,
and other items to be added to their
information system, or the effect of
removing such items or otherwise
modifying the information system. For
example, a financial institution that
adds additional servers or other
requirement is already encompassed in the
requirement contained in § 314.4(g) to periodically
review their safeguards overall.
224 Proposed 16 CFR 314.4(c)(9).
225 See, e.g., Change Management, Rutgers OIT
Information Security Office, https://rusecure.
rutgers.edu/content/change-management (last
accessed 1 Dec. 2020).
VerDate Sep<11>2014
18:18 Dec 08, 2021
Jkt 256001
machines to its information system
would need to evaluate the security of
the new devices and the effect of adding
them to the existing network.
Some commenters supported this
requirement,226 while others stated it
was too broad and would impose
unnecessary burdens on financial
institutions.227 In particular, NADA
argued financial institutions that have
not made changes in their systems ‘‘for
some time’’ should not be required to
create procedures for change
management.228 ACE argued including a
change management requirement is
unnecessary because such a requirement
is ‘‘generally incorporated into an
organization’s IT operations’’ for non-security purposes and the security
considerations of those changes will be
considered as part of those
procedures.229
Alterations to an information system
or network introduce heightened risk of
cybersecurity incidents; 230 thus, it is
important to expressly require change
management to be a part of an
information security program. The
Commission agrees with ACE that many
financial institutions will already have
change management procedures in
place. If those procedures adequately
consider security issues involved in the
change, then they may satisfy this
requirement.
As to the comment a financial
institution that has not made changes to
its environment in some time should
not be required to have change
management processes, the Commission
disagrees. Few information systems can
remain unchanged for a significant
period of time, given the changing
technical requirements for business and
security. Indeed, NADA acknowledges
financial institutions will need to
‘‘adapt[] their programs to keep up with
changes in data security.’’ 231 For this reason, all financial institutions must have procedures for when the changes occur. As with all of the requirements of the Rule, though, the exact nature of these procedures will vary depending on the size, complexity and nature of the information system. A simple system may have equally simple change management procedures.
226 Electronic Privacy Information Center (comment 55, NPRM), at 8; National Consumer Law Center and others (comment 58, NPRM), at 3.
227 American Council on Education (comment 24, NPRM), at 12–13; National Automobile Dealers Association (comment 46, NPRM), at 33.
228 National Automobile Dealers Association (comment 46, NPRM), at 32–33.
229 American Council on Education (comment 24, NPRM), at 12.
230 See Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 95 (‘‘[E]very time there is a change to any of these [network] environments, that is creating additional risk.’’); Remarks of Scott Wallace, Safeguards Workshop Tr., supra note 17, at 147–48 (giving an example of an incident in which network changes led to the exposure of sensitive information); Remarks of Matthew Green, Safeguards Workshop Tr., supra note 17, at 252 (noting it is ‘‘a little dangerous’’ to make ‘‘major changes’’ to an information system at a time of heightened stress).
231 National Automobile Dealers Association (comment 46, NPRM), at 33 n.96.
The Commission adopts this proposed
paragraph as paragraph (c)(7) of the
Final Rule without change.
System Monitoring
Proposed paragraph (c)(10) required
financial institutions to implement
policies and procedures designed ‘‘to
monitor the activity of authorized users
and detect unauthorized access or use
of, or tampering with, customer
information by such users.’’ 232 The
Proposed Rule required financial
institutions to take steps to monitor
those users and their activities related to
customer information in a manner
adapted to the financial institution’s
particular operations and needs.
NADA stated this requirement would
create unnecessary expense because it
would require financial institutions to
‘‘continually monitor all authorized
use’’ and would mean ‘‘yet more new
employees or third-party IT
consultants.’’ 233 The Commission
disagrees, however, noting that
monitoring of system use can be
automated.234 There is no requirement a
separate staff member would be
required to exclusively monitor system
use.
In addition, one commenter stated
monitoring the use of paper files is
impossible and should be excluded
from this provision.235 The Commission
acknowledges monitoring of paper
records is qualitatively different than
the monitoring of electronic records.
This requirement goes hand in hand
with limiting access to documents,
whether electronic or paper. For
example, if an institution has a file room
and access to the room is limited to
particular employees (e.g., the payroll
office), the institution should have
measures in place to ensure those access
controls are in fact being utilized (e.g.,
sign in with front desk, logging of key
card access, security camera).
As discussed above, this paragraph is
amended to also require the logging of
user activity, but is otherwise adopted
as proposed as paragraph (c)(8).
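Paragraph (c)(8) pairs logging with monitoring so that an institution can both watch active users and reconstruct past events, and the Commission's response to NADA is that such monitoring can be automated. The following is an added example of what that automation looks like over user-activity logs; it is not part of the rule or of any FTC material. The log line format, the role-to-action policy, the bulk-access threshold and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    role: str
    action: str
    record: str


# Hypothetical log line format; a real system's format differs, and only the parser changes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Hypothetical role policy: the actions each role is authorized to take on customer records.
ALLOWED: Dict[str, Set[str]] = {
    "teller": {"read", "update"},
    "auditor": {"read"},
    "admin": {"read", "update", "export", "delete"},
}


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["user"], m["role"], m["action"], m["record"])


def load_events(text: str) -> List[Event]:
    """Parse a log excerpt into time-ordered events."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e.ts)


def detect(events: List[Event], bulk_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, datetime, str]]:
    """Alerts as (kind, user, ts, detail). Two checks an automated monitor can run:
    - role_violation: an authorized user took an action their role does not allow
    - bulk_access: one user touched bulk_threshold records inside a sliding window
      (fires once, when the threshold is first crossed)
    """
    alerts: List[Tuple[str, str, datetime, str]] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action not in ALLOWED.get(e.role, set()):
            alerts.append(("role_violation", e.user, e.ts,
                           f"{e.role} performed {e.action} on {e.record}"))
        q = recent[e.user]
        q.append(e.ts)
        while e.ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == bulk_threshold:
            alerts.append(("bulk_access", e.user, e.ts, f"{len(q)} records within {window}"))
    return alerts


def history(events: List[Event], record: str) -> List[Tuple[datetime, str, str]]:
    """Reconstruct who did what to one record, in time order."""
    return [(e.ts, e.user, e.action)
            for e in sorted(events, key=lambda e: e.ts) if e.record == record]


# Constructed sample log: one teller reads six records in a few minutes, another
# teller exports a record (not allowed for that role), and an auditor reads it.
SAMPLE_LOG = """\
2021-12-09T09:00:01Z user=jdoe role=teller action=read record=cust-4421
2021-12-09T09:00:45Z user=jdoe role=teller action=read record=cust-4422
2021-12-09T09:01:10Z user=jdoe role=teller action=read record=cust-4423
2021-12-09T09:01:30Z user=jdoe role=teller action=read record=cust-4424
2021-12-09T09:02:02Z user=jdoe role=teller action=read record=cust-4425
2021-12-09T09:02:40Z user=jdoe role=teller action=read record=cust-4426
2021-12-09T09:15:00Z user=msmith role=teller action=export record=cust-4421
2021-12-09T09:30:00Z user=rkhan role=auditor action=read record=cust-4421
"""

if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for kind, user, ts, detail in detect(evs):
        print(f"ALERT {kind:15} {user:8} {ts.isoformat()} {detail}")
    for ts, user, action in history(evs, "cust-4421"):
        print(f"cust-4421: {ts.isoformat()} {user} {action}")
```

The same parsed events serve both halves of the requirement: `detect` is the monitoring side (it runs unattended, which is the Commission's point about automation), and `history` is the reconstruction side, answering what was accessed and by whom after an incident.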
232 Proposed 16 CFR 314.4(c)(10).
233 National Automobile Dealers Association (comment 46, NPRM), at 33.
234 See Remarks of Nicholas Weaver, Safeguards Workshop Tr., supra note 17, at 124–25.
235 American Financial Services Association (comment 41, NPRM), at 6.
Proposed Paragraph (d)
Proposed paragraph (d)(1) retained
the current Rule’s requirement that
financial institutions ‘‘[r]egularly test or
otherwise monitor the effectiveness of
the safeguards’ key controls, systems,
and procedures, including those to
detect actual and attempted attacks on,
or intrusions into, information
systems.’’
Proposed paragraph (d)(2) provided
further detail to this requirement by
stating the monitoring must take the
form of either ‘‘continuous monitoring’’
or ‘‘periodic penetration testing and
vulnerability assessments.’’ The
proposal explained continuous
monitoring is any system that allows
real-time, ongoing monitoring of an
information system’s security, including
monitoring for security threats,
misconfigured systems, and other
vulnerabilities.236 For those who elected
to engage in periodic penetration testing
and vulnerability assessment, the
proposal required penetration testing at
least once annually (or more frequently
if called for in the financial institution’s
risk assessment) and vulnerability
assessments at least twice a year.237
Some commenters thought the
proposal went too far in requiring
continuous monitoring or penetration
and vulnerability testing, while others
thought the proposal did not go far
enough. On one hand, ACE argued
continuous monitoring is too
burdensome and difficult for some
financial institutions,238 particularly
those with ‘‘highly decentralized
systems,’’ such as colleges and
universities, which could be required to
monitor their entire system.239 ACE
further suggested the Rule should not
prescribe any particular testing
methodology or schedule and should
allow financial institutions to develop a
testing approach appropriate for the
financial institution.240 The NPA
commented penetration and
vulnerability testing would be too
expensive for small pawnbrokers with
small staffs and a small customer base,
where their members would be ‘‘likely
to notice a penetration of our
records.’’ 241 One commenter stated the requirements for monitoring and testing were ‘‘overlapping and confusing’’ and suggested the Commission avoid confusion by including continuous monitoring, penetration testing, vulnerability scanning, periodic risk assessment reviews, and logging as optional components of an information security program to be included on an as-needed basis.242 Some commenters recommended the testing requirement be limited to electronic data and exclude monitoring of physical data.243 The American Financial Services Association argued the testing of physical safeguards required by paragraph (d)(1) ‘‘would be impossible.’’ 244 Finally, CTIA argued, for entities that choose the approach of penetration and vulnerability testing, these tests should be required less regularly.245
236 Financial institutions that choose the option of continuous monitoring would also be satisfying § 314.4(c)(8).
237 Proposed 16 CFR 314.4(d)(1) and (2).
238 American Council on Education (comment 24, NPRM), at 13–14.
239 American Council on Education (comment 24, NPRM), at 13.
240 American Council on Education (comment 24, NPRM), at 14.
241 National Pawnbrokers Association (comment 3, Workshop), at 2.
On the other hand, the Princeton
Center suggested, rather than requiring
either continuous monitoring or
penetration testing, the Rule should
require both. It noted continuous monitoring is very effective at detecting problems with, and threats to, ‘‘off-the-shelf systems’’ but penetration testing is better ‘‘for checking the interaction between systems, proprietary systems, or subtle security issues.’’ 246 Similarly,
the MSRT was concerned that the
Proposed Rule suggested annual
penetration testing alone could protect
financial institutions, rather than serve
as a supplement to proper
monitoring.247
The Commission agrees with
commenters who pointed out the
difficulty of applying certain testing
requirements to physical safeguards.
Although the general testing
requirement set forth in paragraph (d)(1)
should apply to physical safeguards
(e.g., testing effectiveness of physical
locks), the continuous monitoring,
vulnerability assessment, and
penetration testing in paragraph (d)(2) is
not relevant to information in physical form. Accordingly, the final version of paragraph (d)(2) is limited to safeguards on information systems.
242 Global Privacy Alliance (comment 38, NPRM), at 10–11.
243 National Independent Automobile Dealers Association (comment 48, NPRM), at 6; American Financial Services Association (comment 41, NPRM), at 6.
244 American Financial Services Association (comment 41, NPRM), at 6.
245 CTIA (comment 34, NPRM) at 12–13 (arguing penetration testing should be required only once every two years and vulnerability testing be required only once a year).
246 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 5.
247 Money Services Round Table (comment 53, NPRM), at 9; see also Gusto and others (Comment 11, Workshop), at 2 (arguing penetration testing and vulnerability assessments both have their weaknesses and financial institutions should develop a testing program that is appropriate for them).
The Commission also agrees biannual
vulnerability testing may not be
sufficient to detect new threats. Thus,
given the relative ease with which
vulnerability assessments can be
performed, it modifies the Final Rule to
require financial institutions to perform
assessments when there is an elevated
risk of new vulnerabilities having been
introduced into their information
systems, in addition to the required
biannual assessments.
Beyond these modifications, the
Commission believes the proposal
struck the right balance between
flexibility and protection of customer
information, and adopts the proposed
provision as final. For commenters
concerned about costs of testing and
continuous monitoring, the Commission
notes the Rule requires one, not both.
Although many financial institutions
may choose to use both, the
Commission agrees the costs of
requiring both for all financial
institutions may not be justified. 248 As
to arguments that the testing required by
the Rule is too frequent and will
therefore be too costly, the Commission
does not agree vulnerability assessments
will be costly. Indeed, there are
resources for free and automated
vulnerability assessments.249 And
although the Commission acknowledges
penetration testing can be a somewhat
lengthy and costly process for large or
complex systems,250 a longer period
between penetration tests will leave
information systems vulnerable to
attacks that exploit weaknesses
normally revealed by penetration
testing.
Two other portions of the Final Rule
should help financial institutions
concerned about the costs of monitoring
and testing. First, because the
Commission is limiting the definition of
‘‘information system’’ in the Final Rule,
financial institutions will be able to
limit this provision’s application by
segmenting their network and
conducting monitoring or testing only of
systems that contain customer
information or that are connected to
such systems. Second, this requirement
does not apply to those institutions that maintain records on fewer than 5,000 individuals. Accordingly, for example, it should not apply to businesses small enough for staff to personally know a majority of customers.
248 The Commission believes a system for continuous monitoring will include some form of vulnerability assessment as part of monitoring the information system.
249 Remarks of Frederick Lee, Safeguards Workshop Tr., supra note 17, at 139–40.
250 See id. at 129–30 (noting the cost of a penetration test can increase significantly depending on the complexity of the system to be tested and the scope of the test).
Finally, the Commission does not
believe the testing requirements are
duplicative of other provisions of the
Final Rule. The provision relating to
additional risk assessments,
§ 314.4(b)(2), requires a financial
institution to reevaluate its risks and to
determine if safeguards should be
modified or added—it does not require
testing to detect threats and technical
vulnerabilities in the existing system.
Section 313.4(c)(8)’s requirement that
financial institutions monitor users’
activity in an information system is
focused on one aspect of information
security—detecting and preventing
unauthorized access and use of the
system. The requirement of this
paragraph, on the other hand, is focused
on testing the overall effectiveness of a
financial institution’s safeguards. It is
broader than paragraph (c)(8)’s
requirement and is necessary to ensure
financial institutions test the strength of
their safeguards as a whole.
Accordingly, the Final Rule requires
financial institutions to perform
vulnerability assessments at least once
every six months and, additionally,
whenever there are material changes to
their operations or business
arrangements and whenever there are
circumstances they know or have reason
to know may have a material impact on
their information security program.
Proposed Paragraph (e)
Proposed paragraph (e) set forth a
requirement that financial institutions
implement policies and procedures ‘‘to
ensure that personnel are able to enact
[the financial institution’s] information
security program.’’ This requirement
included four components: (1) General
employee training; (2) use of qualified
information security personnel; (3)
specific training for information security
personnel; and (4) verification that
security personnel are taking steps to
maintain current knowledge on security
issues.
General Employee Training
Proposed paragraph (e)(1) required
financial institutions to provide their
personnel with ‘‘security awareness
training that is updated to reflect risks
identified by the risk assessment.’’ 251
While one commenter specifically
supported the inclusion of this training requirement,252 the U.S. Chamber of Commerce argued the Rule should not have any specific training requirements at all.253 NADA stated the requirement that the training be ‘‘updated to reflect risks identified by the risk assessment’’ will require companies to develop individualized training programs to suit their financial institution and that such a process would be expensive and unnecessary because ‘‘general security awareness’’ is generally enough for most financial institutions.254
251 Proposed 16 CFR 314.4(e)(1).
Given the current Rule includes a
similar training requirement and
training remains a vital part of effective
information security, the Commission
declines to eliminate it. The
Commission believes the Final Rule’s
training requirement retains the same
flexibility as the existing Rule and
allows financial institutions to adopt a
training program appropriate to their
organization.
The Commission disagrees with
NADA’s concern the requirement to
update training programs would be too
expensive. Without a requirement that
the training program be updated based
on an assessment of risks, employees
may be subject to the same training year
after year, which might reflect obsolete
threats, as opposed to addressing
current ones. The Commission
interprets this provision to require only
that the training program be updated as
necessary based on changes in the
financial institution’s risk assessment.
The provision also gives financial
institutions the flexibility to use
programs provided by a third party, if
that program is appropriate for the
financial institution. In order to clarify
updates are required only when needed
by changes in the financial institution or
new security threats, though, the Final
Rule states training programs need to be
updated only ‘‘as necessary.’’
Information Security Personnel
Proposed paragraph (e)(2) required
financial institutions to ‘‘[u]tiliz[e]
qualified information security
personnel,’’ employed either by them or
by affiliates or service providers,
‘‘sufficient to manage [their] information
security risks and to perform or oversee
the information security program.’’ 255
This proposed provision was designed to ensure information security personnel used by financial institutions are qualified for their positions and information security programs are sufficiently staffed.
252 Electronic Privacy Information Center (comment 55, NPRM), at 8.
253 U.S. Chamber of Commerce (comment 33, NPRM), at 12; see also American Financial Services Association (comment 41, NPRM), at 6 (stating the Commission should acknowledge that a training program for a small financial institution will be different than a program for a larger program).
254 National Automobile Dealers Association (comment 46, NPRM), at 34.
255 Proposed 16 CFR 314.4(e)(2).
Some commenters argued this
provision was too vague because it does
not define what personnel are necessary
and what ‘‘qualified’’ means.256 NADA
argued hiring additional staff to meet
this requirement could be prohibitively
expensive.257
As discussed in relation to the
appointment of a ‘‘Qualified
Individual,’’ the Commission believes a
more specific definition of ‘‘qualified’’
would not be appropriate because each
financial institution has different needs
and different levels of training,
experience, and expertise will be
appropriate for the information security
staff of each institution. The term
‘‘qualified’’ conveys only that staff must
have the abilities and expertise to
perform the duties required by the
information security program.258 The
Commission declines to include a more
prescriptive set of qualification
requirements in the Final Rule.259
As to the concern about expense, the
Commission acknowledges hiring
employees or retaining third parties to
maintain financial institutions’
information security programs can be a
substantial expense. But the expense is
necessary to effectuate Congressional
intent that financial institutions
implement reasonable safeguards to
protect customer information. The Rule
requires only that a financial institution
have personnel ‘‘sufficient’’ to manage
its risk and to maintain its information
security program. A financial institution
is required only to have the staff
necessary to maintain its information
security. An information security
program that is not properly maintained
cannot offer the protection it is designed
to provide. A financial institution that does not comply with this requirement, by definition, has insufficient staffing, and thus, cannot reasonably protect customer information.
256 National Automobile Dealers Association (comment 46, NPRM), at 35; National Independent Automobile Dealers Association (comment 48, NPRM), at 7.
257 National Automobile Dealers Association (comment 46, NPRM), at 35.
258 NADA also asks whether this provision would require financial institutions to hire more personnel if they do not have enough qualified staff. Id. The Final Rule does require the hiring of additional personnel if existing personnel are not enough to maintain the financial institution’s information security program.
259 One commenter, on the other hand, approved of the decision not to define ‘‘qualified’’ in the Proposed Rule, but argued the requirement in its totality was unclear because it did not set forth ‘‘how the Commission would hold covered entities accountable.’’ American Council on Education (comment 24, NPRM) at 14. The Commission believes the term ‘‘qualified’’ provides a clear enough requirement to allow a financial institution’s compliance to be evaluated.
Although the expense is necessary,
the level of expense is mitigated by
several factors. First, existing financial
institutions should already have
information security personnel (either
in the form of employees or third-party
service providers) qualified to perform
the duties necessary to maintain
reasonable security in order to comply
with the requirements of the current
Rule. Depending on the skills of those
employees, additional staffing may not
be necessary to meet the demands of the
Final Rule. Second, the required staffing
will vary greatly based on the size and
complexity of the information system. A
financial institution with an extremely
simple system may not require even a
single full time employee. Finally, the
Rule allows the use of service providers
to meet this requirement. This can
significantly reduce costs as services
exist to share the expense of qualified
personnel and offer information security
support at significantly less than the
cost of employing a single qualified
employee.260 The Commission
continues to believe utilizing qualified
and sufficient information security
personnel is a vital part of any
information security program and
accordingly, adopts proposed paragraph
(e)(2) in the Final Rule without
modification.
Training of Security Personnel
The Proposed Rule also required
financial institutions to ‘‘[p]rovid[e]
information security personnel with
security updates and training sufficient
to address relevant security risks.’’ 261
This is separate from paragraph (e)(1)’s
requirement to train all personnel
generally.
Some commenters argued providing
ongoing training could be too costly for
some financial institutions.262 The
Commission disagrees. Maintaining
awareness of emerging threats and vulnerabilities is a critical aspect of information security. In order to perform their duties, security personnel must be educated on the changing nature of threats to the information systems they maintain. There are resources that will allow smaller institutions to meet this requirement at little or no cost, such as published security updates, online courses, and educational publications.263 For financial institutions that utilize service providers to meet information security needs, the service provider is likely to include assurances that provided personnel will be trained in current security practices. The Commission views the use of such a service provider as meeting this requirement, as the financial institution is ‘‘providing’’ the service as part of the price it pays to the service provider. Thus, the Final Rule adopts paragraph (e)(3) as proposed.264
260 See, e.g., Slides Accompanying Remarks of Rocio Baeza, ‘‘Models for Complying to the Safeguards Rule Changes,’’ in Safeguards Workshop Slides, supra note 72, at 27–28 (describing three different compliance models: In-house, outsource, and hybrid, with costs ranging from $199 per month to more than $15,000 per month); see also Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 81–83; Slides Accompanying Remarks of Brian McManamon, ‘‘Sample Pricing,’’ in Safeguards Workshop Slides, supra note 72, at 29 (estimating the cost of cybersecurity services based on number of endpoints); Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 83–85.
261 Proposed 16 CFR 314.4(e)(3).
262 National Automobile Dealers Association (comment 46, NPRM), at 35.
Verification of Current Knowledge
Proposed paragraph (e)(4) required financial institutions to ‘‘[v]erify[ ] that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.’’ 265 This requirement was intended to complement the proposed requirement regarding ongoing training of data security personnel, by requiring verification such training has taken place.
NADA argued this requirement should not apply to smaller financial institutions, stating the examples set forth in the Proposed Rule would be difficult for some smaller financial institutions to perform.266 The examples provided with the Proposed Rule were that a financial institution could: (1) Offer incentives or funds for key personnel to undertake continuing education that addresses recent developments, (2) include a requirement to stay abreast of security research as part of their performance metrics, or (3) conduct an annual assessment of key personnel’s knowledge of threats related to their information system. The Commission believes smaller financial institutions can take advantage of any of these methods, particularly ‘‘requiring key personnel to undertake continuing education’’ as part of that personnel’s duties. If they outsource responsibility for data security to service providers, they can simply include these requirements in their contracts.

263 See, e.g., Federal Trade Commission, Cybersecurity for Small Business, https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity (last accessed 1 Dec. 2020); Remarks of Kiersten Todt, Safeguards Workshop Tr. at 86–88 (describing the resources of the Cyber Readiness Institute).
264 The Clearing House suggested the Rule should require background checks on employees. The Clearing House (Comment 49, NPRM) at 19.
265 Proposed 16 CFR 314.4(e)(4).
266 National Automobile Dealers Association (comment 46, NPRM), at 35–36.
The Commission believes the rapidly changing nature of information security mandates this requirement, in order that information security leadership can properly supervise the information security program. Accordingly, the Final Rule adopts proposed paragraph (e)(4) without change.
Proposed Paragraph (f)
Proposed paragraphs (f)(1) and (2) retained the current Rule’s requirement, found in existing paragraphs (d)(1) and (2), to oversee service providers, and added a paragraph (f)(3), requiring financial institutions also periodically assess service providers ‘‘based on the risk they present and the continued adequacy of their safeguards.’’ 267 The current Rule expressly requires an assessment of service providers’ safeguards only at the onboarding stage; proposed paragraph (f)(3) required financial institutions to monitor their service providers on an ongoing basis to ensure they are maintaining adequate safeguards to protect customer information they possess or access.268
Several commenters argued it would be costly and difficult for some financial institutions to periodically assess their service providers.269 These commenters were particularly concerned with smaller financial institutions’ ability to ‘‘monitor’’ larger service providers.270 The Internet Association commented the requirement to periodically assess service providers would be too onerous for the service providers themselves, arguing the requirement would place ‘‘service providers under constant surveillance by their financial institution clients.’’ 271 HITRUST suggested the Rule should state the periodic assessment requirement may be satisfied by requiring service providers to obtain and maintain information security certifications provided by third parties and based on proper information security frameworks.272 In contrast, Consumer Reports took issue with the Rule requiring only ‘‘assessment’’ of service providers, and argued financial institutions should be required to monitor their service providers for compliance.273 Yet other commenters expressed confusion over the term ‘‘service provider,’’ asking whether it would cover national consumer reporting agencies that smaller financial institutions would be hard-pressed to assess.274

267 Proposed 16 CFR 314.4(g).
268 The Clearing House wrote in support of this element of the Proposed Rule, noting it would bring the Safeguards Rule’s provisions relating to service provider oversight into better alignment with security guidelines for banks. The Clearing House (comment 49, NPRM), at 14.
269 National Automobile Dealers Association (comment 46, NPRM), at 37; National Independent Automobile Dealers Association (comment 48, NPRM), at 7; see also Wangyang Shen (comment 3, Privacy Rule) (noting difficulty of supervising cloud services).
270 National Automobile Dealers Association (comment 46, NPRM), at 22; National Association of Dealer Counsel (comment 44, NPRM), at 3.
271 Internet Association (comment 9, Workshop), at 3–4.
The Commission retains the service provider oversight requirement from proposed paragraph (f) without modification. Some high profile breaches have been caused by service providers’ security failures,275 and the Commission views the regular assessment of the security risks of service providers as an important part of maintaining the strength of a financial institution’s safeguards.
The Commission disagrees with the commenters who expressed concerns this provision, and particularly the assessment requirement, would impose undue costs on financial institutions. The Rule would require financial institutions only to assess the risks service providers present and evaluate whether they continue to provide the safeguards required by contract, which need not include extensive investigation of a service provider’s systems. In the case of large service providers, this oversight may consist of reviewing public reports of insecure practices, changes in the services provided, or security failures in the services provided. In other circumstances, such as where a large company hires a vendor to secure sensitive customer information, certifications, reports, or even third-party audits may be appropriate. The exact steps required depend both on the size and complexity of the financial institution and the nature of the services provided by the service provider. For this reason, the Commission declines to adopt the suggestion to allow a financial institution to accept an information security certification from the service provider to satisfy the service provider oversight requirement. The fact that a company maintains an information security certification may be a significant part of assessing the adequacy of a service provider’s safeguards, but the Commission declines to prescribe a one-size-fits-all approach, given the variation in size and complexity of financial institutions and their service providers.

272 HITRUST (comment 18, NPRM), at 3–4.
273 Consumer Reports (comment 52, NPRM) at 7.
274 American Financial Services Association (comment 41, NPRM), at 7.
275 For example, in 2013, attackers were reportedly able to use stolen credentials obtained from a third-party service provider to access a customer service database maintained by national retailer Target Corporation, resulting in the theft of information relating to 41 million customer payment card accounts. Kevin McCoy, Target to pay $18.5M for 2013 data breach that affected 41 million consumers, USA Today, May 23, 2017, https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.
To avoid imposing undue costs on financial institutions, the Commission declines to require ongoing monitoring, rather than periodic assessment, as recommended by Consumer Reports. The Commission believes periodic assessment strikes the right balance between protecting consumers and imposing undue costs on financial institutions. The Commission acknowledges financial institutions may have limited bargaining power in obtaining services from large service providers and limited ability to demand access to a service provider’s systems. In those cases, any sort of hands-on assessment of the provider’s systems may not be possible.
As to the concern the assessment requirement will impose undue burdens on the service providers themselves, the Commission does not believe this concern justifies a modification to the proposed requirement. First, the Rule does not require ‘‘constant surveillance’’ by financial institutions—they are required only to ‘‘periodically assess’’ the risks presented by service providers. Second, as discussed above, the supervision of service providers is a vitally important aspect of information security, and while there may be some burdens on the service providers associated with being supervised, these are necessary burdens. A financial institution must be sure a service provider is protecting the information of its customers, and any expenses this involves are a necessary part of fulfilling this duty.
Finally, as to concerns about potential ambiguities in the definition of service provider, the amendments preserve the definition in the current Rule. Thus, entities subject to this requirement under the Final Rule will remain the same as under the existing Rule and may include consumer reporting agencies. As discussed above, even larger service providers such as national CRAs can be subjected to some form of review by financial institutions.276

The Commission adopts proposed paragraph (f) in the Final Rule without modification.

276 The National Pawnbrokers Association expressed concern they cannot control vendors of local law enforcement agencies to whom they are required to provide customer information. National Pawnbrokers Association (comment 32, NPRM), at 2. However, the Rule does not require financial institutions oversee service providers employed by other entities over which they have no control.

Proposed Paragraph (g)

Paragraph (g) of the Proposed Rule retained the language of existing paragraph (e) in the current Rule, which requires financial institutions to evaluate and adjust their information security programs in light of the result of testing required by this section, material changes to their operations or business arrangements, or any other circumstances they know or have reason to know may have a material impact on their information security program. The Commission received no comments on this paragraph and adopts the language of the Proposed Rule.

Proposed Paragraph (h)

Proposed paragraph (h) required financial institutions to establish written incident response plans that addressed (1) the goals of the plan; (2) the internal processes for responding to a security event; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (6) documentation and reporting regarding security events and related incident response activities; and (7) the evaluation and revision as necessary of the incident response plan following a security event.

Several commenters supported the proposal to require an incident response plan.277 The Credit Union National Association observed an incident response plan ‘‘helps ensure that an entity is prepared in case of an incident by planning how it will respond and what is required for the response.’’ 278 Consumer Reports noted a rapid response to a security event can limit damage caused by the event.279 The Princeton Center commented ‘‘a written incident response plan is an essential component of a good security system.’’ 280 HITRUST commented incident response plans can help organizations ‘‘to better allocate limited resources.’’ 281 The South Carolina Department of Consumer Affairs suggested the provision go further by requiring the incident response plan include a process for notifying senior information security personnel of the event.282

277 Consumer Reports (comment 52, NPRM), at 6; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7; Electronic Privacy Information Center (comment 55, NPRM), at 8; Credit Union National Association (comment 30, NPRM), at 2; Heartland Credit Union Association (comment 42, NPRM), at 2; National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1; HITRUST (comment 18, NPRM), at 2.
278 Credit Union National Association (comment 30, NPRM), at 2.
279 Consumer Reports (comment 52, NPRM), at 6.
Other commenters opposed requiring an incident response plan or objected to particular aspects of the requirement. Some commenters suggested requiring financial institutions to have incident response plans is outside the Commission’s authority under the GLB Act.283 NADA argued the requirement for an incident response plan was overbroad in light of the broad definition of security event,284 and the requirement was vague as to what the plan should include.285
Other commenters argued the requirement was too burdensome. ACE argued ‘‘the range of security events that might occur and their potential impacts on institutional capacity to recover’’ make establishing an incident response plan that will allow an institution to ‘‘respond to, and recover from, any security event materially affecting . . . customer information’’ impossible.286 The Mortgage Bankers Association (‘‘MBA’’) suggested ‘‘institutions of smaller sizes may not necessarily be capable of addressing all seven of the proposed goals.’’ 287 Further, the MBA argued an incident response plan requirement had ‘‘the potential to cripple small businesses under the pressure of repeatedly checking the boxes for potentially harmless events.’’ 288
Finally, some commenters raised questions about what it means for customer information to be in a financial institution’s ‘‘possession’’ for purposes of the incident response plan requirement. ACE argued the requirement does not adequately account for customer information held in cloud storage operated by third parties, asserting such information is not technically within the financial institution’s possession.289 ACE suggested the provision should apply to customer information for which the financial institution is responsible, instead.290 Relatedly, the NPA expressed concern pawnbrokers might be subject to liability under the Proposed Rule when law enforcement agencies or their third-party vendors make public disclosures of customer information pawnbrokers are obligated to report.291

280 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7.
281 HITRUST (comment 18, NPRM), at 2.
282 South Carolina Department of Consumer Affairs (comment 47, NPRM), at 2.
283 National Automobile Dealers Association (comment 46, NPRM), at 38; National Independent Automobile Dealers Association (comment 48, NPRM), at 7.
284 National Automobile Dealers Association (comment 46, NPRM), at 38.
285 National Automobile Dealers Association (comment 46, NPRM), at 12, 38–39. NPA also asked for greater detail on what constitutes an ‘‘incident.’’ National Pawnbrokers Association (comment 32, NPRM), at 4.
286 American Council on Education (comment 24, NPRM), at 15.
287 Mortgage Bankers Association (comment 26, NPRM), at 4.
288 Mortgage Bankers Association (comment 26, NPRM), at 4.
The Commission retains the requirement for financial institutions to develop and implement an incident response plan, with one modification described below. The Commission believes the creation of an incident response plan is directly related to safeguarding customer information and is within its authority under the GLBA. The requirement to create an incident response plan focuses on preparing financial institutions to respond promptly and appropriately to security events, and mitigating any weaknesses in their information systems in the process. By responding quickly and promptly mitigating weaknesses, financial institutions can stop ongoing or future compromise of customer information.292 A well-organized response to a security event can limit the number of consumers affected by an outside attacker by promptly identifying the attack and taking steps to stop the attack.
The Commission disagrees with the commenters who stated this requirement was too burdensome. The Final Rule requires incident response plans address ‘‘security event[s] materially affecting the confidentiality, integrity, or availability of customer information in [a financial institution’s] control.’’ Significantly, the plan must address events that ‘‘materially’’ affect customer information. Thus, the required incident response plan does not require a plan to address every security event that may occur. The plan need not include minute details or all possible scenarios. Instead, the Rule requires the plan to establish a system—for example, by laying out clear lines of responsibility, systems for information sharing, and methods for evaluating possible solutions—that will facilitate a financial institution’s response to security events regardless of the nature of the event. A detailed approach may be appropriate for some financial institutions, such as those with especially complicated systems or personnel hierarchies, but the Rule is designed to give financial institutions the flexibility needed to develop plans that best suit their needs.293

289 American Council on Education (comment 24, NPRM), at 15.
290 Id.
291 National Pawnbrokers Association (comment 32, NPRM), at 4.
292 See Remarks of Serge Jorgenson, Safeguards Workshop Tr., supra note 17, at 52 (observing a prompt response to an incident can prevent a ‘‘threat actor running around in my environment for days, months, years, and able to access anything they want.’’).
Moreover, the Commission believes the requirement is clear as to what an incident response plan should include. The seven listed requirements for the incident response plans provide sufficient guidance to financial institutions designing incident response plans while giving them flexibility to design a plan suited to their organization. In addition, there are many resources for designing incident response plans available for financial institutions, as well as service providers that can assist with the design process.294 Individual institutions can determine the exact details of the plans.
To address questions about whether information is in the financial institution’s ‘‘possession,’’ the Commission is revising paragraph (h) of the Final Rule to require financial institutions develop incident response plans ‘‘designed to promptly respond to, and recover from, any security event materially affecting . . . customer information in your control.’’ (emphasis added). Replacing the term ‘‘possession’’ with ‘‘control’’ resolves the questions raised by ACE and the NPA regarding whether financial institutions must plan for security events affecting data that has been transferred to various kinds of third parties. Where a financial institution has voluntarily opted to store its customer information in the cloud, to whatever extent the information is no longer in the ‘‘possession’’ of the financial institution, it is certainly within the institution’s ‘‘control.’’ By contrast, customer information that has been obtained by a third party such as a law enforcement agency, over whom a financial institution has no authority and of whose actions the financial institution has no knowledge, cannot fairly be said to be in the financial institution’s control. Consequently, the financial institution need not account for possible disclosures of that information by the third party.295

293 Although the Commission agrees with the South Carolina Department of Consumer Affairs that notification of senior personnel is valuable, the requirement that the plan address ‘‘the definition of clear roles, responsibilities and levels of decision-making authority’’ will almost always result in communication of decision-making to senior personnel authorized to make decisions about the security response. Coupled with the requirement the Qualified Individual report to the board or equivalent body on material events affecting security, the Commission does not see the need to make this change.
294 See, e.g., FTC, Data Breach Response: A Guide for Business (2019), www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business; NIST, Guide for Cybersecurity Event Recovery (2016), nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf; Orion Cassetto, Incident Response Plan 101: How to Build One, Templates and Examples, Exabeam: Information Security Blog (November 21, 2018), www.exabeam.com/incident-response/incident-response-plan/ (last visited December 2, 2020).
Notification of Security Events to the Commission
The Commission also requested comment on whether the Rule should require financial institutions to report security events to the Commission. Several commenters supported this requirement.296 The Princeton University Center for Information Technology Policy noted such a reporting requirement would ‘‘provide the Commission with valuable information about the scope of the problem and the effectiveness of security measures across different entities’’ and ‘‘help the Commission coordinate responses to shared threats.’’ 297 The National Association of Federally-Insured Credit Unions argued requiring financial institutions to report security events to the Commission would provide an ‘‘appropriate incentive for covered financial companies to disclose information to consumers and relevant regulatory bodies.’’ 298 NAFCU also suggested notification requirements are important because they ‘‘ensure independent assessment of whether a security incident represents a threat to consumer privacy.’’ 299

295 NADA further argued the incident response plan constitutes a de facto consumer notification requirement. National Automobile Dealers Association (comment 46, NPRM), at 39. Financial institutions have an independent obligation to perform notification as required by state law, whether or not they have an incident response plan in place. The fact that the Rule requires a plan that sets forth procedures for satisfying that requirement does not impose any independent notification requirement on the financial institution.
296 Consumer Reports (comment 52, NPRM), at 6; Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7; Credit Union National Association (comment 30, NPRM), at 2; Heartland Credit Union Association (comment 42, NPRM), at 2; National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1–2.
297 Princeton University Center for Information Technology Policy (comment 54, NPRM), at 7.
298 National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1.
Other commenters opposed the inclusion of a reporting requirement.300 ACE argued such a requirement ‘‘would simply add another layer on top of an already crowded list of federal and state law enforcement contacts and state breach reporting requirements.’’ 301 ACE also suggested any notification requirement should be limited to a more restricted definition of ‘‘security event’’ than the definition in the Proposed Rule, so financial institutions would only be required to report incidents that could lead to consumer harm.302
The Commission agrees with commenters that stated a requirement financial institutions report security events to the Commission would have many benefits, including allowing the Commission to identify emerging threats and assisting the Commission’s enforcement of the Rule. In addition, such a requirement would be unlikely to create a significant burden on financial institutions because a security event that leads to notification to the Commission is very likely to create breach notification obligations under various state laws, and the financial institution will thus already be engaged in notifying consumers and state regulators. The addition of a notification to the FTC would not require any significant additional preparation or effort. However, because the notice of proposed rulemaking did not set forth a detailed proposal for a notification requirement, the Final Rule does not include such a requirement. Instead, the Commission is issuing a supplemental notice of proposed rulemaking (SNPRM) that proposes adding a requirement financial institutions notify the Commission of detected security events under certain circumstances.303
Proposed Paragraph (i)
Proposed paragraph (i) required a financial institution’s CISO to ‘‘report in writing, at least annually, to [the financial institution’s] board of directors or equivalent governing body’’ regarding the following information: (1) The overall status of the information security program and financial institution’s compliance with the Safeguards Rule; and (2) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.304 For financial institutions that did not have a board of directors or equivalent, the proposal required the CISO to make the report to a senior officer responsible for the financial institution’s information security program.

299 National Association of Federally-Insured Credit Unions (comment 43, NPRM), at 1–2.
300 National Independent Automobile Dealers Association (comment 48, NPRM), at 7; American Council on Education (comment 24, NPRM), at 15.
301 American Council on Education (comment 24, NPRM), at 15.
302 Id.
303 Standards for Safeguarding Customer Information, SNPRM, published elsewhere in this issue of the Federal Register.
One commenter supported this requirement.305 Additionally, several workshop participants emphasized the value of communication between information security leaders and corporate boards or their equivalent. For example, workshop participant Michele Norin stated it is ‘‘important’’ for the topic of information security to be discussed at the level of the board or senior leadership regularly, and at least once per year.306 Participant Adrienne Allen agreed annual reporting made sense as a requirement, but noted for some financial institutions, particularly those with an online presence, even more frequent communication could be beneficial.307
ACE argued the Proposed Rule created too much emphasis on a single annual report and should instead focus on regular reporting to the Board or equivalent.308 It also expressed concern the report required by the Proposed Rule would be too detailed and would not allow the Board to see ‘‘the forest for the trees,’’ 309 the requirements for the report were too prescriptive, and the requirements focused too much on compliance rather than security.310 Similarly, NADA argued the report would not improve security but would instead create ‘‘unnecessary liability exposure for the board/leadership of the entity.’’ 311 HITRUST suggested Qualified Individuals should be able to meet this reporting requirement by submitting a report from an information security certification program to the Board or equivalent body.312

The Commission adopts the proposal as final, with one modification discussed below. This provision is intended to ensure the governing body of the financial institution is engaged with and informed about the state of the financial institution’s information security program. Likewise, this will create accountability for the Qualified Individual by requiring him or her to set forth the status of the information security program for the governing body.313 This will help financial institutions to ensure their information security programs are being maintained appropriately and given the necessary resources. Written reports will create a record of decisions made and the information upon which they were based, which may aid future decision-making.314 Management involvement in information security programs can improve the strength of those programs and help to reduce breaches.315

The Commission disagrees with the commenters who stated the reporting requirement would be too prescriptive. In fact, the language only requires reporting of (1) the overall status of the information security program and its compliance with this Rule; and (2) material matters related to the information security program. The language includes examples of what material matters might include, such as risk assessments and security events, but does not require all of them be included. The financial institution and the Qualified Individual will be responsible for determining what is material for their organization. The Commission does not believe these requirements call for overly detailed reports.316

304 Proposed 16 CFR 314.4(i).
305 Rocio Baeza (comment 12, Workshop), at 3–8 (supporting requirement and providing sample report form and compliance questionnaire); see also The Clearing House (comment 49, NPRM), at 15–16 (arguing that Rule should require more involvement from Board and senior management).
306 Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at 194.
307 Remarks of Adrienne Allen, Safeguards Workshop Tr., supra note 17, at 199–200.
308 American Council on Education (comment 24, NPRM), at 16.
309 Id.
310 Id.
311 National Automobile Dealers Association (comment 46, NPRM), at 41. NADA also argued the reports by third-party Qualified Individuals might not include useful information and were ‘‘more likely to be filled with platitudes and/or efforts to ‘upsell’ the dealership on additional CISO services.’’ Id. at 42. NADA provided no support for this claim. The Commission notes such a report would not meet the requirements of this provision, and the financial institution would be justified in terminating their relationship with that provider or, at least, demanding a revised report that did meet those requirements.
312 HITRUST (comment 18, NPRM), at 4.
313 See Remarks of Karthik Rangarajan, Safeguards Workshop Tr., supra note 17, at (‘‘If quarter over quarter, year over year, this watermark isn’t reducing, then board of directors should be able to challenge us and say maybe you’re not mapping your risks correctly, or vice versa if it’s reducing but we’re seeing more incidents, we’re seeing potential breaches, things like that, then the board of directors should be able to say maybe you don’t have the right risk quantification framework or the right risk management framework.’’).
314 Workshop participants Adrienne Allen, Karthik Rangarajan, and Michele Norin each emphasized this point. See Safeguards Workshop Tr., supra note 17, pp. 201–09.
315 See Juhee Kwon, Jackie Rees Ulmer, & Tawei Wang, The Association Between Top Management Involvement and Compensation and Information Security Breaches, Journal of Information Systems, Spring 2013, at 219–236 (‘‘. . . the involvement of an IT executive decreases the probability of information security breach reports by about 35 percent . . .’’); Julia L. Higgs, Robert E. Pinsker, Thomas Joseph Smith, & George Young, The Relationship Between Board-Level Technology Committees and Reported Security Breaches, Journal of Information Systems, Fall 2016, at 79–98 (‘‘[A]s a technology committee becomes more established, its firm is not as likely to be breached. To obtain further evidence on the perceived value of a technology committee, this study uses a returns analysis and finds that the presence of a technology committee mitigates the negative abnormal stock returns arising from external breaches.’’).
Although the Commission agrees a
certification report from a Qualified
Individual could be a part of the annual
report and may cover many material
matters, it may not suffice in all cases;
thus, the Commission declines to
include such a one-size-fits-all
requirement.
As to the suggestion to require
‘‘regular’’ reporting, the Commission
agrees more regular reporting may be
the best approach for many financial
institutions. To this end, the
Commission modifies the requirement
in the final rule to say ‘‘regularly, and
at least annually.’’ 317 Beyond this
modification, the Final Rule adopts
proposed paragraph (i) as proposed.
Board Certification
The Commission specifically sought
comment on whether the Board or
equivalent should be required to certify
the contents of the report. The two
commenters who addressed this
question stated they should not.318 ACE
noted ‘‘governing boards generally will
not have the knowledge and expertise to
independently certify’’ the technical
aspects of the report and certification
might require the employment of
outside auditors.319 The Commission
agrees senior management of financial
institutions will often lack the technical
expertise to personally attest to its
validity. In addition, the primary
purpose of the required report is to
encourage communication between
information security personnel and
senior management, not to show
compliance with the Rule. Requiring the
governing board to certify the contents
of the report would likely transform the
report into a compliance document and
might reduce its efficacy as a
communication between the Qualified
Individual and the Board. Accordingly,
the Commission declines to adopt this
requirement in the Final Rule.
316 Indeed, workshop participants discussed a
variety of strategies for meaningful communication
between security personnel and senior leadership.
Participants noted the proper content, style, and
cadence of reporting (beyond the minimum annual
report) will vary depending on, among other things,
the type of financial institution in question and the
level of familiarity of leadership with the relevant
technical issues. See Safeguards Workshop Tr.,
supra note 17, at 194–200.
317 NADA argued reports required by this
provision would be expensive because the Proposed
Rule stated they would need to be prepared by a
‘‘CISO,’’ which NADA takes to mean a highly
compensated expert of the type retained by the
most sophisticated large institutions. National
Automobile Dealers Association (comment 46,
NPRM), at 41. As discussed above, however, the
Rule does not require all financial institutions to
retain such an expert. Instead, the report will be
made by the Qualified Individual, whose expertise
and compensation will vary according to the size
and complexity of a financial institution’s
information system.
318 National Automobile Dealers Association
(comment 46, NPRM), at 41 n.126; American
Council on Education (comment 24, NPRM), at 16.
§ 314.5: Effective Date
The Proposed Rule set a new effective
date for some portions of the Rule.
Proposed § 314.5 provided certain
elements of the information security
program would not be required until six
months after the publication of a final
rule, rather than immediately upon
publication. The paragraphs that would
have a delayed effective date were:
§ 314.4(a), related to the appointment of
a Qualified Individual; § 314.4(b)(1),
relating to conducting a written risk
assessment; § 314.4(c)(1) through (8),
setting forth the new elements of the
information security program;
§ 314.4(d)(2), requiring continuous
monitoring or annual penetration testing
and biannual vulnerability assessment;
§ 314.4(e), requiring training for
personnel; § 314.4(f)(3), requiring
periodic assessment of service
providers; § 314.4(h), requiring a written
incident response plan; and § 314.4(i),
requiring annual written reports from
the Qualified Individual. All other
requirements under the Safeguards Rule
would remain in effect during this six-month period. These remaining
requirements largely mirrored the
requirements of the existing Rule.
All commenters that addressed this
provision noted the difficulty of
complying with some of the provisions
of the Proposed Rule, and argued
financial institutions should be given
more time to comply with them. ACE
suggested financial institutions be given
one year to create a plan for compliance
and two years to come into actual
compliance.320 AFSA suggested
compliance not be required for two
years.321 ACA International requested
the effective date be one year after
publication of the Rule.322
319 American Council on Education (comment 24,
NPRM), at 16.
320 American Council on Education (comment 24,
NPRM), at 4–5.
The Commission agrees some
financial institutions may need longer to
modify their information security
programs to comply with the new
requirements in the Final Rule,
especially given the current pandemic
and the strains it is placing on
businesses. Accordingly, the Final Rule
extends the effective date for these
enumerated provisions to one year after
the publication of this document.
Proposed § 314.6: Exceptions
Proposed § 314.6 exempted financial
institutions that maintain customer
information concerning fewer than five
thousand consumers from certain
requirements of the Proposed Rule,
namely § 314.4(b)(1), requiring a written
risk assessment; § 314.4(d)(2), requiring
continuous monitoring or annual
penetration testing and biannual
vulnerability assessment; § 314.4(h),
requiring a written incident response
plan; and § 314.4(i), requiring an annual
written report by the CISO (as revised,
the Qualified Individual).323 This
proposed section was designed to
reduce the burden on smaller financial
institutions.
The Commission sought comment on
whether it was appropriate to include
such an exemption, whether the specific
exemptions were appropriate, whether
the use of the number of customers
concerning whom the financial
institution retains customer information
is the most effective way to determine
which financial institutions should be
exempted and, if so, whether five
thousand customers was an appropriate
number. After reviewing the comments
received, the Commission retains the
exemption for financial institutions
with fewer than 5,000 customers as
proposed.
Several commenters supported the
inclusion of an exemption for small
financial institutions. Consumer Reports
supported the exemption as
proposed.324 NPA supported the
decision to base this exemption on the
number of customers whose information
the financial institution maintains, but
questioned how the number of
customers would be determined.325
NPA asked whether the number of
customers would be counted on an
annual basis or include all records the
financial institution maintains. It also
asked if each transaction with a
customer would be counted
separately.326
321 American Financial Services Association
(comment 41, NPRM), at 7.
322 ACA International (comment 45, NPRM), at
10–11.
323 Proposed 16 CFR 314.6.
324 Consumer Reports (comment 52, NPRM), at 6;
see also Credit Union National Association
(comment 30, NPRM), at 2 (noting the exemption
will be helpful for smaller businesses, but
suggesting other changes to the Proposed Rule so
the exemption is not required).
Some commenters argued the number
of customers whose records a financial
institution maintains was the wrong
measure by which to assess whether the
exemption should apply. For example,
commenters suggested the Rule should
take into account businesses with
revenue beneath a certain threshold,327
the number of students enrolled at
covered educational institutions,328 or
the number of individuals employed by
the financial institution.329
Additionally, some commenters
argued the threshold for application of
the exemption should be higher. ACA
International suggested the exemption
should apply to all financial institutions
maintaining records concerning fewer
than 10,000 customers.330 AFSA
suggested a 50,000 customer
threshold.331 NADA 332 and NIADA 333
argued the threshold should be raised to
100,000 customers. Without proposing a
specific alternative, NPA expressed
concern the 5,000-customer threshold
may be too low, noting pawnbrokers
who accept firearms as collateral are
required to keep customer records
related to certain transactions for twenty
years.334
As to the substance of the exemption,
some commenters felt it did not go far
enough to relieve the burden of the rule
for small financial institutions. ACA
International proposed eligible financial
institutions should also be exempt from
the requirement to designate a single
qualified individual to oversee their
information security programs.335 The
National Federation of Independent
Business argued businesses with 15 or
fewer employees should be exempted
from the Rule entirely and instead held
only to a requirement to take
‘‘commercially reasonable steps’’ to
safeguard customer information.336 The
Small Business Administration Office of
Advocacy suggested, in the absence of
additional information regarding the
impact of the proposed changes on
small businesses, the Rule should
‘‘maintain the status quo’’ for small
entities as defined by the Small
Business Administration’s size
standards.337
325 National Pawnbrokers Association (comment
32, NPRM), at 6.
326 Id.; see also National Independent Automobile
Dealers Association (comment 48, NPRM), at 3.
327 ACA International (comment 45, NPRM), at
11–12.
328 American Council on Education (comment 24,
NPRM), at 5.
329 Ahmed Aly (comment 22, NPRM).
330 ACA International (comment 45, NPRM), at
11–12.
331 American Financial Services Association
(comment 41, NPRM), at 3–4.
332 National Automobile Dealers Association
(comment 46, NPRM), at 43–44. NADA also
suggested information about customers for which
the nonpublic information has been removed
should not be counted to the total. If the
information is anonymized or otherwise
transformed so it is no longer reasonably linkable
to a customer, that information will not count
towards the exemption. NADA’s example of
retaining only ‘‘name, phone number, address, and
VIN of the vehicle they own,’’ would still count as
customer information under the Rule.
333 National Independent Automobile Dealers
Association (comment 48, NPRM), at 3.
334 National Pawnbrokers Association (comment
32, NPRM), at 6.
On the other hand, other commenters
opposed the inclusion of any
exemption. The Independent
Community Bankers of America noted
the Federal Financial Institutions
Examination Council Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information
(‘‘FFIEC Guidelines’’), which detail how
depository institutions are required to
protect customer information, include
no exemption for smaller institutions
and suggested the Rule should also have
no exemption and apply equally to all
financial institutions.338
Under the existing Rule, there is no
exception for smaller entities. Still, the
Commission continues to believe it is
appropriate to exempt small businesses
from some of the revised Rule’s
requirements. Although the FFIEC
Guidelines do not exempt small
businesses from its requirements, the
FFIEC Guidelines regulate only
depository financial institutions subject
to an entirely different regulatory
regime, including supervision by their
regulatory agencies. While the
provisions from which eligible financial
institutions are exempt have significant
benefits for the security of customer
information and other sensitive data,339
those provisions may be less necessary
in situations where the overall volume
of retained data is low. This is true in
part because the potential for
cumulative consumer harm is less
where fewer consumers’ information
may be exposed as the result of a
security incident.340
For similar reasons, the Commission
finds the number of individuals
concerning whom a financial institution
maintains customer information is the
appropriate measure of whether the
exemption should apply to a particular
financial institution. The application of
the exemption should take into account
both the potential burden of compliance
to financial institutions and the risk to
consumers when standards are
relaxed—in other words, the purpose of
the exemption is to avoid imposing
undue burden while assuring customer
information is subject to necessary
protections. Even a very small financial
institution, depending on its business
model, may retain very large quantities
of sensitive customer information.341
Adequate security is necessary to
protect such information, which may
constitute an attractive target for bad
actors such as identity thieves; the value
of the target is correlated with the
volume of information maintained.342
While a business’s revenue or number of
employees may provide a measure of
the burden of compliance for that
business, these figures do not capture
consumer risk. By contrast, the number
of individuals about whom a financial
institution maintains customer
information is a proxy for the level of
security necessary in light of both the
risk of attack and the potential
consumer harm should a security
incident occur.343 In addition, basing
the exemption on the number of
individuals concerning whom a
financial institution maintains customer
information provides an incentive to
financial institutions to reduce the
amount of information they retain. A
financial institution may choose to
dispose of information so it holds
information on few enough consumers
to qualify for exemption.344
The Final Rule adopts this section as
proposed. The Commission continues to
believe the cutoff for financial
institutions maintaining information
concerning 5,000 consumers
appropriately balances the need for
security with the burdens on smaller
businesses. The requirements to which
exempted financial institutions would
still be required to adhere are tailored to
balance the importance of adequately
securing customer information against
the need to limit financial burdens for
small businesses. Many of these
requirements were already in force as
part of the existing Rule—for example,
covered financial institutions were
already required to design and
implement a written information
security program, conduct risk
assessments, perform an initial
assessment of their service providers,
and designate one or more employees to
oversee information security. For
reasons discussed elsewhere in this
document, the new requirements that
apply to exempted financial
institutions, such as the requirement to
designate a single qualified individual
to oversee information security rather
than one or more individuals, will
ensure financial institutions of all sizes
continue to adequately protect customer
information in an environment of
increasing cybersecurity risk, while
avoiding the imposition of undue
burden.
335 ACA International (comment 45, NPRM), at
12.
336 National Federation of Independent Business
(comment 16, NPRM), at 4.
337 Small Business Administration Office of
Advocacy (comment 28, NPRM), at 6.
338 Independent Community Bankers of America
(comment 35, NPRM), at 4; see also American
Escrow (comment 6, Workshop), at 3 (arguing even
small companies may need to comply with all
portions of the Rule to maintain consumer
confidence); see also Caiting Wang (Comment 6,
Privacy) (suggesting exempted provisions should be
optional for smaller businesses, or the Commission
create a fund to enable small businesses to comply
with these provisions).
339 See, e.g., Remarks of Brian McManamon,
Safeguards Workshop Tr., supra note 17, at 85
(noting continuous monitoring allows organizations
to detect and quickly respond to threats); Remarks
of Frederick Lee, Safeguards Workshop Tr., supra
note 17, at 126–28 (discussing
benefits of penetration testing); Remarks of Tom
Dugas, Safeguards Workshop Tr., supra note 17, at
143 (noting the importance of vulnerability scans);
Remarks of Michele Norin, Safeguards Workshop
Tr., supra note 17, 194–95 (asserting annual
reporting by the Qualified Individual to an
organization’s board or equivalent is beneficial);
Remarks of Adrienne Allen, Safeguards Workshop
Tr., supra note 17, at 201.
340 See Remarks of James Crifasi, Safeguards
Workshop Tr., supra note 17, at 91–92 (noting
companies that control large amounts of consumer
data should in most instances implement the full
range of data security safeguards, whereas small
businesses with less data may need to focus on
cybersecurity basics); see also Remarks of Lee
Waters, Safeguards Workshop Tr., supra note 17, at
91 (‘‘[T]he amount of data [that a business holds]
would definitely have an influence on whether a
business is even going to be attacked.’’); Remarks
of Rocio Baeza, Safeguards Workshop Tr., supra
note 17, at 94 (citing the volume of consumer
records held by an organization as an important
factor in assessing cybersecurity risk).
341 See, e.g., Remarks of James Crifasi, Safeguards
Workshop Tr., supra note 17, at 91–92 (noting small
businesses with an enormous amount of consumer
records need to follow all of the safeguards and
‘‘can’t get away with just doing the basics’’); see
also ACA International (comment 45, NPRM) at 11
(‘‘Many small financial institutions, including a
number of ACA members, have objectively limited
operations in terms of number of employees and
revenues, but handle large volumes of consumer
account data for each of their clients on whose
behalf they are collecting debts.’’).
342 See, e.g., Remarks of Rocio Baeza, Safeguards
Workshop Tr., supra note 17, at 94 (opining ‘‘the
better indicators for cybersecurity risk are going to
be two things: The volume of consumer records that
a financial institution holds and also the rate of
change.’’); Remarks of Lee Waters, Safeguards
Workshop Tr., supra note 17, at 91 (noting the
amount of data a company holds influences
whether it is going to be attacked).
343 See Remarks of Brian McManamon,
Safeguards Workshop Tr., supra note 17, at 89–90
(noting the size of a financial institution and the
amount and nature of the information it holds factor
into an appropriate information security program).
344 The Commission understands this provision to
count all individual consumers about which a
financial institution maintains customer
information, including both current and former
customers. The exemption counts consumers rather
than transactions so a financial institution that had
100 transactions with a single customer would
count only a single consumer.
IV. Paperwork Reduction Act
The Paperwork Reduction Act
(‘‘PRA’’), 44 U.S.C. 35, requires Federal
agencies to seek and obtain Office of
Management and Budget (OMB)
approval before undertaking a collection
of information directed to ten or more
persons.345 A ‘‘collection of
information’’ occurs when ten or more
persons are asked to report, provide,
disclose, or record information in
response to ‘‘identical questions.’’ 346
Applying these standards, neither the
Safeguards Rule nor the amendments
constitute a ‘‘collection of
information.’’ 347 The Rule calls upon
affected financial institutions to develop
or strengthen their information security
programs in order to provide reasonable
safeguards. Under the Rule, each
financial institution’s safeguards will
vary according to its size and
complexity, the nature and scope of its
activities, and the sensitivity of the
information involved. For example, a
financial institution with numerous
employees would develop and
implement employee training and
management procedures beyond those
that would be appropriate or reasonable
for a sole proprietorship, such as an
individual tax preparer or mortgage
broker. Similarly, a financial institution
that shares customer information with
numerous service providers would need
to take steps to ensure such information
remains protected, while a financial
institution with no service providers
would not need to address this issue.
Thus, although each financial
institution must summarize its
compliance efforts in one or more
written documents, the discretionary
balancing of factors and circumstances
the Rule allows—including the myriad
operational differences among
businesses it contemplated—does not
require entities to answer ‘‘identical
questions’’ and therefore does not
trigger the PRA’s requirements.
The amendments to the Rule do not
change this analysis because they retain
the existing Rule’s process-based
approach, allowing financial
institutions to tailor their programs to
reflect the financial institutions’ size,
complexity, and operations, and to the
sensitivity and amount of customer
information they collect. For example,
amended § 314.4(b) would require a
written risk assessment, but each risk
assessment will reflect the particular
structure and operation of the financial
institution and, though each assessment
must include certain criteria, these are
only general guidelines and do not
consist of ‘‘identical questions.’’
Similarly, amended § 314.4(h), which
requires a written incident response
plan, is only an extension of the
preexisting requirement of a written
information security plan and would
necessarily vary significantly based on
factors such as the financial institution’s
internal procedures, which officials
within the financial institution have
decision-making authority, how the
financial institution communicates
internally and externally, and the
structure of the financial institution’s
information systems. Likewise, the
proposed requirement for Qualified
Individuals to produce annual reports
under proposed § 314.4(i) does not
consist of answers to identical
questions, as the content of these reports
would vary considerably between
financial institutions and Qualified
Individuals are given flexibility in
deciding what to include in the reports.
Finally, the modification of the
definition of ‘‘financial institution’’ to
include ‘‘activities incidental to
financial activities,’’ and therefore bring
finders under the scope of the Rule, does
not constitute a ‘‘collection of
information,’’ and therefore does not
trigger the PRA’s requirements.
345 44 U.S.C. 3502(3)(A)(i).
346 See 44 U.S.C. 3502(3)(A).
347 See Standards for Safeguarding Customer
Information, 67 FR 36484, 36491 (May 23, 2002).
V. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA),
as amended by the Small Business
Regulatory Enforcement Fairness Act of
1996, requires an agency to either
provide an Initial Regulatory Flexibility
Analysis (IRFA) with a proposed Rule,
or certify that the proposed Rule will
not have a significant impact on a
substantial number of small entities.348
The Commission published an Initial
Regulatory Flexibility Analysis in order
to inquire into the impact of the
Proposed Rule on small entities. In
response, the Commission received
comments that argued the revision to
the Safeguards Rule would be unduly
burdensome for smaller financial
institutions. The discussion below
summarizes these comments and the
Commission’s response to them.
348 5 U.S.C. 603 et seq.
1. Description of the Reason for Agency
Action
The Commission issues these
amendments to clarify the Safeguards
Rule by including a definition of
‘‘financial institution’’ and related
examples in the Safeguards Rule rather
than incorporating them from the
Privacy Rule by reference. The
amendments also expand the definition
of ‘‘financial institution’’ in the Rule to
include entities engaged in activities
incidental to financial activities. This
change would bring ‘‘finders’’ within
the scope of the Rule. This change
harmonizes the Rule with other
agencies’ rules and requires finders that
collect consumers’ sensitive financial
information to comply with the
Safeguards Rule’s process-based
approach to protect that data.
In addition, the amendments modify
the Safeguards Rule to include more
detailed requirements for the
information security program required
by the Rule.
2. Issues Raised by Comments in
Response to the IRFA
As stated above, the Commission
received several comments that argued
the revised Safeguards Rule would
impose unduly heavy burdens on
smaller businesses. The Small Business
Administration’s Office of Advocacy
commented it was concerned the FTC
had not gathered sufficient data as to
either the costs or benefits of the
proposed changes for small financial
institutions. The FTC shares the Office
of Advocacy’s interest in ensuring
regulatory changes have an evidentiary
basis. Many of the questions on which
the FTC sought public comment, both in
the regulatory review and in the
proposed rule context, specifically
related to the costs and benefits of
existing and proposed Rule
requirements. Following the initial
round of commenting, the Commission
conducted the FTC Safeguards
Workshop and solicited additional
public comments with the explicit goal
of gathering additional data relating to
the costs and benefits of the proposed
changes.349 As detailed throughout this
document, the Commission believes
there is a strong evidentiary basis for the
issuance of the Final Rule.
The Office of Advocacy also argued
the Proposed Rule’s requirements were
unduly prescriptive and should not be
enacted as they apply to small
businesses until the Commission can
‘‘ascertain the quantitative impact on
small entities.’’ 350 The Office of
Advocacy, along with other
commenters, argued the amendments
taken together would create a large
burden on smaller financial institutions.
In particular, commenters pointed to the
requirements that financial institutions
appoint a chief information security
officer, customer information be
encrypted, financial institutions utilize
multi-factor authentication, and
financial institutions regularly update
training programs. These comments and
the Commission’s response are
discussed at length above. Most
commenters did not provide any
specific estimates of these expenses, but
two commenters did provide a summary
of their expected expenses.
349 See Public Workshop Examining Information
Security for Financial Institutions and Information
Related to Changes to the Safeguards Rule, 85 FR
13082 (Mar. 6, 2020).
As discussed in the document, the
Commission believes any burden
imposed by the revised Rule is
substantially mitigated by the fact the
Rule continues to be process-based,
flexible, and based on the financial
institution’s size and complexity. In
addition, the amendments exempt
institutions that maintain information
on fewer than 5,000 consumers from
certain requirements that require
additional written product and might
pose a greater burden on smaller
entities. The Commission believes most
of the entities covered by the exemption
will be small businesses. Finally, the
Commission believes all financial
institutions, including small businesses,
that comply with the current Safeguards
Rule will already be in compliance with
most of the new provisions of the
revised Rule as part of their current
information security program.
In addition, in response to the
comments concerned about the burden
of the amendments, the Commission
extended the effective date from six
months after the publication of the Final
Rule to one year after the publication to
allow financial institutions additional
time to come into compliance with the
revised Rule. In addition, in response to
comments that argued hiring a chief
information security officer would be
prohibitively expensive for small
financial institutions, the Commission
amended the rule to clarify such an
employee was not required for all
financial institutions. The Final Rule is
modified to clarify a financial
institution need only appoint an
individual who is qualified to
coordinate its information security
program, and those qualifications will
vary based on the complexity of the
program and size and nature of the
financial institution. The Commission
also clarified employee training
programs need to be updated only as
necessary, to respond to a comment
regular updating would be difficult for
smaller financial institutions.
350 Small Business Administration Office of
Advocacy (comment 28, NPRM), at 6.
3. Estimate of Number of Small Entities
to Which the Amendments Will Apply
As previously discussed in the IRFA,
determining a precise estimate of the
number of small entities 351—including
newly covered entities under the
modified definition of financial
institution—is not readily feasible.
Financial institutions already covered
by the Rule as originally promulgated
include lenders, financial advisors, loan
brokers and servicers, collection
agencies, tax
preparers, and real estate settlement
services, to the extent they have
‘‘customer information’’ within the
meaning of the Rule. Finders are also
covered under the Final Rule. However,
it is not known whether any finders are
small entities, and if so, how many there
are. The Commission requested
comment and information on the
number of ‘‘finders’’ that would be
covered by the Rule’s modified
definition of ‘‘financial institution,’’ and
how many of those finders, if any, are
small entities. The Commission received
no comments that addressed this
question.
351 The U.S. Small Business Administration Table
of Small Business Size Standards Matched to North
American Industry Classification System Codes
(‘‘NAICS’’) are generally expressed in either
millions of dollars or number of employees. A size
standard is the largest a business can be and still
qualify as a small business for Federal Government
programs. For the most part, size standards are the
annual receipts or the average employment of a
firm. Depending on the nature of the financial
services an institution provides, the size standard
varies. By way of example, mortgage and
nonmortgage loan brokers (NAICS code 522310) are
classified as small if their annual receipts are $8.0
million or less. Consumer lending institutions
(NAICS code 522291) are classified as small if their
annual receipts are $41.5 million or less.
Commercial banking and savings institutions
(NAICS codes 522110 and 522120) are classified as
small if their assets are $600 million or less. Assets
are determined by averaging the assets reported on
businesses’ four quarterly financial statements for
the preceding year. The 2019 Table of Small
Business Size Standards is available at
https://www.sba.gov/sites/default/files/2019-08/SBA%20Table%20of%20Size%20Standards_Effective%20Aug%2019%2C%202019_Rev.pdf.
4. Projected Reporting, Recordkeeping,
and Other Compliance Requirements
The Rule does not impose any
reporting or any specific recordkeeping
requirements as discussed earlier. See
supra Section IV (Paperwork Reduction
Act). With regard to other compliance
requirements, the addition of definitions
and examples from the Privacy Rule is
not expected to have an impact on
covered financial institutions, including
those that may be small entities. (The
preceding section of this analysis
discusses classes of covered financial
institutions that may qualify as small
entities.) The addition of ‘‘finders’’ to
the definition of financial institutions
imposes the obligations of the Rule on
entities that engage in ‘‘finding’’ activity
and also collect customer information.
The addition of more detailed
requirements may require some
financial institutions to perform
additional risk assessments or
monitoring, or to create additional
safeguards as set forth in the Proposed
Rule. These obligations may require
institutions to retain employees or third-party service providers with skills in
information security, but, as discussed
above, the Commission believes most
financial institutions will have already
complied with many parts of the Rule
as part of their information security
programs required under the existing
Rule. There may be additional related
compliance costs (e.g., legal, new
equipment or systems, modifications to
policies or procedures), but, as
discussed above, the Commission
believes these are limited by several
factors, including the flexibility of the
Rule, the existing safeguards in place to
comply with the existing Rule, and the
exemption for financial institutions that
maintain less consumer information.
Although two commenters provided
summaries of the expected expenses for
some financial institutions to comply
with the Rule, those estimates did not
provide sufficient detail to fully
evaluate whether they were accurate or
representative of other financial
institutions and appeared to be based, at
least in part, on a misunderstanding of
the requirement to appoint a Qualified
Individual. The Commission believes,
for most smaller financial institutions,
there are very low-cost solutions for any
additional duties imposed by the Final
Rule. This view is supported by the
comments of several experts at the
Safeguards Rule Workshop.352
352 See, e.g., Remarks of Brian McManamon, Safeguards Workshop Tr., supra note 17, at 78 (describing virtual CISO services); Matthew Green, Safeguards Workshop Tr., supra note 17, at 225 (noting website usage of encryption for data in motion is above 80 percent; ‘‘Let’s Encrypt’’ provides free TLS certificates; and costs have gone down to the point that if a financial institution is not using TLS encryption for data in motion, it is making an unusual decision outside the norm); Rocio Baeza, Safeguards Workshop Tr., supra note 17, at 106 (‘‘[T]he encryption of data in transit has been standard. There’s no pushback with that.’’); Slides Accompanying the Remarks of Lee Waters, ‘‘Information Security Programs and Smaller Businesses,’’ in Safeguards Workshop Slides, supra note 72, at 26 (‘‘Estimated Costs of Proposed Changes,’’ estimating costs of multi-factor authentication to be $50 for smartcard or fingerprint readers, and $10 each per smartcard); Slides Accompanying Remarks of Wendy Nather, Safeguards Workshop Slides, supra note 72, at 37 (chart showing the use of multi-factor authentication solutions such as Duo Push, phone call, mobile passcode, SMS passcode, hardware token, Yubikey passcode, and U2F token in industries such as financial services and higher education).

The Commission believes the protection of consumers’ financial information is of the utmost importance and the cost of the safeguards required to provide that protection is justified and necessary. The Commission carefully balanced the cost of these requirements with the need to protect consumer information and has made every effort to ensure the Final Rule retains flexibility so financial institutions can tailor information security programs to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.

5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives

The standards in the Final Rule allow a small financial institution to develop an information security program appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. The amendments include certain design standards (e.g., a company must implement encryption, authentication, and incident response) in the Rule, in addition to the performance standards (reasonable security) the Rule currently uses. As discussed, while these design standards may introduce some additional burden, the Commission believes many financial institutions’ existing information security programs already meet most of these requirements. In addition, the requirements in the Final Rule, like those in the existing Rule, are designed to allow financial institutions flexibility in how and whether they should be implemented. For example, the requirement that encryption be used to protect customer information in transit and at rest may be met with effective alternative compensating controls if encryption is infeasible for a given financial institution.

In addition, the amendments exempt financial institutions that maintain relatively small amounts of customer information from certain requirements of the Final Rule. The exemptions would apply to financial institutions that maintain customer information concerning fewer than ten thousand
consumers. The Commission believes
exempted financial institutions are
generally, but not exclusively, small
entities. Such financial institutions are
not required to perform a written risk
assessment, conduct continuous
monitoring or annual penetration testing
and biannual vulnerability assessment,
prepare a written incident response
plan, or prepare an annual written
report by the Qualified Individual.
These exemptions are intended to
reduce the burden on smaller financial
institutions. The Commission believes
the obligations subject to these
exemptions are the ones most likely to
cause undue burden on smaller
financial institutions.
Exempted financial institutions will
still need to conduct risk assessments,
design and implement a written
information security program with the
required elements, utilize qualified
information security personnel and train
employees, monitor activity of
authorized users, oversee service
providers, and evaluate and adjust their
information security program. These are
core obligations under the Rule any
financial institution that collects
customer information must meet,
regardless of size.
The Commission considered allowing
compliance with a third-party data
security standard, such as the NIST
framework, to act as a safe harbor for
compliance with the Rule. The
Commission, however, determined any
reduction of burden created by allowing
such safe harbors is offset by issues they
would cause. For example, such safe
harbors would require the Commission
to monitor the third-party standard or
standards to determine whether they
continued to align with the Safeguards
Rule. In addition, the Commission
would still have to investigate a
company’s compliance with the outside
standard in any enforcement action. The
Commission also does not agree
compliance with an outside standard is
likely to be less burdensome than
complying with the Safeguards Rule
itself.
VI. Other Matters
Pursuant to the Congressional Review
Act (5 U.S.C. 801 et seq.), the Office of
Information and Regulatory Affairs
designated this rule as not a ‘‘major
rule,’’ as defined by 5 U.S.C. 804(2).
List of Subjects in 16 CFR Part 314
Consumer protection, Credit, Data
protection, Privacy, Trade practices.
For the reasons stated above, the
Federal Trade Commission amends 16
CFR part 314 as follows:
PART 314—STANDARDS FOR
SAFEGUARDING CUSTOMER
INFORMATION
■ 1. The authority citation for part 314 continues to read as follows:
Authority: 15 U.S.C. 6801(b), 6805(b)(2).
■ 2. In § 314.1, revise paragraph (b) to read as follows:
§ 314.1 Purpose and scope.
* * * * *
(b) Scope. This part applies to the
handling of customer information by all
financial institutions over which the
Federal Trade Commission (‘‘FTC’’ or
‘‘Commission’’) has jurisdiction.
Namely, this part applies to those
‘‘financial institutions’’ over which the
Commission has rulemaking authority
pursuant to section 501(b) of the
Gramm-Leach-Bliley Act. An entity is a
‘‘financial institution’’ if its business is
engaging in an activity that is financial
in nature or incidental to such financial
activities as described in section 4(k) of
the Bank Holding Company Act of 1956,
12 U.S.C. 1843(k), which incorporates
activities enumerated by the Federal
Reserve Board in 12 CFR 225.28 and
225.86. The ‘‘financial institutions’’
subject to the Commission’s
enforcement authority are those that are
not otherwise subject to the enforcement
authority of another regulator under
section 505 of the Gramm-Leach-Bliley
Act, 15 U.S.C. 6805. More specifically,
those entities include, but are not
limited to, mortgage lenders, ‘‘pay day’’
lenders, finance companies, mortgage
brokers, account servicers, check
cashers, wire transferors, travel agencies
operated in connection with financial
services, collection agencies, credit
counselors and other financial advisors,
tax preparation firms, non-federally
insured credit unions, investment
advisors that are not required to register
with the Securities and Exchange
Commission, and entities acting as
finders. They are referred to in this part
as ‘‘You.’’ This part applies to all
customer information in your
possession, regardless of whether such
information pertains to individuals with
whom you have a customer
relationship, or pertains to the
customers of other financial institutions
that have provided such information to
you.
■ 3. Revise § 314.2 to read as follows:
§ 314.2 Definitions.
(a) Authorized user means any
employee, contractor, agent, customer,
or other person that is authorized to
access any of your information systems
or data.
(b)(1) Consumer means an individual
who obtains or has obtained a financial
product or service from you that is to be
used primarily for personal, family, or
household purposes, or that individual’s
legal representative.
(2) For example:
(i) An individual who applies to you
for credit for personal, family, or
household purposes is a consumer of a
financial service, regardless of whether
the credit is extended.
(ii) An individual who provides
nonpublic personal information to you
in order to obtain a determination about
whether he or she may qualify for a loan
to be used primarily for personal,
family, or household purposes is a
consumer of a financial service,
regardless of whether the loan is
extended.
(iii) An individual who provides
nonpublic personal information to you
in connection with obtaining or seeking
to obtain financial, investment, or
economic advisory services is a
consumer, regardless of whether you
establish a continuing advisory
relationship.
(iv) If you hold ownership or
servicing rights to an individual’s loan
that is used primarily for personal,
family, or household purposes, the
individual is your consumer, even if
you hold those rights in conjunction
with one or more other institutions.
(The individual is also a consumer with
respect to the other financial
institutions involved.) An individual
who has a loan in which you have
ownership or servicing rights is your
consumer, even if you, or another
institution with those rights, hire an
agent to collect on the loan.
(v) An individual who is a consumer
of another financial institution is not
your consumer solely because you act as
agent for, or provide processing or other
services to, that financial institution.
(vi) An individual is not your
consumer solely because he or she has
designated you as trustee for a trust.
(vii) An individual is not your
consumer solely because he or she is a
beneficiary of a trust for which you are
a trustee.
(viii) An individual is not your
consumer solely because he or she is a
participant or a beneficiary of an
employee benefit plan that you sponsor
or for which you act as a trustee or
fiduciary.
(c) Customer means a consumer who
has a customer relationship with you.
(d) Customer information means any
record containing nonpublic personal
information about a customer of a
financial institution, whether in paper,
electronic, or other form, that is handled
or maintained by or on behalf of you or
your affiliates.
(e)(1) Customer relationship means a
continuing relationship between a
consumer and you under which you
provide one or more financial products
or services to the consumer that are to
be used primarily for personal, family,
or household purposes.
(2) For example:
(i) Continuing relationship. A
consumer has a continuing relationship
with you if the consumer:
(A) Has a credit or investment account
with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product
from you;
(D) Holds an investment product
through you, such as when you act as
a custodian for securities or for assets in
an Individual Retirement Arrangement;
(E) Enters into an agreement or
understanding with you whereby you
undertake to arrange or broker a home
mortgage loan, or credit to purchase a
vehicle, for the consumer;
(F) Enters into a lease of personal
property on a non-operating basis with
you;
(G) Obtains financial, investment, or
economic advisory services from you for
a fee;
(H) Becomes your client for the
purpose of obtaining tax preparation or
credit counseling services from you;
(I) Obtains career counseling while
seeking employment with a financial
institution or the finance, accounting, or
audit department of any company (or
while employed by such a financial
institution or department of any
company);
(J) Is obligated on an account that you
purchase from another financial
institution, regardless of whether the
account is in default when purchased,
unless you do not locate the consumer
or attempt to collect any amount from
the consumer on the account;
(K) Obtains real estate settlement
services from you; or
(L) Has a loan for which you own the
servicing rights.
(ii) No continuing relationship. A
consumer does not, however, have a
continuing relationship with you if:
(A) The consumer obtains a financial
product or service from you only in
isolated transactions, such as using your
ATM to withdraw cash from an account
at another financial institution;
purchasing a money order from you;
cashing a check with you; or making a
wire transfer through you;
(B) You sell the consumer’s loan and
do not retain the rights to service that
loan;
(C) You sell the consumer airline
tickets, travel insurance, or traveler’s
checks in isolated transactions;
(D) The consumer obtains one-time
personal or real property appraisal
services from you; or
(E) The consumer purchases checks
for a personal checking account from
you.
(f) Encryption means the
transformation of data into a form that
results in a low probability of assigning
meaning without the use of a protective
process or key, consistent with current
cryptographic standards and
accompanied by appropriate safeguards
for cryptographic key material.
(g)(1) Financial product or service
means any product or service that a
financial holding company could offer
by engaging in a financial activity under
section 4(k) of the Bank Holding
Company Act of 1956 (12 U.S.C.
1843(k)).
(2) Financial service includes your
evaluation or brokerage of information
that you collect in connection with a
request or an application from a
consumer for a financial product or
service.
(h)(1) Financial institution means any
institution the business of which is
engaging in an activity that is financial
in nature or incidental to such financial
activities as described in section 4(k) of
the Bank Holding Company Act of 1956,
12 U.S.C. 1843(k). An institution that is
significantly engaged in financial
activities, or significantly engaged in
activities incidental to such financial
activities, is a financial institution.
(2) Examples of financial institutions
are as follows:
(i) A retailer that extends credit by
issuing its own credit card directly to
consumers is a financial institution
because extending credit is a financial
activity listed in 12 CFR 225.28(b)(1)
and referenced in section 4(k)(4)(F) of
the Bank Holding Company Act of 1956
(12 U.S.C. 1843(k)(4)(F)), and issuing
that extension of credit through a
proprietary credit card demonstrates
that a retailer is significantly engaged in
extending credit.
(ii) An automobile dealership that, as
a usual part of its business, leases
automobiles on a nonoperating basis for
longer than 90 days is a financial
institution with respect to its leasing
business because leasing personal
property on a nonoperating basis where
the initial term of the lease is at least 90
days is a financial activity listed in 12
CFR 225.28(b)(3) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act, 12 U.S.C. 1843(k)(4)(F).
(iii) A personal property or real estate
appraiser is a financial institution
because real and personal property
appraisal is a financial activity listed in
12 CFR 225.28(b)(2)(i) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act, 12 U.S.C. 1843(k)(4)(F).
(iv) A career counselor that
specializes in providing career
counseling services to individuals
currently employed by or recently
displaced from a financial organization,
individuals who are seeking
employment with a financial
organization, or individuals who are
currently employed by or seeking
placement with the finance, accounting
or audit departments of any company is
a financial institution because such
career counseling activities are financial
activities listed in 12 CFR
225.28(b)(9)(iii) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act, 12 U.S.C. 1843(k)(4)(F).
(v) A business that prints and sells
checks for consumers, either as its sole
business or as one of its product lines,
is a financial institution because
printing and selling checks is a financial
activity that is listed in 12 CFR
225.28(b)(10)(ii) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act, 12 U.S.C. 1843(k)(4)(F).
(vi) A business that regularly wires
money to and from consumers is a
financial institution because transferring
money is a financial activity referenced
in section 4(k)(4)(A) of the Bank
Holding Company Act, 12 U.S.C.
1843(k)(4)(A), and regularly providing
that service demonstrates that the
business is significantly engaged in that
activity.
(vii) A check cashing business is a
financial institution because cashing a
check is exchanging money, which is a
financial activity listed in section
4(k)(4)(A) of the Bank Holding Company
Act, 12 U.S.C. 1843(k)(4)(A).
(viii) An accountant or other tax
preparation service that is in the
business of completing income tax
returns is a financial institution because
tax preparation services is a financial
activity listed in 12 CFR 225.28(b)(6)(vi)
and referenced in section 4(k)(4)(G) of
the Bank Holding Company Act, 12
U.S.C. 1843(k)(4)(G).
(ix) A business that operates a travel
agency in connection with financial
services is a financial institution
because operating a travel agency in
connection with financial services is a
financial activity listed in 12 CFR
225.86(b)(2) and referenced in section
4(k)(4)(G) of the Bank Holding Company
Act, 12 U.S.C. 1843(k)(4)(G).
(x) An entity that provides real estate
settlement services is a financial
institution because providing real estate
settlement services is a financial activity
listed in 12 CFR 225.28(b)(2)(viii) and
referenced in section 4(k)(4)(F) of the
Bank Holding Company Act, 12 U.S.C.
1843(k)(4)(F).
(xi) A mortgage broker is a financial
institution because brokering loans is a
financial activity listed in 12 CFR
225.28(b)(1) and referenced in section
4(k)(4)(F) of the Bank Holding Company
Act, 12 U.S.C. 1843(k)(4)(F).
(xii) An investment advisory company
and a credit counseling service are each
financial institutions because providing
financial and investment advisory
services are financial activities
referenced in section 4(k)(4)(C) of the
Bank Holding Company Act, 12 U.S.C.
1843(k)(4)(C).
(xiii) A company acting as a finder in
bringing together one or more buyers
and sellers of any product or service for
transactions that the parties themselves
negotiate and consummate is a financial
institution because acting as a finder is
an activity that is financial in nature or
incidental to a financial activity listed
in 12 CFR 225.86(d)(1).
(3) Financial institution does not
include:
(i) Any person or entity with respect
to any financial activity that is subject
to the jurisdiction of the Commodity
Futures Trading Commission under the
Commodity Exchange Act (7 U.S.C. 1 et
seq.);
(ii) The Federal Agricultural Mortgage
Corporation or any entity chartered and
operating under the Farm Credit Act of
1971 (12 U.S.C. 2001 et seq.);
(iii) Institutions chartered by Congress
specifically to engage in securitizations,
secondary market sales (including sales
of servicing rights) or similar
transactions related to a transaction of a
consumer, as long as such institutions
do not sell or transfer nonpublic
personal information to a nonaffiliated
third party other than as permitted by
§§ 313.14 and 313.15; or
(iv) Entities that engage in financial
activities but that are not significantly
engaged in those financial activities,
and entities that engage in activities
incidental to financial activities but that
are not significantly engaged in
activities incidental to financial
activities.
(4) Examples of entities that are not
significantly engaged in financial
activities are as follows:
(i) A retailer is not a financial
institution if its only means of
extending credit are occasional ‘‘lay
away’’ and deferred payment plans or
accepting payment by means of credit
cards issued by others.
(ii) A retailer is not a financial
institution merely because it accepts
payment in the form of cash, checks, or
credit cards that it did not issue.
(iii) A merchant is not a financial
institution merely because it allows an
individual to ‘‘run a tab.’’
(iv) A grocery store is not a financial
institution merely because it allows
individuals to whom it sells groceries to
cash a check, or write a check for a
higher amount than the grocery
purchase and obtain cash in return.
(i) Information security program
means the administrative, technical, or
physical safeguards you use to access,
collect, distribute, process, protect,
store, use, transmit, dispose of, or
otherwise handle customer information.
(j) Information system means a
discrete set of electronic information
resources organized for the collection,
processing, maintenance, use, sharing,
dissemination or disposition of
electronic information containing
customer information or connected to a
system containing customer
information, as well as any specialized
system such as industrial/process
controls systems, telephone switching
and private branch exchange systems,
and environmental controls systems that
contains customer information or that is
connected to a system that contains
customer information.
(k) Multi-factor authentication means
authentication through verification of at
least two of the following types of
authentication factors:
(1) Knowledge factors, such as a
password;
(2) Possession factors, such as a token;
or
(3) Inherence factors, such as
biometric characteristics.
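As an added illustration of paragraph (k), not part of the Rule's text: the definition turns on distinct factor types, not on the number of authenticators presented, so a password plus a security question is a single (knowledge) factor and does not qualify, while a smartcard plus its PIN is possession plus knowledge and does. The script below was written for this page; the authenticator-to-type table, the function names, and the sample logins are all assumptions, not anything the Rule states.

```python
"""Check a completed login against the Safeguards Rule's definition of
multi-factor authentication (16 CFR 314.2(k)): verification of at least
two of three factor TYPES (knowledge, possession, inherence).

Added example for this page. The mapping table, names and sample logins
are assumptions, not text from the Rule.
"""
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "knowledge"     # something the user knows, e.g. a password
    POSSESSION = "possession"   # something the user has, e.g. a token
    INHERENCE = "inherence"     # something the user is, e.g. a fingerprint


# Assumed (illustrative) mapping of authenticator kinds to factor types.
# The Rule names only the three types; which authenticator falls where
# is a judgement the institution has to make and document.
AUTHENTICATOR_TYPES = {
    "password": FactorType.KNOWLEDGE,
    "pin": FactorType.KNOWLEDGE,
    "security_question": FactorType.KNOWLEDGE,
    "totp_app": FactorType.POSSESSION,
    "sms_passcode": FactorType.POSSESSION,
    "hardware_token": FactorType.POSSESSION,
    "u2f_key": FactorType.POSSESSION,
    "smartcard": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
    "face": FactorType.INHERENCE,
}


@dataclass(frozen=True)
class Verification:
    """One authenticator challenge in a login and whether it was passed."""
    authenticator: str
    passed: bool


def verified_factor_types(verifications):
    """Distinct factor types for which at least one authenticator passed.

    A failed challenge contributes nothing; an authenticator the table
    does not know is an error rather than a silent pass."""
    types = set()
    for v in verifications:
        if not v.passed:
            continue
        if v.authenticator not in AUTHENTICATOR_TYPES:
            raise ValueError(f"unknown authenticator: {v.authenticator}")
        types.add(AUTHENTICATOR_TYPES[v.authenticator])
    return types


def meets_mfa_definition(verifications):
    """True only if two or more DISTINCT factor types were verified.

    Two authenticators of the same type (password + security question)
    count as one type and therefore do not qualify."""
    return len(verified_factor_types(verifications)) >= 2


def evaluate_login(verifications):
    """Return (meets_definition, sorted list of verified type names)."""
    types = verified_factor_types(verifications)
    return meets_mfa_definition(verifications), sorted(t.value for t in types)


if __name__ == "__main__":
    # Constructed sample logins (not drawn from any real system).
    samples = {
        "password + security question": [
            Verification("password", True),
            Verification("security_question", True),
        ],
        "password + TOTP app": [
            Verification("password", True),
            Verification("totp_app", True),
        ],
        "password + fingerprint (fingerprint failed)": [
            Verification("password", True),
            Verification("fingerprint", False),
        ],
        "smartcard + PIN": [
            Verification("smartcard", True),
            Verification("pin", True),
        ],
    }
    for label, vs in samples.items():
        ok, types = evaluate_login(vs)
        print(f"{label:45s} -> {'MFA' if ok else 'not MFA'} {types}")
```

The check deliberately refuses unknown authenticators instead of ignoring them, so a new login method cannot be counted toward the definition until someone has classified it. Whether a given possession authenticator resists phishing (an SMS passcode does not; a U2F token does, because the response is bound to the origin) is a separate question from the definition, which asks only for two distinct types.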
(l)(1) Nonpublic personal information
means:
(i) Personally identifiable financial
information; and
(ii) Any list, description, or other
grouping of consumers (and publicly
available information pertaining to
them) that is derived using any
personally identifiable financial
information that is not publicly
available.
(2) Nonpublic personal information
does not include:
(i) Publicly available information,
except as included on a list described in
paragraph (l)(1)(ii) of this section; or
(ii) Any list, description, or other
grouping of consumers (and publicly
available information pertaining to
them) that is derived without using any
personally identifiable financial
information that is not publicly
available.
(3) For example:
(i) Nonpublic personal information
includes any list of individuals’ names
and street addresses that is derived in
whole or in part using personally
identifiable financial information (that
is not publicly available), such as
account numbers.
(ii) Nonpublic personal information
does not include any list of individuals’
names and addresses that contains only
publicly available information, is not
derived, in whole or in part, using
personally identifiable financial
information that is not publicly
available, and is not disclosed in a
manner that indicates that any of the
individuals on the list is a consumer of
a financial institution.
(m) Penetration testing means a test
methodology in which assessors attempt
to circumvent or defeat the security
features of an information system by
attempting penetration of databases or
controls from outside or inside your
information systems.
(n)(1) Personally identifiable financial
information means any information:
(i) A consumer provides to you to
obtain a financial product or service
from you;
(ii) About a consumer resulting from
any transaction involving a financial
product or service between you and a
consumer; or
(iii) You otherwise obtain about a
consumer in connection with providing
a financial product or service to that
consumer.
(2) For example:
(i) Information included. Personally
identifiable financial information
includes:
(A) Information a consumer provides
to you on an application to obtain a
loan, credit card, or other financial
product or service;
(B) Account balance information,
payment history, overdraft history, and
credit or debit card purchase
information;
(C) The fact that an individual is or
has been one of your customers or has
obtained a financial product or service
from you;
(D) Any information about your
consumer if it is disclosed in a manner
that indicates that the individual is or
has been your consumer;
(E) Any information that a consumer
provides to you or that you or your
agent otherwise obtain in connection
with collecting on, or servicing, a credit
account;
(F) Any information you collect
through an internet ‘‘cookie’’ (an
information collecting device from a
web server); and
(G) Information from a consumer
report.
(ii) Information not included.
Personally identifiable financial
information does not include:
(A) A list of names and addresses of
customers of an entity that is not a
financial institution; and
(B) Information that does not identify
a consumer, such as aggregate
information or blind data that does not
contain personal identifiers such as
account numbers, names, or addresses.
(o)(1) Publicly available information
means any information that you have a
reasonable basis to believe is lawfully
made available to the general public
from:
(i) Federal, State, or local government
records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public
that are required to be made by Federal,
State, or local law.
(2) You have a reasonable basis to
believe that information is lawfully
made available to the general public if
you have taken steps to determine:
(i) That the information is of the type
that is available to the general public;
and
(ii) Whether an individual can direct
that the information not be made
available to the general public and, if so,
that your consumer has not done so.
(3) For example:
(i) Government records. Publicly
available information in government
records includes information in
government real estate records and
security interest filings.
(ii) Widely distributed media. Publicly
available information from widely
distributed media includes information
from a telephone book, a television or
radio program, a newspaper, or a
website that is available to the general
public on an unrestricted basis. A
website is not restricted merely because
an internet service provider or a site
operator requires a fee or a password, so
long as access is available to the general
public.
(iii) Reasonable basis. (A) You have a
reasonable basis to believe that mortgage
information is lawfully made available
to the general public if you have
determined that the information is of
the type included on the public record
in the jurisdiction where the mortgage
would be recorded.
(B) You have a reasonable basis to
believe that an individual’s telephone
number is lawfully made available to
the general public if you have located
the telephone number in the telephone
book or the consumer has informed you
that the telephone number is not
unlisted.
(p) Security event means an event
resulting in unauthorized access to, or
disruption or misuse of, an information
system, information stored on such
information system, or customer
information held in physical form.
(q) Service provider means any person
or entity that receives, maintains,
processes, or otherwise is permitted
access to customer information through
its provision of services directly to a
financial institution that is subject to
this part.
(r) You includes each ‘‘financial
institution’’ (but excludes any ‘‘other
person’’) over which the Commission
has enforcement jurisdiction pursuant
to section 505(a)(7) of the Gramm-Leach-Bliley Act.
■ 4. In § 314.3, revise paragraph (a) to read as follows:
§ 314.3 Standards for safeguarding customer information.
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
* * * * *
■ 5. Revise § 314.4 to read as follows:
§ 314.4 Elements.
In order to develop, implement, and maintain your information security program, you shall:
(a) Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (for purposes of this part, ‘‘Qualified Individual’’). The Qualified Individual may be employed by you, an affiliate, or a service provider. To the extent the requirement in this paragraph (a) is met using a service provider or an affiliate, you shall:
(1) Retain responsibility for compliance with this part;
(2) Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual; and
(3) Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.
(b) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
(1) The risk assessment shall be written and shall include:
(i) Criteria for the evaluation and categorization of identified security risks or threats you face;
(ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and
(iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
(2) You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.
(c) Design and implement safeguards to control the risks you identify through risk assessment, including by:
(1) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:
(i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and
(ii) Limit authorized users’ access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy;
(3) Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your Qualified Individual;
(4) Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information;
(5) Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
(6)(i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and
(ii) Periodically review your data retention policy to minimize the unnecessary retention of data;
(7) Adopt procedures for change management; and
(8) Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
(d)(1) Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.
(2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:
(i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
(ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.
(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:
(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
(2) Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;
(3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and
(4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
(f) Oversee service providers, by:
(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
(2) Requiring your service providers by contract to implement and maintain such safeguards; and
(3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
(g) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to your operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; or any other circumstances that you know or have reason to know may have a material impact on your information security program.
(h) Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control. Such incident response plan shall address the following areas:
(1) The goals of the incident response plan;
(2) The internal processes for responding to a security event;
(3) The definition of clear roles, responsibilities, and levels of decision-making authority;
(4) External and internal communications and information sharing;
(5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(6) Documentation and reporting regarding security events and related incident response activities; and
(7) The evaluation and revision as necessary of the incident response plan following a security event.
(i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:
(1) The overall status of the information security program and your compliance with this part; and
(2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.
■ 6. Revise § 314.5 to read as follows:
§ 314.5 Effective date.
Section 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of December 9, 2022.
■ 7. Add § 314.6 to read as follows:
§ 314.6 Exceptions.
Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.
By direction of the Commission, Commissioners Phillips and Wilson dissenting.
April Tabor,
Secretary.
Note: The following appendix will not appear in the Code of Federal Regulations.
Appendix—Statements Issued on October 27, 2021
Statement of Chair Lina M. Khan Joined by Commissioner Rebecca Kelly Slaughter Regarding Regulatory Review of the Safeguards Rule
Today the FTC is significantly strengthening the Safeguards Rule,1 first promulgated by the FTC twenty years ago pursuant to a Congressional directive to protect personal information that is stored by financial institutions. This revamping—the first time in the Rule’s history—is sorely needed. In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily.2 The amendments adopted today require financial institutions to develop information security programs that can meet the challenges of today’s security environment.
For Americans, the harms stemming from the types of security vulnerabilities that this Rule addresses are all too real. Victims of breaches have their most sensitive information exposed, making them more vulnerable to identity theft, phishing attacks, and other forms of fraud.3 In 2018, almost 10 percent of Americans suffered some form of identity theft, costing many of them hundreds of dollars and dozens of hours of time, an experience that many describe as distressing.4 For some, the cost is much higher, with victims losing tens of thousands of dollars.5
The Rule amendments the FTC is issuing
today are strongly supported by the evidence
in the record.6 The evidence gathered from
1 16 CFR part 314. Pursuant to the Gramm Leach
Bliley Act (‘‘GLB’’ or ‘‘GLBA’’), Public Law 106–
102, 113 Stat. 1338 (1999) (codified as amended in
scattered sections of 12 and 15 U.S.C.), the
Commission promulgated the Safeguards Rule in
2001.
2 See, e.g., 2020 Internet Crime Report, Fed. Bur.
Investigations,at 20 (Mar. 2021) (reporting
consumer loss of over $128 million resulting from
corporate data breaches to those who filed
complaints in 2020 alone); Int’l Bus. Mach, Cost of
a Data Breach, at 4 (2021) (estimating that the
average cost of single data breach has risen to $4.24
million).
3 2013 Identity Fraud Report: Data Breaches
Becoming a Treasure Trove for Fraudsters, Javelin
Strategy, at 1 (Feb. 2013) (reporting that 1 in 4
recipients of a data breach notification become
victims of identity theft); Michelle Singletary, Your
online profile may help identity thieves,
Washington Post (Feb. 28, 2012), https://
www.washingtonpost.com/business/economy/
michelle-singletary-your-online-profile-may-helpidentity-thieves/2012/02/28/gIQAXFjygR_story.html
(reporting that recipients of data breach letters are
9.5% more likely to suffer identity theft).
4 See Erika Harrell, Victims of Identity Theft,
2018, U.S. Dep’t of Just., at 1 (Apr. 2021), https://
bjs.ojp.gov/content/pub/pdf/vit18.pdf.
5 See 2021 Consumer Aftermath Report, Identity
Theft Resource Center (2021), at 6 (finding that in
a study of 427 identity crime victims, 21% of them
suffered losses of over $20,000).
6 The Commission first sought public comments
on the proposed amendments in April 2019. See
VerDate Sep<11>2014
18:18 Dec 08, 2021
Jkt 256001
information security experts, industry
associations, and consumer groups—those
with hands-on experience in the area and
knowledge of the field—decisively show that
the amendments are necessary. Of course, all
of this information supplements the
experience that Commission staff has
obtained over twenty years of enforcing the
Rule, and gained through investigations of
companies’ data security practices under the
FTC’s deception and unfairness authority.
The dissent’s conclusion that these
amendments are unnecessary is belied by
both the reality of rampant data security
breaches as well as the robust evidentiary
record. The recent history of major data
breaches affecting millions of consumers
shows that more needs to be done to protect
consumers’ sensitive information. Despite the
increasing sophistication of cyberattacks,
many businesses continue to offer inadequate
security.7 In particular, the massive Equifax
Privacy of Consumer Financial Information Rule
Under the Gramm-Leach-Bliley Act, 84 FR 13150;
Standards for Safeguarding Customer Information,
84 FR 13158 (April 4, 2019). The agency received
almost 50 comments from consumer groups,
industry associations, and data security experts. See
FTC Seeks Comment on Proposed Amendments to
Safeguards and Privacy Rules, 16 CFR part 314,
Project No. P145407, (FTC–2019–0019) (‘‘2019
Safeguards and Privacy NPRM ’’), https://
www.regulations.gov/docket/FTC-2019-0019/
document. Further, the Commission conducted a
workshop discussing the proposed amendments
with information security professionals and experts,
including IT staff from financial institutions
covered by the Safeguards Rule. See Transcript,
Information Security and Financial Institutions: An
FTC Workshop to Examine Safeguards Rule, Fed.
Trade Comm’n (July 13, 2020) (‘‘Safeguards
Workshop’’), https://www.ftc.gov/system/files/
documents/public_events/1567141/transcript-glbsafeguards-workshop-full.pdf. Connected with the
workshop, the Commission sought and received
another round of public comments on the
amendments. The eleven relevant public comments
relating to the subject matter of the July 13, 2020,
workshop can be found here: Postponement of
Public Workshop Related to Proposed Changes to
the Safeguards Rule, 85 FR 23354 (FTC–2020–0038)
(Apr. 27, 2020) (‘‘Workshop Comment Docket’’),
https://www.regulations.gov/document/FTC-20200038-0001.
7 See, e.g., Electronic Privacy Information Center,
Comment Letter No. 55 on 2019 Safeguards and
Privacy NPRM (FTC–2019–0019), at 3 (Aug. 1,
2019) (citing dramatic increase in data breaches at
financial services firms affecting millions of
consumers), https://www.regulations.gov/comment/
FTC-2019-0019-0055; Consumer Reports, Comment
Letter No. 52 on 2019 Safeguards and Privacy
NPRM (FTC–2019–0019) (Aug. 2, 2019), https://
www.regulations.gov/comment/FTC-2019-00190052 (noting several high profile data breaches at
financial institutions as evidence for the need for
stronger regulation); Inpher, Inc., Comment Letter
No. 50 on 2019 Safeguards and Privacy NPRM
(FTC–2019–0019), at 1 (Aug. 1, 2019), https://
www.regulations.gov/comment/FTC-2019-00190050 (pointing to major breaches at financial
institutions as evidence for the need of stronger
security regulations); Independent Community
Bankers of America, Comment Letter No. 35 on
2019 Safeguards and Privacy NPRM (FTC–2019–
0019) (Aug. 2, 2019), https://www.regulations.gov/
comment/FTC-2019-0019-0035 (noting that FTCregulated financial institutions are subject to less
stringent security requirements than those regulated
by banking agencies, even though many handle the
same types of information as those financial
PO 00000
Frm 00039
Fmt 4701
Sfmt 4700
70309
breach, which the FTC alleged was caused by
inadequate data security that could have
been easily corrected by the company, is a
glaring example of how a financial
institution’s lax security practices can have
devastating consequences for Americans.8
The dissent’s suggestion that our current
framework is sufficient falls flat in the face
of such a stark example of the harm that can
arise from avoidable lax security practices by
covered financial institutions. Moreover, the
dissent’s complaint that the rule is also
informed by evidence arising from breaches
and practices occurring in other types of
industries misses the mark. Not only is there
substantial evidence in the rulemaking
record clearly illustrating security lapses of
financial institutions that are covered by the
Rule,9 but the implication that we shouldn’t
use our broader knowledge of common
security pitfalls is unwise.
The record evidence also shows that the
amendment’s requirements track bedrock
principles of data security and represent
proven elements of effective data security
programs that reduce the risk of breaches.10
institutions); National Consumer Law Center et al.,
Comment Letter No. 58 on 2019 Safeguards and
Privacy NPRM (FTC–2019–0019) (Aug. 2, 2019),
https://www.regulations.gov/document/FTC-20190019-0058 (arguing that the recent Equifax breach
showed the need for strengthening the Safeguards
Rule); Cisco Systems, Inc., Comment Letter No. 51
on 2019 Safeguards and Privacy NPRM (FTC–2019–
0019) (Aug. 2, 2019), https://www.regulations.gov/
document/FTC-2019-0019-0051 (noting that
sophisticated hacking techniques used in state
sponsored attacks are likely to be adopted by ‘‘more
garden variety, less sophisticated hackers.’’);
Safeguards Workshop, at 24–26 (July 13, 2020)
(remarks of Chris Cronin) (stating that many
companies do not conduct complete or adequate
risk assessments). Id. at 38–39 (remarks of Serge
Jorgensen) (noting that businesses’ understanding of
the need for security has improved, but that they
continue to struggle to implement controls across
business units). Id. at 39–41 (remarks of Chris
Cronin) (stating that, ‘‘as a rule,’’ businesses of all
sizes are ‘‘behind’’ on cybersecurity, attributing this
in part to consultants whose advice about
reasonable security is motivated by a desire to
‘‘make the clients happy’’). Id. at 43 (remarks of
Pablo Molina) (citing ‘‘the mounting losses that
come from cybercrime’’ as evidence that many
businesses are ‘‘falling behind’’ cybercriminals). Id.
at 114 (remarks of Brian McManamon) (noting that
‘‘the proposed changes are the minimum necessary
to have an effective security program in place.’’). Id.
at 44 (remarks of Sam Rubin) (noting that, in his
experience, companies make significant
investments in technical security measures but that
investment in personnel to oversee and use those
measures is ‘‘a huge shortcoming that I’m seeing in
the field.’’); The Clearing House Association LLC,
Comment Letter No. 49 on 2019 Safeguards and
Privacy NPRM (FTC–2019–0019), at 7–9 (Aug. 2,
2019), https://www.regulations.gov/comment/FTC2019-0019-0049 (citing a 2018 study by the Center
for Financial Inclusion that showed widespread
data security failures among financial technology
companies around the globe).
8 Press Release, Fed. Trade Comm’n, Equifax to
Pay $575 Million as Part of Settlement with FTC,
CFPB, and States Related to 2017 Data Breach, (July
22, 2019), https://www.ftc.gov/news-events/pressreleases/2019/07/equifax-pay-575-million-partsettlement-ftc-cfpb-states-related.
9 See infra, note 7.
10 See, e.g., for Single Qualified Individual
Requirement: National Consumer Law Center et al.,
E:\FR\FM\09DER3.SGM
Continued
09DER3
khammond on DSKJM1Z7X2PROD with RULES3
70310
Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations
supra note 7, at 3 (arguing that a clear line of
reporting with a single responsible individual could
have prevented the Equifax consumer data breach);
Safeguards Workshop, at 182–84 (remarks of
Adrienne Allen) (stating that without a single
responsible individual, information security staff
‘‘can fall into traps of each relying on someone else
to make a hard call . . . [In a program without a
single coordinator] issues can sometimes fall
through the cracks.’’). Id. at 184–85 (remarks of
Michele Norin) (‘‘I think it’s extremely important to
have a person in front of the information security
program. I think that there are so many components
to understand, to manage, to keep an eye on. I think
it’s difficult to do that if it’s part of someone else’s
job. And so I found that it’s extremely helpful to
have a person in charge of that program just from
a pure basic management perspective and
understanding perspective.’’); Risk Assessment
Requirement: Id. at 25 (remarks of Chris Cronin)
(stating that evaluating the likelihoods and impacts
of potential security risks and evaluating existing
controls is an important component of a risk
assessment). Id. at 29–30 (remarks of Serge
Jorgensen) (emphasizing the importance of risk
assessments as tools for adjusting existing security
measures to account for both current and future
security threats); Encryption Requirement:
Princeton University Center for Information
Technology Policy, Comment Letter No. 54 on 2019
Safeguards and Privacy NPRM (FTC–2019–0019), at
3 (Aug. 2, 2019), https://www.regulations.gov/
document/FTC-2019-0019-0054 (noting the
effectiveness of encryption); Inpher, Inc., supra note
7, at 4; Safeguards Workshop, at 225 (remarks of
Matthew Green) (noting website usage of encryption
is above 80 percent; ‘‘Let’s Encrypt’’ provides free
TLS certificates; and costs have gone down to the
point that if a financial institution is not using TLS
encryption for data in motion, it is making an
unusual decision outside the norm). Id. at 106
(remarks of Rocio Baeza) (‘‘[T]he encryption of data
in transit has been standard. There’s no pushback
with that.’’); Multifactor Authentication
Requirement: Princeton University Center for
Information Technology Policy, supra note 10, at 6–
7; Electronic Privacy Information Center, supra,
note 7, at 8; National Consumer Law Center et al.,
supra note 7, at 2; Safeguards Workshop, at 102
(remarks of Brian McManamon) (stating that his
company TECH LOCK supports requiring multifactor authentication for users connecting from
internal networks). Id. at 266 (remarks of Matthew
Green) (explaining that passwords are not enough
of an authentication feature but when MFA is used
and deployed, the defenders can win against
attackers). Id. at 239 (describing how because smart
phones have modern secure hardware processors,
biometric sensors and readers built in, increasingly
consumers can get the security they need through
the devices they already have by storing
cryptographic authentication keys on the devices
and then using the phone to activate them);
Incident Response Plan: Credit Union National
Association, Comment Letter No. 30 on 2019
Safeguards and Privacy NPRM (FTC–2019–0019), at
2 (Aug. 1, 2019), https://www.regulations.gov/
document/FTC-2019-0019-0030 (noting that that an
incident response plan ‘‘helps ensure that an entity
is prepared in case of an incident by planning how
it will respond and what is required for the
response.’’). Consumer Reports, supra note 7, at 6
(observing that ‘‘a written incident response plan is
an essential component of a good security
system.’’); HITRUST, Comment Letter No. 18 on
2019 Safeguards and Privacy NPRM (FTC–2019–
0019), at 2 (July 1, 2019), https://
www.regulations.gov/document/FTC-2019-00190018 (commenting that incident response plans can
help organizations ‘‘to better allocate limited
resources.). Safeguards Workshop, at 52 (remarks of
Serge Jorgenson) (observing that a prompt response
to an incident can prevent a ‘‘threat actor running
around in my environment for days, months, years,
VerDate Sep<11>2014
18:18 Dec 08, 2021
Jkt 256001
The amended Rule requires that financial
institutions’ information security plans
address such core concepts as controlling
who is accessing their system,11
understanding their system,12 monitoring
what users do in their system,13 and
protecting the information contained in their
system.14 More particularly, it also requires
encryption of customer information and the
use of multifactor authentication. Adopting
these practices will reduce the chances of a
breach occurring.
In fact, it is likely that the massive breach
at Equifax could have been prevented or
mitigated by adopting practices required by
these amendments. For example, the
Commission’s complaint alleged that the
vulnerability that led to the breach was not
detected for four months because Equifax’s
automated vulnerability scanner was not
configured to scan all of the networks in the
system, something that could have been
prevented if Equifax had performed an
adequate inventory of its system as required
by § 314.4(c)(2) of the amended Rule.15
Equifax allegedly did not encrypt the data of
145 million consumers as required by
§ 314.4(c)(3) of the amended Rule; such
encryption might have prevented the
intruders from misusing individuals’
sensitive information, even if they were able
to obtain it.16 In addition, the complaint
charged that Equifax did not adequately
monitor activity on its network, which
allowed intruders to access and use their
network undetected for months; such
monitoring will be required by
§ 314.4(c)(8).17 Finally, and perhaps most
importantly, Equifax split authority over its
information security program between two
people, which caused failures of
and able to access anything they want.’’); Board
Reporting Requirement: Workshop participants
Adrienne Allen, Karthik Rangarajan, and Michele
Norin each emphasized that such reporting can aid
decision making. See Safeguards Workshop, at 201–
09; see also Rocio Baeza, Comment Letter No. 12
on Workshop Comment Docket (FTC–2020–0038),
at 3–8 (Aug. 12, 2020), https://www.regulations.gov/
comment/FTC-2020-0038-0012 (supporting
requirement and providing sample report form and
compliance questionnaire); Juhee Kwon et al., The
Association Between Top Management Involvement
and Compensation and Information Security
Breaches, J. L. Info. Sys., at 219–236 (2013) (‘‘. . .
the involvement of an IT executive decreases the
probability of information security breach reports
by about 35 percent . . .’’); Julia L. Higgs et al., The
Relationship Between Board-Level Technology
Committees and Reported Security Breaches, J. L.
Info. Sys., at 79–98 (2016) (‘‘[A]s a technology
committee becomes more established, its firm is not
as likely to be breached. To obtain further evidence
on the perceived value of a technology committee,
this study uses a returns analysis and finds that the
presence of a technology committee mitigates the
negative abnormal stock returns arising from
external breaches.’’).
11 16 CFR 314.4(c)(1).
12 16 CFR 314.4(c)(2).
13 16 CFR 314.4(c)(8).
14 16 CFR 314.4(c)(3) and 314.4(c)(5).
15 Compl. for Permanent Injunction & Other
Relief., FTC v. Equifax, Inc., No. 1:19–mi–99999–
UNA (N.D. Ga. July 22, 2019) ¶ 17.
16 Id. ¶ 22.E.
17 Id. ¶ 22.F.
PO 00000
Frm 00040
Fmt 4701
Sfmt 4700
communications and oversight.18 Indeed, the
U.S. House Committee on Oversight and
Government identified Equifax’s organization
as one of the major causes of the breach.19
Appointing a single Qualified Individual as
the coordinator of Equifax’s information
security system, as required by § 314.4(a) of
the amended Rule, could have helped
prevent or limit the scope of one of the
largest breaches in American history. By
implementing the measures required in the
amended Rule, financial institutions will
prevent or mitigate many future breaches,
protecting consumers and their information.
There is also no support for the dissent’s
notion that the amendments eliminate
financial institutions’ flexibility in a way that
will hurt smaller businesses. The
amendments require that information
security programs address certain aspects of
security, but do not prescribe any particular
method for doing so. Specifically, the
amended Rule requires that the information
security program address areas such as access
control, change management, information
disposal, and monitoring user activity, but it
does not require that financial institutions
take any particular action in those areas. In
fact, the Rule recognizes the concerns of
small businesses and adopts appropriate
flexibilities. Section 314.6 of the revised Rule
exempts financial institutions that maintain
information concerning fewer than 5,000
consumers from certain requirements. In
addition, financial institutions with smaller
and simpler systems may determine that
minimal procedures are required in those
areas, and they retain flexibility under these
amendments to follow that route. Moreover,
the record contains significant evidence that
there are free and low-cost solutions for
smaller businesses with more modest data
security needs.20
18 While the dissent questions the requirements in
the Rule regarding elevating security issues to the
top levels of the corporate structure, research
supports these requirements. Boards are becoming
increasingly involved in cybersecurity governance,
as demonstrated by surveys of practitioners and the
growth of literature aimed at educating board
members on cybersecurity. Some studies suggest
that Board attention to data security decisions can
dramatically improve data safeguarding. For
example, one study found a 35% decrease in the
probability of information security breaches when
companies include the Chief Information Security
Officer (or equivalent) in the top management team
and the CISO has access to the board. See Juhee
Kwon et al., supra note 10. see also Safeguards
Workshop, at 201–09.
19 U.S. H. Rep. Comm. on Oversight and Gov.
Reform, Majority Staff Report on The Equifax Data
Breach, 115th Cong., at 55–62 (Dec. 2018).
20 See, e.g., Safeguards Workshop, at 267 (remarks
of Wendy Nather) (‘‘we have a lot more options, a
lot more technologies today than we did before that
are making both of these solutions, both encryption
and MFA, easier to use, more flexible, in some cases
cheaper, and we should be encouraging their
adoption wherever possible.’’). Id. at 265–66
(remarks of Matthew Green) (‘‘I think that we’re in
a great time when we’ve reached the point where
we can actually mandate that encryption be
used. . . . And we’ve reached the point where now
it is something that’s come to be and we can
actually build well.’’). Id. at 229–30 (remarks of
Randy Marchany) (noting that encryption is already
built into the Microsoft Office environment and that
a number of Microsoft products, such as
Spreadsheets, Excel, Docs, and PowerPoint, support
that encryption feature). Id. at 225. Id. at 106
(remarks of Rocio Baeza) (‘‘[T]he encryption of data
in transit has been standard. There’s no pushback
with that.’’). Id. at 74 (remarks of James Crifasi)
(stating that car dealerships can rely on existing
staff for the role of Qualified Individual). Id. at 78–
79 (remarks of Lee Waters) (stating that any
dealership with any IT staff at all would have
someone who could assume the role of ‘‘qualified
individual,’’ perhaps requiring some additional
research or outside help). Id. at 81–82 (remarks of
Rocio Baeza) (stating that companies may use an
existing employee for the role and ‘‘for any areas
where there may be skill gaps, that can be
supplemented with either certifications or some
type of education.’’). Id. at 89–90 (remarks of Brian
McManamon) (noting that the size of a financial
institution and the amount and nature of the
information that it holds factor into an appropriate
information security program); Presentation Slides,
Inf. Security & Fin. Inst.: An FTC Workshop of GLB
Safeguards, at 27–28 (July 13, 2020) (slides
accompanying remarks of Rocio Baeza, ‘‘Models for
Complying to the Safeguards Rule Changes’’)
(‘‘Safeguards Workshop Presentation Slides’’)
https://www.ftc.gov/system/files/documents/
public_events/1567141/slides-glb-workshop.pdf
(describing three different compliance models: In-house, outsource, and hybrid, with costs ranging
from $199 per month to more than $15,000 per
month). Safeguards Workshop, at 81–83 (remarks of
Rocio Baeza) (describing three compliance models
in more detail); Safeguards Workshop Presentation
Slides, at 29 (remarks of Brian McManamon,
‘‘Sample Pricing’’) (estimating the cost of
cybersecurity services based on number of
endpoints). Id. at 83–85.
We believe that these amendments
represent a much-needed step forward in
protecting Americans’ data security. Given
growing recognition that the requirements
captured in the Rule represent best practices,
some financial institutions seem to have
already taken appropriate steps to protect
customers’ data and meet the requirements
set out in the amended Rule. It is important,
though, to require those that lag behind to
strengthen their security and prevent future
breaches before they occur, rather than in the
wake of a devastating breach after the damage
has already been done.
Joint Statement of Commissioners Noah
Joshua Phillips and Christine S. Wilson in
the Matter of the Final Rule Amending the
Gramm-Leach-Bliley Act’s Safeguards Rule
In 1999, Congress passed the Gramm-Leach-Bliley Act, which charged the Federal
Trade Commission (the ‘‘Commission’’) with
promulgating and enforcing a regulation to
ensure that financial firms take care to
safeguard the information they collect from
consumers.1 The Safeguards Rule 2 has
established more data security obligations for
consumer financial data than for data
collected by non-financial firms, a gap that
underlies our view—shared by our
colleagues—that congressional data security
legislation is warranted.
1 Public Law 106–102, 113 Stat. 1338 (1999).
Notably, even as it transferred authority for other
consumer financial regulation to the Consumer
Financial Protection Bureau in the Dodd-Frank Act,
Congress left this rulemaking authority with the
Commission, a vote of confidence in our approach.
15 U.S.C. 6804(a)(1).
2 16 CFR part 314.
One hallmark of the Safeguards Rule is its
recognition that, in a world of continuously
evolving threats and standards, a one-size-fits-all approach to data security may not
work. Under Democratic and Republican
leadership, the Commission has repeatedly
emphasized this principle.3 We have
traditionally eschewed an overly prescriptive
approach, both to data security in general
and to the Safeguards Rule itself.4 The FTC
has never demanded ‘‘perfect’’ security
because the Commission has recognized that
data security is neither cost- nor
consequence-free, and often requires
tradeoffs.5 At the same time, during our
tenure, the Commission has continued to
enforce data security standards vigorously,
including those embodied in the Safeguards
Rule.6
In March 2019, the Commission approved
a Notice of Proposed Rulemaking (‘‘NPRM’’)
proposing additional requirements to the
3 See, e.g., Federal Trade Commission, Statement
Marking the FTC’s 50th Data Security Settlement,
at 1 (Jan. 31, 2014), https://www.ftc.gov/system/
files/documents/cases/140131gmrstatement.pdf
(‘‘FTC Data Security Statement’’) (‘‘Through its
settlements, testimony, and public statements, the
Commission has made clear that it does not require
perfect security; reasonable and appropriate
security is a continuous process of assessing and
addressing risks; there is no one-size-fits-all data
security program; and the mere fact that a breach
occurred does not mean that a company has
violated the law.’’); see also Prepared Statement of
the Federal Trade Commission: Before the
Committee on Homeland Security and
Governmental Affairs Permanent Subcommittee on
Investigations, 116 Cong. 3 (2019) (statement of
Andrew Smith, Director, Bureau of Consumer
Protection) (‘‘[t]here is no one-size-fits-all data
security program . . .’’), https://www.ftc.gov/
system/files/documents/public_statements/
1466607/commission_testimony_re_data_security_
senate_03072019.pdf. Federal Trade Commission,
Stick with Security: A Business Blog Series (Oct.
2017), https://www.ftc.gov/news-events/blogs/
business-blog/2017/10/stick-security-ftc-resources-your-business.
4 FTC Notice of Proposed Rulemaking, 84 FR
13158 (Apr. 4, 2019), https://
www.federalregister.gov/documents/2019/04/04/
2019-04981/standards-for-safeguarding-customer-information (‘‘The Commission continues to believe
that a flexible, non-prescriptive Rule enables
covered organizations to use it to respond to the
changing landscape of security threats, to allow for
innovation in security practices, and to
accommodate technological changes and
advances.’’).
5 Under the FTC’s unfairness authority, the
Commission brings cases when companies under its
jurisdiction fail to employ ‘‘reasonable’’ security.
FTC Data Security Statement, supra note 3 (‘‘The
touchstone of the Commission’s approach to data
security is reasonableness: a company’s data
security measures must be reasonable and
appropriate in light of the sensitivity and volume
of consumer information it holds, the size and
complexity of its business, and the cost of available
tools to improve security and reduce
vulnerabilities.’’).
6 See, e.g., In the matter of Ascension Data &
Analytics, LLC, FTC File No. 1923126 (2020),
https://www.ftc.gov/enforcement/cases-proceedings/192-3126/ascension-data-analytics-llc-matter; U.S. v. Mortgage Solutions FCS, Inc., Civ.
Action No. 4:20–cv–110 (N.D. Cal 2020), https://
www.ftc.gov/enforcement/cases-proceedings/182-3199/mortgage-solutions-fcs-inc; FTC v. Equifax,
Inc., Civ. Action No. 1:19–cv–03297–TWT (N.D. Ga.
2019), https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc.
Safeguards Rule. While we recognize the
value in regularly reviewing our rules and
updating them as needed, we dissented then
because the proposal lacked data
demonstrating the need for and efficacy of
the proposed amendments.7
We appreciate Staff’s diligent work on this
rule and many of the modifications made to
the original proposal. The Federal Register
Notice does a commendable job of presenting
the full panoply of comments that the
Commission received. The FTC is at its best
when it seeks input from experts, industry,
and consumer groups; this rulemaking
process reflects a commitment to that
approach. But the comment period did not
produce data demonstrating that the previous
iteration of the rule was inadequate, or that
the costs and consequences of the new
prescriptive obligations will translate into
actual consumer safeguards. That was our
concern, and the comments did not allay it.
In fact, as several commenters observed,
the new prescriptive requirements could
weaken data security by diverting finite
resources towards a check-the-box
compliance exercise and away from risk
management tailored to address the unique
security needs of individual financial
institutions. It is ironic that the revisions
mandate a risk assessment and then order
firms to prioritize specified precautions
ahead of the risks and needs counseled by
that assessment. The revisions also impose
intrusive corporate governance obligations
wholly unsupported by record evidence of
prevalent failures at the senior managerial
level.
For these reasons, which we explain more
fully below, we dissent.
The Record Fails To Provide a Basis for the
New Requirements
We expressed concern in March 2019 that
some of the proposals in the NPRM tracked
issues that arose in cases involving firms not
covered by the Safeguards Rule. That is,
those failures occurred at companies to
which the Safeguards Rule did not apply.
And heightened obligations imposed in a
settlement context, when a company has
engaged in risky and allegedly illegal
behavior, may not be appropriate for all
market participants. We did not see evidence
that covered firms had a systematic
problem—i.e., that the Rule was not
7 Dissenting Statement of Commissioner Noah
Joshua Phillips and Commissioner Christine S.
Wilson, Review of Safeguards Rule (Mar. 5, 2019),
https://www.ftc.gov/system/files/documents/
public_statements/1466705/reg_review_of_
safeguards_rule_cmr_phillips_wilson_dissent.pdf;
see, e.g., Noah Joshua Phillips (@FTCPhillips),
Twitter (Mar. 5, 2019, 3:08 p.m.), https://
twitter.com/FTCPhillips/status/
1103024596247289867 (‘‘A reexamination of the
Rule may indeed be appropriate and necessary; but,
before we borrow from other existing schemes, we
must first understand whether the existing Rule is
inadequate for its purpose and whether the data
supports the efficacy of the alternatives.’’); Christine
S. Wilson, Remarks at NAD 2020, One Step
Forward, Two Steps Back: Sound Policy on
Consumer Protection Fundamentals 7–8 (Oct. 5,
2020), https://www.ftc.gov/system/files/documents/
public_statements/1581434/wilson_remarks_at_
nad_100520.pdf.
working.8 The Commission can—and does—
promote best practices and reasonable care
requirements through speeches, guidance,
reports, and the like, to help financial firms
evaluate whether they are taking proper
precautions.9 But new rules that set concrete
standards for all companies, regardless of
risk, require more justification. Such rules
make companies liable for penalties, and
could focus efforts on compliance to address
penalty deterrence rather than risk.
Dozens of commenters have shared their
views on the Safeguards proposal, and FTC
Staff held a workshop to evaluate the need
to change the Rule. While there is no
shortage of opinions as to the need and
benefits of the proposed changes (nor is there
a shortage of opinions critiquing the new
requirements), this process failed to provide
evidence of market failure or other systemic
problems 10 necessitating the proposed
changes for firms already governed by the
requirements of the Rule. In fact, one
commenter that generally supported the rule
changes noted that it was not clear that the
new rules would have prevented the alleged
lapses that led to the Equifax breach, the
largest Safeguards case on record.11
8 Commenters on the proposed rules reflected
these same concerns. See, e.g., CTIA (comment 34,
NPRM) at 4, https://www.regulations.gov/comment/
FTC/2019-0019-0034 (observing that most examples
cited in the NPRM are from non-financial firms and
arguing that the FTC’s action in Equifax
demonstrated that the agency is able to use the
current framework effectively); Global Privacy
Alliance (comment 38, NPRM) at 4, https://
www.regulations.gov/comment/FTC/2019-0019-0038 (the changes to the rules started not from FTC
experience but rather from state laws); Electronic
Transactions Association (comment 27, NPRM),
https://www.regulations.gov/comment/FTC/2019-0019-0027 (the current rule is effective and there
are no harms that warrant these changes); National
Automobile Dealers Association (comment 46,
NPRM) at 6, https://www.regulations.gov/comment/
FTC/2019-0019-0046 (‘‘[N]ew requirements for all
financial institutions should not be based on
unrelated enforcement actions that may not be
generally applicable to all financial institutions
subject to the Rule.’’).
9 Federal Trade Commission, Data Security,
https://www.ftc.gov/datasecurity.
10 One study cited by commenters pointed toward
widespread problems among fintech firms
‘‘including misuse of cryptography, use of weak
cryptography, and excessive permission
requirements.’’ The Clearing House Association
LLC (comment 49, NPRM) at 7–9, https://
www.regulations.gov/comment/FTC/2019-0019-0049 (citing a 2018 study by the Center for
Financial Inclusion, https://content.centerforfinancialinclusion.org/wp-content/uploads/sites/2/
2018/09/CFI43-CFI_Online_Security-Final-2018.09.12.pdf). This study included firms from
around the world and did not indicate that this
limited set of issues arose in U.S. firms covered by
the Safeguards Rule. See also National Automobile
Dealers Association (comment 46, NPRM) at 46,
https://www.regulations.gov/comment/FTC/2019-0019-0046 (‘‘These requirements have largely not
been proven to be necessary or effective.’’).
Participants at the FTC’s July 2020 Workshop
generally agreed that companies could invest more
in security, but the fact of under-investment does
not mean that these changes to the Safeguards Rule
constitute the best course of action. FTC,
Information Security and Financial Institutions: An
FTC Workshop to Examine Safeguards Rule Tr. at
23–70 (July 13, 2020), https://www.ftc.gov/system/
files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf (‘‘Safeguards
Workshop’’).
That these proposals may constitute best
practices appropriate to certain firms or
situations does not justify imposing them on
every firm and in every situation.12 The FTC
historically has been appropriately cautious
in mandating specific security practices, and
we see no sound basis in the rulemaking
record to change that approach.13
The Revised Safeguards Rule Is Premature
In our 2019 statement, we expressed
concern that the proposals in the NPRM were
premature. They are based in large part on
the New York Department of Financial
Service data security rules,14 adopted in
2016. At the same time, Congress and the
Executive Branch were evaluating new
privacy and data security legislation that may
overlap with the proposed amendments.15
Since our original statement, we have been
provided with no additional information on
the impact and efficacy of the NYDFS rules.16
Without this critical input, we do not believe
adopting wholesale the NYDFS approach is
the prudent course.17 We would have been
better served by monitoring the efficacy,
costs and unintended consequences of the
NYDFS rules during this ramp-up period.
Imposing similar rules on far more firms
across a broader array of industries makes
even less sense.
Congress, with the encouragement of the
Commission, has continued to consider
legislative initiatives in this area. Throughout
2019, 2020 and 2021, we saw the release of
several draft bills addressing data security, as
well as privacy.18 And other developments,
such as data security requirements of the
General Data Protection Regulation 19 and
new cybersecurity incidents 20 ensure that
11 Consumer Reports (comment 52, NPRM),
https://www.regulations.gov/comment/FTC/2019-0019-0052 at 2. Not all the commenters agreed with
this perspective, and some felt that these rules
would have prevented the Equifax breach. See
National Consumer Law Center and others
(comment 58, NPRM), https://www.regulations.gov/
comment/FTC/2019-0019-0058. Chair Khan and
Commissioner Slaughter focus on the Equifax
breach to justify the adoption of prescriptive and
complex data security measures, measures that
match the sophistication and complexity of the
consumer financial data managed by one of the
largest credit bureaus. But even assuming the new
rules would have prevented it, one (albeit) high-profile breach, without more, should not be
extrapolated to an entire industry with diverse
business models housing varied consumer financial
data. Reasonable safeguards for a company like
Equifax, based on its size and complexity, the
nature and scope of its activities, and the sensitivity
of the information involved, would likely outpace
procedures that would be appropriate or reasonable
for a sole proprietorship or small business.
12 While the Final Rule is based on proposals
from New York State Department of Financial
Services (‘‘NYDFS’’), the FTC imposes its
requirements much more broadly than the NYDFS
Cybersecurity Requirements for Financial Services
Companies, 23 NYCRR Pt. 500. The NYDFS
requirements exempt a much larger cross-section of
organizations from the most onerous, prescriptive,
and expensive provisions in their rule. 23 NYCRR
§ 500.19. Nor do the exceptions in the Final Rule,
while helpful, suffice.
13 Unfortunately, this is not the first time this
Commission has emphasized what we can do over
what we should do. See, e.g., Joint Statement of
Commissioners Noah Joshua Phillips and Christine
S. Wilson, In the matter of Resident Home LLC,
Commission File No. 2023179 (Oct. 7, 2021),
https://www.ftc.gov/system/files/documents/
public_statements/1597270/resident_home_
dissenting_statement_wilson_and_phillips_final_
0.pdf; Joint Statement of Commissioners Noah
Joshua Phillips and Christine S. Wilson, U.S. v.
iSpring Water Systems, LLC, Commission File No.
C4611 (Apr. 12, 2019), https://www.ftc.gov/system/
files/documents/public_statements/1513499/
ispring_water_systems_llc_c4611_modified_joint_
statement_of_commissioners_phillips_and_wilson_
4-12.pdf.
14 Cybersecurity Requirements for Financial
Services Companies, 23 NYCRR Pt. 500 (2016).
15 See Consumer Data Industry Association
(comment 36, NPRM) at 2, https://
www.regulations.gov/document?D=FTC-2019-0019-0036 (noting that the NY rule is too recent and
Congress is debating new legislation that should be
left to Congress to resolve); National Automobile
Dealers Association (comment 46, NPRM) at 46,
https://www.regulations.gov/comment/FTC-2019-0019-0046 (The new rules ‘‘are premature as they
are based on untested and new standards in a
rapidly changing environment, and in a context
where federal debate is ongoing.’’); New York
Insurance Association (comment 31, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0031 (it is premature to adopt these rules
without the benefit of the state’s experience).
16 We appreciate the time and resources the
NYDFS invested in commenting on our proposed
rule. Though the NYDFS does say that its rules have
‘‘enhanced cybersecurity protection across the
financial industry and fostered an environment in
which the threat of a cyber attack is taken seriously
at all levels of New York’s financial services firms,’’
it offers no supporting data. New York State
Department of Financial Services (comment 40,
NPRM), https://www.regulations.gov/comment/
FTC-2019-0019-0040.
17 As several commenters pointed out, the NYDFS
rules are more nuanced than the amendments
introduced today. For instance, under the NYDFS
regulations, certain additional requirements only
apply to a category of sensitive data, a limitation
not carried through to the Safeguards Rule. See, e.g.,
U.S. Chamber of Commerce (comment 33, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0033; CTIA (comment 34, NPRM), https://
www.regulations.gov/comment/FTC/2019-0019-0034; Electronic Transactions Association
(comment 27, NPRM), https://www.regulations.gov/
comment/FTC/2019-0019-0027. These distinctions
only raise more questions and concerns about
basing our regulations on the New York rules.
18 See, e.g., Fourth Amendment is Not for Sale
Act, S. 1265, 117th Cong. (2021); Data Care Act of
2021, S. 919, 117th Cong. (2021); Data Protection
Act of 2021, S. 2134, 117th Cong. (2021); SAFE
DATA Act, S. 2499, 117th Cong. (2021); Consumer
Online Privacy Rights Act, S. 2968, 116th Cong.
(2019). See also, California Privacy Rights Act of
2020, Cal. Civ. Code § 1798.100 et seq.; Virginia
Consumer Data Protection Act, Va. Code § 59.1–575
et seq.; and Colorado Privacy Act, 2021 Colo. ALS
483, 2021 Colo. Ch. 483, 2021 Colo. SB. 190.
19 Council Directive 2016/679, art. 32 2016 O.J.
(L119).
20 See, e.g., Joseph Menn and Christopher Bing,
Hackers of SolarWinds stole data on U.S. sanctions
policy, intelligence probes, Reuters (Oct. 8, 2021),
https://www.reuters.com/world/us/hackers-solarwinds-breach-stole-data-us-sanctions-policy-intelligence-probes-2021-10-07/; Stephanie Kelly
and Jessica Resnick-ault, One password allowed
hackers to disrupt Colonial Pipeline, CEO tells
senators, Reuters (June 8, 2021), https://
www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08; Carly Page, The Accellion
data breach continues to get messier, TechCrunch
(July 8, 2021), https://techcrunch.com/2021/07/08/
the-accellion-data-breach-continues-to-get-messier/;
Peter Valdes-Dapena, Volkswagen hack: 3 million
customers have had their information stolen, CNN
(June 11, 2021), https://www.cnn.com/2021/06/11/
cars/vw-audi-hack-customer-information/
index.html.
these issues will continue to draw
congressional attention. The decisions about
tradeoffs in this space are complex and
significant for consumers, business, and
government; intrusive mandates are best left
to the people’s representatives rather than to
the vagaries of the administrative rulemaking
process.21
The Revised Rules Inhibit Flexibility and
Impose Substantial Costs
The Safeguards Rule originally drafted and
evaluated by the Commission embraced a
flexible approach, emphasizing protections
targeted to a company’s size and risk
profile.22 As we wrote in 2019, these new
rules move us away from that approach; that
loss of flexibility will impose costs without
necessarily improving safeguards for
consumer data, which should be the point of
this exercise.
Commenters and the Commission itself
have noted that there are financial impacts to
these new requirements.23 The Small
Business Administration’s Office of
21 Sen. Roger Wicker, Rep. Cathy McMorris
Rodgers, & Noah Phillips, FTC must leave privacy
legislating to Congress, Wash. Examiner (Sept. 29,
2021), https://www.washingtonexaminer.com/
opinion/op-eds/ftc-must-leave-privacy-legislating-to-congress. Substance aside, businesses and
consumers need confidence to plan around new
rules. As the recent—and perhaps future—debate
about net neutrality rules has demonstrated, agency
rules are subject to disruptive swings that
undermine such confidence.
22 The Commission itself acknowledges the
importance of flexibility in issuing the Final Rule.
See, e.g., Final Rule at 27 (‘‘The Commission,
however, believes that the elements provide
sufficient flexibility for financial institutions to
adopt information security programs suited to the
size, nature, and complexity of their organization
and information systems.’’).
23 See Final Rule; American Council on
Education (comment 24, NPRM) at 13–14, https://
www.regulations.gov/comment/FTC-2019-0019-0024; Wisconsin Bankers Association (comment 37,
NPRM) at 1–2, https://www.regulations.gov/
comment/FTC-2019-0019-0037; American Financial
Services Association (comment 41, NPRM) at 4,
https://www.regulations.gov/comment/FTC-2019-0019-0041; National Association of Dealer Counsel
(comment 44, NPRM) at 1, https://
www.regulations.gov/comment/FTC-2019-0019-0044; National Automobile Dealers Association
(comment 46, NPRM) at 11, https://
www.regulations.gov/comment/FTC-2019-0019-0046; National Independent Automobile Dealers
Association (comment 48, NPRM) at 3, https://
www.regulations.gov/comment/FTC-2019-0019-0048; Gusto and others (comment 11, Workshop) at
2–4, https://www.regulations.gov/comment/FTC-2019-0019-0011; National Pawnbrokers Association
(comment 3, NPRM) at 2, https://
www.regulations.gov/comment/FTC-2019-0019-0032; see also Remarks of James Crifasi, Safeguards
Workshop, supra note 10, Tr. at 72–74, https://
www.ftc.gov/system/files/documents/public_events/
1567141/transcript-glb-safeguards-workshop-full.pdf (study showing that compliance costs are
unaffordable for small businesses).
Advocacy stated its belief that the
Commission itself does not appear to
understand fully the economic impact of the
proposed changes to the Safeguards Rule.24
The burden of these new rules may also
reduce competition and innovation, as
smaller firms less able to absorb the financial
costs cede ground to larger firms better
equipped to handle new regulatory
mandates.25
Security itself may also suffer. A series of
specific rules can incentivize companies to
move from a thoughtful assessment of risk
and precautions to a check-the-box exercise
to ensure that they are complying with
regulatory mandates—in other words, from a
focus on real security to an emphasis on rule
compliance.26 One commenter cited data
24 Small Business Administration Office of
Advocacy (comment 28, NPRM) at 3–4, https://
www.regulations.gov/comment/FTC-2019-0019-0028 (‘‘An agency cannot consider alternatives that
minimize any significant economic impact if the
agency does not know what the economic impact
of the proposed action is.’’).
25 See CTIA (comment 34, NPRM), https://
www.regulations.gov/comment/FTC-2019-0019-0034 (noting the need for more study on the costs
to competition); U.S. Chamber of Commerce
(comment 33, NPRM) at 4, https://
www.regulations.gov/comment/FTC-2019-0019-0033 (‘‘Some private organizations can absorb the
added costs, while others cannot.’’). See also
Christine S. Wilson, Remarks at the Future of
Privacy Forum, A Defining Moment for Privacy:
The Time is Ripe for Federal Privacy Legislation 13
(Feb. 6, 2020), https://www.ftc.gov/system/files/
documents/public_statements/1566337/
commissioner_wilson_privacy_forum_speech_02-06-2020.pdf (‘‘Importantly, the legislative
framework should also consider competition.
Regulations, by their nature, will impact markets
and competition. GDPR may have lessons to teach
us in this regard. Research indicates that GDPR may
have decreased venture capital investment and
entrenched dominant players in the digital
advertising market.’’); Noah Joshua Phillips,
Prepared Remarks at Internet Governance Forum
USA, Keep It: Maintaining Competition in the
Privacy Debate (July 27, 2018), https://www.ftc.gov/
system/files/documents/public_statements/
1395934/phillips_-_internet_governance_forum_7-27-18.pdf (discussing the competition impacts of
new privacy rules).
26 See U.S. Chamber of Commerce (comment 33,
NPRM), https://www.regulations.gov/comment/
FTC-2019-0019-0033; Consumer Data Industry
Association (comment 36, NPRM), https://
www.regulations.gov/comment/FTC-2019-0019-0036; Global Privacy Alliance (comment 38,
NPRM), https://www.regulations.gov/comment/
FTC/2019-0019-0038. While some parts of the rule,
such as encryption requirements, allow security
officials to make a written determination that a
different precaution is appropriate, it seems
unlikely that any individual security official will
risk liability to make such a determination and the
specific requirements here will likely become the
default rule. American Council on Education
(comment 24, NPRM) at 12, https://
www.regulations.gov/comment/FTC-2019-0019-0024 (‘‘In the absence of a clear delineation by the
Commission of what alternatives an institutional
information security executive might approve that
the Commission considers reasonably equivalent,
and assurance that they are reasonably applicable
in our contexts, that pressure release valve in the
requirement seems unlikely to release much
pressure.’’); Software Information & Industry
Association (comment 29, NPRM) at 3, https://
www.regulations.gov/comment/FTC-2019-0019-0056 (‘‘The mere threat of a per se law violation
will chill these approvals except in the most
ironclad circumstances, thereby potentially
thwarting industry-wide adoption of new and better
security standards.’’); New York Insurance
Association (comment 31, NPRM), https://
www.regulations.gov/comment/FTC-2019-0019-0031 (‘‘This runs the risk that companies might feel
compelled to encrypt all consumer data regardless
of whether the CISO’s compensating controls would
be second guessed in the event a company were to
lose unencrypted customer information.’’);
Mortgage Bankers Association (comment 26, NPRM)
at 4, https://www.regulations.gov/comment/FTC-2019-0019-0026 (noting the obligation to prepare an
incident response plan had ‘‘the potential to cripple
small businesses under the pressure of repeatedly
checking the boxes for potential harmless events.’’).
demonstrating that when security personnel
are busy with compliance and regulatory
response, they have less time to focus on a
firm’s actual security needs.27 Further,
without the flexibility to prioritize, finite
resources may be diverted to areas of lower
risk but higher regulatory scrutiny; 28
commenters noted the irony of mandating a
risk assessment and then ordering firms to
prioritize specified precautions ahead of the
risks and needs counseled by that
assessment.29 And potentially innovative
security practices that address changing
threats and needs may be discouraged.30 As
27 Bank Policy Institute (comment 39, NPRM) at
6, https://www.regulations.gov/comment/FTC-2019-0019-0039 (‘‘When the sector surveyed its
information security teams in late 2016, CISOs
reported that approximately 40% of their cyber
team’s time was spent on compliance related
matters, not on cybersecurity. Due to one
framework issuance, in particular, the
reconciliation process delayed one firm’s
implementation of a security event monitoring tool
intended to better detect and respond to cyberattacks by 3–6 months. With respect to another
issuance, another firm stated that 91 internal
meetings were held to determine how that issuance
aligned with its program and in gathering data for
eventual regulatory requests.’’).
28 See U.S. Chamber of Commerce (comment 33,
NPRM) at 4, https://www.regulations.gov/comment/
FTC-2019-0019-0033 (‘‘the proposed requirements
would increasingly divert company resources
toward compliance and away from risk
management activities that are tailored to
businesses’ unique security needs.’’); Software
Information & Industry Association (comment 29,
NPRM) at 3, https://www.regulations.gov/comment/
FTC-2019-0019-0056 (‘‘The effect of a prescriptive
approach in this enforcement structure is to place
companies in the position of forced compliance
with potentially unnecessary or inapplicable
requirements without the appropriate process for
these covered entities to explain to a supervisory
authority why it is unnecessary.’’); American
Financial Services Association (comment 41,
NPRM), https://www.regulations.gov/comment/
FTC-2019-0019-0041. In some cases, asking too
much of small businesses for whom all this is a
substantial undertaking may lead them to fail at
even the basic protections. Safeguards Workshop,
supra note 10, Tr. at 118–19 (July 13, 2020), https://
www.ftc.gov/system/files/documents/public_events/
1567141/transcript-glb-safeguards-workshopfull.pdf.
29 See Bank Policy Institute (comment 39, NPRM),
https://www.regulations.gov/comment/FTC-20190019-0039; Money Services Round Table (comment
53, NPRM), https://www.regulations.gov/comment/
FTC-2019-0019-0053.
30 See Consumer Data Industry Association
(comment 36, NPRM) at 7–8, https://
www.regulations.gov/comment/FTC-2019-0019-
E:\FR\FM\09DER3.SGM
Continued
09DER3
70314
Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations
one commenter noted, ‘‘[e]ven today’s best
practices will be overtaken by future changes
in both technology and the capabilities of
threat actors,’’ 31 and these proscriptive rules
lose the ‘‘self-modernizing’’ nature of flexible
requirements,32 locking in place the primacy
of current practices.33
The reduction in flexibility and imposition
of these costs must be justified by a
significant reduction in risk or some other
substantial consumer benefit. But the record
provides scant support for these tradeoffs. Or
as one commenter put it:
[A]s with many of these requirements, we
do not take issue with the notion that there
is merit to this step [requiring monitoring],
and that many financial institutions will
implement some version of this control.
However, by making this an explicit, standalone requirement, the Commission is
enshrining costs and efforts that will be
khammond on DSKJM1Z7X2PROD with RULES3
0036 (minimization requirement can impact
innovative uses more broadly).
31 See Cisco Systems Inc. (comment 51, NPRM) at
3, https://www.regulations.gov/comment/FTC-20190019-0051 (noting also in the context of multi-factor
authentication that there will come a time when it
is no longer the ‘‘appropriate baseline’’ and
‘‘covered entities could find themselves in full
compliance with the rule as long as they use access
control technology no less protective than MFA as
defined in the Proposed Amendments.’’).
32 National Automobile Dealers Association
(comment 46, NPRM), https://www.regulations.gov/
comment/FTC-2019-0019-0046.
33 See CTIA (comment 34, NPRM) at 3–5, https://
www.regulations.gov/comment/FTC-2019-00190034 (flexibility in the rule allowed it to keep up
with evolving threats, whereas new rule could limit
innovation); HITRUST Alliance (comment 18,
NPRM), https://www.regulations.gov/comment/
FTC-2019-0019-0018 (expressing concern about
creating outdated requirements); The American
Financial Services Association (comment 41,
NPRM), https://www.regulations.gov/comment/
FTC-2019-0019-0041.
VerDate Sep<11>2014
18:18 Dec 08, 2021
Jkt 256001
extensive and will likely not be needed in all
circumstances.34
The Rules Involve the FTC in the Internal
Governance Decisions of Covered Firms
The specifics of the proposals also raise
issues, as we expressed in 2019, with regard
to mandating the appropriate level of board
engagement,35 hiring and training
requirements,36 and program accountability
structures.37 We wrote then, and remain
concerned now, that the Commission is
substituting its own judgement about
governance decisions for those of private
companies covered by this Rule.
In certain extraordinary cases involving
clear evidence of management failure, we
have imposed prescriptive governance
obligations on respondents.38 Those rare and
34 National Automobile Dealers Association
(comment 46, NPRM) https://www.regulations.gov/
comment/FTC-2019-0019-0046 (arguing that the
Commission needs additional study into the costs
and benefits); See also Consumer Data Industry
Association (comment 36, NPRM), https://
www.regulations.gov/comment/FTC-2019-00190036 (benefits of new rule not justified by
tradeoffs).
35 American Council on Education (comment 24,
NPRM) at 16, https://www.regulations.gov/
comment/FTC-2019-0019-0024; National
Automobile Dealers Association (comment 46,
NPRM) at 41, https://www.regulations.gov/
comment/FTC-2019-0019-0046.
36 U.S. Chamber of Commerce (comment 33,
NPRM) at 12, https://www.regulations.gov/
comment/FTC-2019-0019-0033; National
Automobile Dealers Association (comment 46,
NPRM) at 34–36, https://www.regulations.gov/
comment/FTC-2019-0019-0046.
37 See Final Rule. See also American Council on
Education (comment 24, NPRM) at 14, https://
www.regulations.gov/comment/FTC-2019-00190024 (critiquing the intrusion on personnel
practices).
38 U.S. v. Facebook, Inc., Civ. Action No. 19–cv–
2184 (D.D.C. July 24, 2019), https://www.ftc.gov/
PO 00000
Frm 00044
Fmt 4701
Sfmt 9990
egregious instances cannot justify a similar
approach in a broad rulemaking absent a real
record of widespread corporate
mismanagement or failure at the senior
management level.
The Commission has elected to proceed
with most of these governance requirements,
forcing the hand of management and shifting
their priorities to avoid the risk of regulatory
action,39 without clear evidence of their need
or efficacy.
Conclusion
Regularly reviewing our rules to ensure
that they address the current environment is
an important part of the FTC’s regular
process. But rules have far-reaching and
frequently unintended impacts in the real
world; when imposing additional legal
obligations in the rulemaking context, we
must do so with great care. The amended
Safeguards Rule replaces a rule that has
worked well for 20 years, a rule that took a
principle-based approach in order to provide
financial institutions flexibility to determine
the appropriate and realistic security
safeguards for their organizations. The record
before us at best fails to convince that the
changes are necessary and at worst raises
concern about the substantial costs and risks
in imposing these amendments. Accordingly,
we dissent.
[FR Doc. 2021–25736 Filed 12–8–21; 8:45 am]
BILLING CODE 6750–01–P
enforcement/cases-proceedings/092-3184/facebookinc.
39 These governance rules may not even promote
security. See Consumer Data Industry Association
(comment 36, NPRM), https://www.regulations.gov/
comment/FTC-2019-0019-0036 (arguing that the
annual reporting will become a checkbox exercise).
E:\FR\FM\09DER3.SGM
09DER3
[Federal Register Volume 86, Number 234 (Thursday, December 9, 2021)]
[Rules and Regulations]
[Pages 70272-70314]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25736]
[[Page 70271]]
Vol. 86
Thursday,
No. 234
December 9, 2021
Part III
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Part 314
Standards for Safeguarding Customer Information; Final Rule
Federal Register / Vol. 86 , No. 234 / Thursday, December 9, 2021 /
Rules and Regulations
[[Page 70272]]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 314
RIN 3084-AB35
Standards for Safeguarding Customer Information
AGENCY: Federal Trade Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
issuing a final rule (``Final Rule'') to amend the Standards for
Safeguarding Customer Information (``Safeguards Rule'' or ``Rule'').
The Final Rule contains five main modifications to the existing Rule.
First, it adds provisions designed to provide covered financial
institutions with more guidance on how to develop and implement
specific aspects of an overall information security program, such as
access controls, authentication, and encryption. Second, it adds
provisions designed to improve the accountability of financial
institutions' information security programs, such as by requiring
periodic reports to boards of directors or governing bodies. Third, it
exempts financial institutions that collect less customer information
from certain requirements. Fourth, it expands the definition of
``financial institution'' to include entities engaged in activities the
Federal Reserve Board determines to be incidental to financial
activities. This change adds ``finders''--companies that bring together
buyers and sellers of a product or service--within the scope of the
Rule. Finally, the Final Rule defines several terms and provides
related examples in the Rule itself rather than incorporating them from
the Privacy of Consumer Financial Information Rule (``Privacy Rule'').
DATES:
Effective date: This rule is effective January 10, 2022.
Applicability date: The provisions set forth in Sec. 314.5 are
applicable beginning December 9, 2022.
FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773),
Katherine McCarron (202-326-2333), or Robin Wetherill (202-326-2220),
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Background
Congress enacted the Gramm Leach Bliley Act (``GLB'' or ``GLBA'')
in 1999.\1\ The GLBA provides a framework for regulating the privacy
and data security practices of a broad range of financial institutions.
Among other things, the GLBA requires financial institutions to provide
customers with information about the institutions' privacy practices
and about their opt-out rights, and to implement security safeguards
for customer information.
---------------------------------------------------------------------------
\1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------
Subtitle A of Title V of the GLBA required the Commission and other
Federal agencies to establish standards for financial institutions
relating to administrative, technical, and physical safeguards for
certain information.\2\ Pursuant to the Act's directive, the Commission
promulgated the Safeguards Rule (16 CFR part 314) in 2002. The
Safeguards Rule became effective on May 23, 2003.
---------------------------------------------------------------------------
\2\ See 15 U.S.C. 6801(b), 15 U.S.C. 6805(b)(2).
---------------------------------------------------------------------------
The current Safeguards Rule requires a financial institution to
develop, implement, and maintain a comprehensive information security
program that consists of the administrative, technical, and physical
safeguards the financial institution uses to access, collect,
distribute, process, protect, store, use, transmit, dispose of, or
otherwise handle customer information.\3\ The information security
program must be written in one or more readily accessible parts.\4\ The
safeguards set forth in the program must be appropriate to the size and
complexity of the financial institution, the nature and scope of its
activities, and the sensitivity of any customer information at
issue.\5\ The safeguards must also be reasonably designed to ensure the
security and confidentiality of customer information, protect against
any anticipated threats or hazards to the security or integrity of the
information, and protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to
any customer.\6\
---------------------------------------------------------------------------
\3\ 16 CFR 314.2(c).
\4\ 16 CFR 314.3(a).
\5\ 16 CFR 314.3(a), (b).
\6\ 16 CFR 314.3(a), (b).
---------------------------------------------------------------------------
In order to develop, implement, and maintain its information
security program, a financial institution must identify reasonably
foreseeable internal and external risks to the security,
confidentiality, and integrity of customer information that could
result in the unauthorized disclosure, misuse, alteration, destruction,
or other compromise of such information.\7\ The financial institution
must then design and implement safeguards to control the risks
identified through the risk assessment, and must regularly test or
otherwise monitor the effectiveness of the safeguards' key controls,
systems, and procedures.\8\ The Rule also requires the financial
institution to evaluate and adjust its information security program in
light of the results of this testing and monitoring, any material
changes in its operations or business arrangements, or any other
circumstances it knows or has reason to know may have a material impact
on its information security program.\9\ The financial institution must
also designate an employee or employees to coordinate the information
security program.\10\
---------------------------------------------------------------------------
\7\ 16 CFR 314.4(b).
\8\ 16 CFR 314.4(c).
\9\ 16 CFR 314.4(e).
\10\ 16 CFR 314.4(a).
---------------------------------------------------------------------------
Finally, the current Safeguards Rule requires financial
institutions to take reasonable steps to select and retain service
providers capable of maintaining appropriate safeguards for customer
information and require those service providers by contract to
implement and maintain such safeguards.\11\
---------------------------------------------------------------------------
\11\ 16 CFR 314.4(d).
---------------------------------------------------------------------------
II. Regulatory Review of the Safeguards Rule
On September 7, 2016, the Commission solicited comments on the
Safeguards Rule as part of its periodic review of its rules and
guides.\12\ The Commission sought comment on a number of general
issues, including the economic impact and benefits of the Rule;
possible conflicts between the Rule and state, local, or other Federal
laws or regulations; and the effect on the Rule of any technological,
economic, or other industry changes. The Commission received 28
comments from individuals and entities representing a wide range of
viewpoints.\13\ Most commenters agreed there is a continuing need for
the Rule and it benefits consumers and competition.\14\
---------------------------------------------------------------------------
\12\ Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7,
2016).
\13\ The 28 public comments received prior to March 15, 2019,
are posted at: https://www.ftc.gov/policy/public-comments/initiative-674.
\14\ See, e.g., Mortgage Bankers Association (comment 39, NPRM);
National Automobile Dealers Association (Comment 40, NPRM); Data &
Marketing Association (comment 38, NPRM); Electronic Transactions
Association (comment 24, NPRM); State Privacy & Security Coalition
(comment 26, NPRM).
---------------------------------------------------------------------------
On April 4, 2019, the Commission issued a notice of proposed
rulemaking (NPRM) setting forth proposed amendments to the Safeguards
Rule (the ``Proposed Rule'').\15\ In response, the Commission received
49 comments from various interested parties
[[Page 70273]]
including industry groups, consumer groups, and individual
consumers.\16\ On July 13, 2020, the Commission held a workshop
concerning the proposed changes and conducted panels with information
security experts discussing subjects related to the Proposed Rule.\17\
The Commission received 11 comments following the workshop.\18\ After
reviewing the initial comments to the Proposed Rule, conducting the
workshop, and then reviewing the comments received following the
workshop, the Commission now issues final amendments to the Safeguards
Rule.
---------------------------------------------------------------------------
\15\ FTC Notice of Proposed Rulemaking, 84 FR 13158 (April 4,
2019).
\16\ The 49 relevant public comments received on or after March
15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on
Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part
314, Project No. P145407, https://www.regulations.gov/docket/FTC-2019-0019/document.
\17\ See FTC, Information Security and Financial Institutions:
An FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020),
https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf [hereinafter Safeguards
Workshop Tr.].
\18\ The 11 relevant public comments relating to the subject
matter of the July 13, 2020, workshop can be found at https://www.regulations.gov/document/FTC-2020-0038-0001. This document cites
comments using the last name of the individual submitter or the name
of the organization, followed by the number based on the last two
digits of the comment ID number.
---------------------------------------------------------------------------
III. Overview of Final Rule
As noted above, the Final Rule modifies the current Rule in five
primary ways. First, the Final Rule amends the current Rule to include
more detailed requirements for the development and establishment of the
information security program required under the Rule. For example,
while the current Rule requires financial institutions to undertake a
risk assessment and develop and implement safeguards to address the
identified risks, the Final Rule sets forth specific criteria for what
the risk assessment must include, and requires the risk assessment be
set forth in writing. As to particular safeguards, the Final Rule
requires that they address access controls, data inventory and
classification, encryption, secure development practices,
authentication, information disposal procedures, change management,
testing, and incident response. And while the Final Rule retains the
requirement from the current Rule that financial institutions provide
employee training and appropriate oversight of service providers, it
adds mechanisms designed to ensure such training and oversight are
effective. Although the Final Rule has more specific requirements than
the current Rule, it still provides financial institutions the
flexibility to design an information security program appropriate to
the size and complexity of the financial institution, the nature and
scope of its activities, and the sensitivity of any customer
information at issue.
Second, the Final Rule adds requirements designed to improve
accountability of financial institutions' information security
programs. For example, while the current Rule allows a financial
institution to designate one or more employees to be responsible for
the information security program, the Final Rule requires the
designation of a single Qualified Individual. The Final Rule also
requires periodic reports to boards of directors or governing bodies,
which will provide senior management with better awareness of their
financial institutions' information security programs, making it more
likely the programs will receive the required resources and be able to
protect consumer information.
Third, recognizing the impact of the additional requirements on
small businesses, the Final Rule exempts financial institutions that
collect information on fewer than 5,000 consumers from the requirements
of a written risk assessment, incident response plan, and annual
reporting to the Board of Directors.
Fourth, the Final Rule expands the definition of ``financial
institution'' to include entities engaged in activities the Federal
Reserve Board determines to be incidental to financial activities. This
change brings ``finders''--companies that bring together buyers and
sellers of a product or service--within the scope of the Rule. Finders
often collect and maintain very sensitive consumer financial
information, and this change will require them to comply with the
Safeguards Rule's requirements to protect that information. This change
will also bring the Rule into harmony with other Federal agencies'
Safeguards Rules, which include activities incidental to financial
activities in their definition of financial institution.
Finally, the Final Rule includes several definitions and related
examples, including of ``financial institution,'' in the Rule itself
rather than incorporating them from a related FTC rule, the Privacy of
Consumer Financial Information Rule, 16 CFR part 313. This will make
the rule more self-contained and will allow readers to understand its
requirements without referencing the Privacy Rule.
IV. Section-by-Section Analysis
General Comments
The Commission received 49 comments in response to the NPRM for the
Proposed Rule, from a diverse set of stakeholders, including industry
groups, individual businesses, consumer advocacy groups, academics,
information security experts, government agencies, and individual
consumers. It also hosted a workshop on the Proposed Rule, which
included approximately 20 security experts. Some of the comments simply
expressed general support \19\ or general disapproval \20\ of the
Proposed Rule. Many, however, offered detailed responses to specific
proposals in the NPRM. In general, industry groups were opposed to most
or all of the Proposed Rule, and consumer advocacy groups, academics,
and security experts were generally in favor of the amendments. The
comments and workshop record are discussed in the following Section-by-
Section analysis.
---------------------------------------------------------------------------
\19\ See Encore Capital Group (comment 25, NPRM); Justine
Bykowski (comment 12, NPRM); ``Peggy from Bloomington, MN'' (comment
13, NPRM); ``Anonymous'' (comment 20, NPRM).
\20\ ``Jane Q. Citizen'' (comment 14, NPRM).
---------------------------------------------------------------------------
Sec. 314.1: Purpose and Scope
The Purpose and Scope section of the current Rule generally states
the Rule implements the Gramm-Leach-Bliley Act and applies to the
handling of customer information by financial institutions over which
the FTC has jurisdiction. In its NPRM, the Commission proposed adding a
definition of ``financial institution'' modeled on the definition
included in the Commission's Privacy Rule (16 CFR part 313) and a
series of examples providing guidance on what constitutes a financial
institution under the Commission's jurisdiction. Other than expanding
the definition of ``financial institution'' as discussed below, the new
language was not meant to reflect a substantive change to the
Safeguards Rule; rather, it was meant to allow the Rule to be read on
its own, without reference to the Privacy Rule.\21\ The Commission
received no comments that addressed this section specifically, and
[[Page 70274]]
the Commission adopts the language of the Proposed Rule in the Final
Rule.\22\
---------------------------------------------------------------------------
\21\ In a separate final rule, published elsewhere in this issue
of the Federal Register, the Commission is amending the Privacy Rule
to reflect changes made by the Dodd-Frank Act, limiting that rule to
certain auto dealers. Through that proceeding, the Commission is
also removing examples of financial institutions from the Privacy
Rule that are no longer covered under the rule in the wake of these
changes.
\22\ Several commenters addressed the change to the definition
of ``financial institution.'' Those comments are addressed in the
discussion of the definition of ``financial institution'' below.
---------------------------------------------------------------------------
Sec. 314.2: Definitions
The Proposed Rule added a number of definitions to Sec. 314.2. The
Proposed Rule also retained paragraph (a), which states terms used in
the Safeguards Rule have the same meaning as set forth in the Privacy
Rule.
The American Council on Education (ACE) suggested all terms from
the Privacy Rule, such as ``consumer,'' ``customer,'' and ``customer
information,'' be included in the Final Rule in order to make the Final
Rule easier for regulated entities to understand.\23\ On the other
hand, HITRUST recommended no definitions from the Privacy Rule be
duplicated in the Safeguards Rule, reasoning that in the event of a
need to amend the terms, it would require the amendment of two rules
rather than one.\24\
---------------------------------------------------------------------------
\23\ American Council on Education (comment 24, NPRM), at 7.
\24\ HITRUST (comment 18, NPRM), at 2.
---------------------------------------------------------------------------
The Commission is persuaded that including all terms from the Privacy
Rule within the Safeguards Rule will improve clarity and ease of use.
Accordingly, the Commission has determined to delete paragraph (a),
since it is no longer necessary to state all terms in the Safeguards
Rule have the same meaning as in the Privacy Rule. It also adds the
Privacy Rule definitions of ``consumer,'' ``customer,'' ``customer
relationship,'' ``financial product or service,'' ``nonpublic personal
information,'' ``personally identifiable financial information,''
``publicly available information,'' and ``you'' to the definitions in
the Final Rule. No substantive change to these definitions is intended.
Authorized User
The Proposed Rule added a definition for the term ``authorized
user'' as paragraph (b). Proposed paragraph (b) defined an authorized
user of an information system as any employee, contractor, agent or
other person that participates in your business operations and is
authorized to access and use any of your information systems and data.
This term was used in Sec. 314.4(c)(10) of the Proposed Rule, which
required financial institutions to implement policies to monitor the
activity of ``authorized users'' and detect unauthorized access to
customer information.
The Commission received one comment on this proposed definition
from the National Automobile Dealers Association (NADA), which
suggested the term ``authorized user'' was used inconsistently and was
too vague.\25\ NADA pointed out that while ``authorized user'' is a defined
term, the term ``authorized individual'' was used in proposed Sec.
313.4(c)(1) (addressing access controls for information systems) and
(c)(3) (addressing access controls for physical data). NADA also argued
the inclusion of ``other person that participates in the business
operations of an entity'' within the definition of ``authorized user''
was unclear and created ambiguity in its application.\26\
---------------------------------------------------------------------------
\25\ National Automobile Dealers Association (comment 46, NPRM),
at 11-12.
\26\ National Automobile Dealers Association (comment 46, NPRM),
at 11-12.
---------------------------------------------------------------------------
The Commission agrees with NADA's points, and, in response,
modifies the Final Rule in two ways. First, the Final Rule replaces the
term ``authorized individual'' with ``authorized user'' in Sec.
313.4(c)(1). As described further below, because the Final Rule
combines Sec. 313.4(c)(3) with Sec. 313.4(c)(1), there is no need to
make a corresponding change to that section.
Second, because the Commission agrees the ambiguities in the
definition of ``authorized user'' from the Proposed Rule could create
confusion, it makes several changes to the definition. It deletes the
phrase ``other person that participates in the business operations of
an entity.'' The Commission agrees this phrase was vague. The
Commission had intended it to cover any person the financial
institution allows to access information systems or data, including,
for example, ``customers'' of the financial institutions. For the
purpose of controlling authorized access and detecting unauthorized
access (which is where the definition of ``authorized user'' appears),
financial institutions should monitor anomalous patterns of usage of
their systems, not only by employees and agents, but also by customers
and other persons authorized to access systems or data. To clarify this
point, the Commission adds ``customer or other person'' to the
definition of ``authorized users.''
The Commission intends that the definition of ``authorized users''
should include anyone who the financial institution authorizes to
access an information system or data, regardless of whether that user
actually uses the data. Thus, for clarity, the Commission has deleted
the requirement that the authorized user be authorized to use the
information system or data. Finally, the definition of authorized user
should include users who can access both ``information systems and
data'' and users authorized to access either information systems or
data. Accordingly, for clarification purposes, the Commission modifies
the definition of authorized user in the Final Rule as any employee,
contractor, agent, customer or other person that is authorized to
access any of your information systems or data.
Security Event
In proposed paragraph (c), the Commission defined security event as
an event resulting in unauthorized access to, or disruption or misuse
of, an information system or information stored on such information
system. This term was used in provisions requiring financial
institutions to establish a written incident response plan designed to
respond to security events. It also appeared in the provision requiring
the coordinator of a financial institution's information security
program to provide an annual report to the financial institution's
governing body; the required report must identify all security events
that took place that year.
Commenters expressed three main concerns with this definition. The
first relates to whether the term ``security event'' should be expanded
to instances in which there is unauthorized access to, or disruption or
misuse of, information in physical form, as opposed to electronic form.
The Proposed Rule used the term ``security event'' instead of
``cybersecurity event'' to clarify that an information security program
encompasses information in both digital and physical forms and that
unauthorized access to paper files, for example, would also be a
security event under the Rule. The Money Services Round Table (MSRT),
however, noted that despite the use of the more general ``security'' in the
defined term, the definition itself is limited to events involving
information systems.\27\ The Commission agrees this creates a
contradiction. Accordingly, the Final Rule includes the compromise of
customer information in physical form in the definition of ``security
event.''
---------------------------------------------------------------------------
\27\ Money Services Round Table (comment 53, NPRM), at 5 n.14.
---------------------------------------------------------------------------
Second, some industry groups argued a ``security event'' should
occur only when there is ``unauthorized access'' to an information
system, not in cases in which there has been a ``disruption or misuse''
of such systems (e.g., a ransomware attack).\28\ These
[[Page 70275]]
commenters argued the disruption or misuse of information systems is
not directly related to the protection of customer information and is,
therefore, outside the Commission's statutory authority.\29\ The
Commission disagrees. Requiring a financial institution to protect
against disruption and misuse of its information system is within the
Commission's authority under the GLBA, which directed the Commission to
promulgate a rule that required financial institutions ``to protect
against any anticipated threats or hazards to the security or
integrity'' of customer information. A disruption or misuse of an
information system will be, in many cases, a threat to the
``integrity'' of customer information. In addition, disruption or
misuse may also indicate the existence of a security weakness that
could be exploited to gain unauthorized access to customer information.
For example, an event in which ransomware placed on a system is used to
encrypt customer information, rendering it useless, raises the
possibility similar software could have been used to exfiltrate
customer information. Accordingly, the Final Rule retains the inclusion
of ``misuse or disruption'' within the definition of ``security
event.''
---------------------------------------------------------------------------
\28\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 4; National Automobile Dealers Association
(comment 46, NPRM), at 12-13; Consumer Data Industry Association
(comment 36, NPRM), at 3-4.
\29\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 4; National Automobile Dealers Association
(comment 46, NPRM), at 12-13.
---------------------------------------------------------------------------
Third, several commenters suggested the definition of ``security
event'' be limited to events in which there is a risk of consumer harm
or some other negative effect.\30\ Similarly, some commenters argued
the definition should exclude events that involve encrypted information
in which the encryption key was not compromised or when there is
evidence the information accessed has not been misused.\31\ The
Commission declines to narrow the provision in this manner. A financial
institution should still engage its incident response procedures to
determine whether the event indicates a weakness that could endanger
customer information, and then take the appropriate steps in response.
Further, Sec. 314.4(h) of the Final Rule, which sets forth the
requirement for an incident response plan, requires the incident
response plan be designed to respond only to security events
``materially affecting the confidentiality, integrity, or availability
of customer information,'' limiting the impact of the definition of
``security event.''
---------------------------------------------------------------------------
\30\ HITRUST (comment 18, NPRM), at 3; American Council on
Education (comment 24, NPRM), at 7; Mortgage Bankers Association
(comment 26, NPRM), at 4-5; Consumer Data Industry Association
(comment 36, NPRM), at 3-4; National Automobile Dealers Association
(comment 46, NPRM), at 12-13; National Independent Automobile
Dealers Association (comment 48, NPRM), at 4.
\31\ Mortgage Bankers Association (comment 26, NPRM), at 4-5;
National Automobile Dealers Association (comment 46, NPRM), at 12-
13; National Independent Automobile Dealers Association (comment 48,
NPRM) at 4; American Council on Education (comment 24, NPRM), at 7.
---------------------------------------------------------------------------
Accordingly, the Final Rule defines security event as an event
resulting in unauthorized access to, or disruption or misuse of, an
information system, information stored on such information system, or
customer information held in physical form. The Proposed Rule placed
this definition as paragraph (c), out of alphabetical order. The Final
Rule adopts it as paragraph (p), placing it in alphabetical order with
the other definitions in Sec. 314.2.
Encryption
Proposed paragraph (e) defined encryption as the transformation of
data into a form that results in a low probability of assigning meaning
without the use of a protective process or key. This term was used in
proposed Sec. 314.4(c)(4), which generally required financial
institutions to encrypt customer information. This definition was
intended to define the process of encryption while not requiring any
particular technology or technique for achieving the protection
provided by encryption.
NADA argued this definition should be made more flexible by adding
an alternative so it would read ``the transformation of data into a
form that results in a low probability of assigning meaning without the
use of a protective process or key or securing information by another
method that renders the data elements unreadable or unusable''
(emphasis added).\32\ On the other hand, others argued the Proposed
Rule's definition did not sufficiently protect customer
information.\33\ For example, the Princeton University Center for
Information Technology Policy (``Princeton Center'') suggested the Rule
should be changed ``to clarify that encryption must be consistent with
current cryptographic standards and accompanied by appropriate
safeguards for cryptographic key material.'' \34\ Similarly, ACE argued
the definition should include ``the transformation of data in
accordance with industry standards.'' \35\
---------------------------------------------------------------------------
\32\ National Automobile Dealers Association (comment 46, NPRM),
at 13.
\33\ American Council on Education (comment 24, NPRM), at 7;
Princeton University Center for Information Technology Policy
(comment 54, NPRM), at 4.
\34\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 4.
\35\ American Council on Education (comment 24, NPRM), at 7.
---------------------------------------------------------------------------
The Commission agrees the proposed definition should be tethered to
some technical standard, without being too prescriptive about what that
standard is. Under the proposed definition, as well as NADA's proposed
definition, financial institutions could have claimed they were
``encrypting'' data if they were aggregating it, scrambling it, or
redacting it in a way that made it possible to re-identify the data
through, for example, the application of common algorithms or programs.
The Commission does not believe this would have provided consumers with
sufficient protection. The Commission also agrees with the commenters
who stated the definition should signal that encryption should be
cryptographically based.
Accordingly, the Final Rule defines encryption as the
transformation of data into a form that results in a low probability of
assigning meaning without the use of a protective process or key,
consistent with current cryptographic standards and accompanied by
appropriate safeguards for cryptographic key material. This definition
does not require any specific process or technology to perform the
encryption but does require that whatever process is used be
sufficiently robust to prevent the deciphering of the information in
most circumstances.
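The distinction the Commission draws above, between a transformation that merely scrambles data and one that is cryptographically based with protected key material, is easy to see in code. The following Go program is an added illustration and is not part of the Final Rule or any FTC guidance; the ``scramble'' routine is a constructed stand-in for the kind of fixed-mask obfuscation the Commission says would not qualify, the sample record and the four-byte mask are invented for the example, and the assumption that an attacker can guess a short plaintext prefix (a field label) is stated in the code. The second half uses AES-256-GCM from the Go standard library as one encryption method consistent with current cryptographic standards; the key is the only secret, every record gets a fresh random nonce, and tampering is detected on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// --- A "protective process" that does NOT meet the definition ----------
//
// scramble XORs data with a fixed, repeating mask. There is no key material
// to safeguard because the mask is a constant in the program, and the
// transformation is reversible by anyone who can guess a few plaintext
// bytes. This is an illustrative stand-in for "scrambling", not a product.
var scrambleMask = []byte("mask") // constructed example mask

func scramble(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ scrambleMask[i%len(scrambleMask)]
	}
	return out
}

// recoverMask is the "common algorithm" attack: XOR a known or guessable
// plaintext prefix (here a field label) against the scrambled bytes and the
// mask falls out. maskLen is assumed known; a real attacker tries small
// values until the output looks like text.
func recoverMask(scrambled, knownPrefix []byte, maskLen int) []byte {
	mask := make([]byte, maskLen)
	for i := 0; i < maskLen; i++ {
		mask[i] = scrambled[i] ^ knownPrefix[i]
	}
	return mask
}

// unscrambleWith reverses scramble using a recovered mask.
func unscrambleWith(scrambled, mask []byte) []byte {
	out := make([]byte, len(scrambled))
	for i, b := range scrambled {
		out[i] = b ^ mask[i%len(mask)]
	}
	return out
}

// --- Encryption that does meet the definition --------------------------
//
// AES-256-GCM with a random 96-bit nonce per message. The key comes from
// the OS CSPRNG and is the only thing that must be kept secret; ciphertext
// reveals neither content nor equality between records, and any
// modification is rejected on decryption (authenticated encryption).

func newKey() ([]byte, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	// Open returns an error if the authentication tag does not verify.
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

func main() {
	record := []byte("SSN: 123-45-6789") // constructed sample customer record

	sc := scramble(record)
	mask := recoverMask(sc, []byte("SSN:"), len(scrambleMask))
	fmt.Printf("scrambled record recovered without any key: %q\n", unscrambleWith(sc, mask))

	key, _ := newKey()
	ct1, _ := encrypt(key, record)
	ct2, _ := encrypt(key, record)
	fmt.Println("same record encrypts to identical bytes:", bytes.Equal(ct1, ct2))
	pt, err := decrypt(key, ct1)
	fmt.Printf("decrypt with the key: %q (err=%v)\n", pt, err)
	ct1[len(ct1)-1] ^= 0x01 // flip one bit of the tag
	_, err = decrypt(key, ct1)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Note that the program says nothing about where the key lives; the Final Rule's ``appropriate safeguards for cryptographic key material'' is the part that a key generated in memory and discarded does not address, and in a deployed system the key would be held in a key-management service or hardware module separate from the data it protects.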
Financial Institution
Incidental Activity
The Proposed Rule made one substantive change to the definition of
``financial institution'' it incorporated from the Privacy Rule. The
change was designed to include entities ``significantly engaged in
activities that are incidental to [] financial activity'' as defined by
the Bank Holding Company Act. This proposed change brought only one
activity into the definition that was not covered before: the act of
``finding'' as defined in 12 CFR 225.86(d)(1). The proposed revision to
paragraph (f) added an example of a financial institution acting as a
finder by ``bringing together one or more buyers and sellers of any
product or service for transactions that the parties themselves
negotiate and consummate.'' This example used the language set forth in
12 CFR 225.86(d)(1), which defines ``finding'' as an activity
incidental to a financial activity under the Bank Holding Company Act.
The Commission
[[Page 70276]]
adopts this proposal without modification.
The change to the definition of ``financial institution'' brings it
into harmony with other agencies' GLB rules.\36\ The change is
supported by the language of the Gramm-Leach-Bliley Act.\37\ The Act
defines a ``financial institution'' as any institution ``the business
of which is engaging in financial activities as described in section
1843(k) of title 12.'' \38\ That section, in turn, describes activities
that are financial in nature as those the Board has determined ``to be
financial in nature or incidental to such financial activity.'' \39\
The Final Rule's definition mirrors this language. The change will not
lead to a significant expansion of the Rule coverage as it expands the
definition only to include entities engaged in activity incidental to
financial activity, as determined by the Federal Reserve Board. The
Board has determined only one activity to be incidental to financial
activity--``acting as a finder.'' \40\
---------------------------------------------------------------------------
\36\ See 12 CFR 1016.3(l) (defining ``financial institution''
for entities regulated by agencies other than the FTC). See also 17
CFR 248.3(n) (defining ``financial institution'' to include ``any
institution the business of which is . . . incidental to . . .
financial activities'' for the Securities and Exchange Commission's rule
implementing GLBA's safeguard provisions).
\37\ 15 U.S.C. 6801 et seq.
\38\ 15 U.S.C. 6809(3).
\39\ 12 U.S.C. 1843(k).
\40\ 12 CFR 225.86.
---------------------------------------------------------------------------
Several commenters who addressed this issue supported the inclusion
of activities incidental to financial activities.\41\ Other commenters
expressed concern the proposed change in the definition would expand
the Rule's coverage to businesses that should not be considered
financial institutions.\42\ They argued the definition of the term
``finder'' is too broad and companies that connect buyers and sellers
in non-financial contexts would be swept inappropriately into the
definition of ``financial institution.'' The Association of National
Advertisers argued advertising agencies could be considered ``finders''
because they play a role in connecting buyers and sellers.\43\
---------------------------------------------------------------------------
\41\ Electronic Privacy Information Center (comment 55, NPRM),
at 9; Independent Community Bankers of America (comment 35, NPRM),
at 3; National Automobile Dealers Association (comment 46, NPRM), at
13-16.
\42\ Association of National Advertisers (comment, Workshop), at
4-5; Internet Association (comment, Workshop), at 4-5; see also
Anonymous (comment 15, NPRM) (questioning whether any governing body
would oversee any future determinations by the Federal Reserve Board
that activities are incidental to financial activity).
\43\ Association of National Advertisers (comment 5, Workshop),
at 5.
---------------------------------------------------------------------------
In response, the Commission notes the Federal Reserve Board
describes acting as a finder as ``bringing together one or more buyers
and sellers of any product or service for transactions that the parties
themselves negotiate and consummate.'' \44\ The Board sets forth
several activities within the scope of acting as a finder, such as
``[i]dentifying potential parties, making inquiries as to interest,
introducing and referring potential parties to each other, [] arranging
contacts between and meetings of interested parties'' and ``[c]onveying
between interested parties expressions of interest, bids, offers,
orders and confirmations relating to a transaction.'' \45\
---------------------------------------------------------------------------
\44\ 12 CFR 225.86(d).
\45\ 12 CFR 225.86(d)(1)(i).
---------------------------------------------------------------------------
Although this language is somewhat broad, its scope is
significantly limited in the context of the Safeguards Rule. First, the
Safeguards Rule applies only to transactions ``for personal, family, or
household purposes.'' \46\ Therefore, only finding services involving
consumer transactions will be covered. Second, the Safeguards Rule
applies only to the information of customers, who are consumers with
whom a financial institution has a continuing relationship.\47\
Therefore, it will not apply to finders that have only isolated
interactions with consumers and do not receive information from other
financial institutions about those institutions' customers. This
significantly narrows the types of finders that will have obligations
under the Rule, excluding, the Commission believes, most advertising
agencies and similar businesses that generally do not have continuing
relationships with consumers who are using their services for personal
or household purposes.
---------------------------------------------------------------------------
\46\ See Final Rule 16 CFR 314.2(b)(1).
\47\ 16 CFR 314.1; Final Rule 16 CFR 314.2(c).
---------------------------------------------------------------------------
The Commission believes entities that perform finding services for
consumers with whom they have an ongoing relationship are properly
considered ``financial institutions'' for purposes of the Rule.
Accordingly, the Commission adopts the changes to the definition of
``financial institution'' as proposed.
Other Changes to Definition of ``Financial Institutions''
Other commenters suggested modifying the definition of ``financial
institution'' \48\ in different ways. The Electronic Privacy
Information Center (EPIC) argued the definition should be expanded by
treating more activities as financial activities.\49\ EPIC pointed out
information shared with social media companies, retailers, apps, and
devices generally is not covered under the Safeguards Rule. The
Commission understands the concern that many businesses fall outside
the coverage of the Safeguards Rule, despite handling sensitive
consumer information, but the Commission's authority to regulate
activity under the Safeguards and Privacy Rules is established by the
GLBA. The Rule's application is limited to financial institutions as
defined by that statute and cannot be extended beyond that
definition.\50\ The institutions discussed by EPIC, however, are still
covered by the FTC Act's prohibition against deceptive or unfair
conduct, including with respect to their use and protection of consumer
information.\51\
---------------------------------------------------------------------------
\48\ National Pawnbrokers Association (comment 32, NPRM), at 5-6
(arguing that transaction-reporting vendors be included in
definition); National Consumer Law Center and others (comment 58,
NPRM), at 5 (arguing that consumer reporting agencies be included
explicitly in the definition); see also American Escrow Association
(comment, Workshop), at 2-3 (requesting that the Rule specifically
set out the duties of real estate settlement operations and other
businesses that handle but do not maintain sensitive information);
Beverly Enterprises, LLC (comment 3, NPRM), at 3-4 (requesting that
the Rule specifically set out duties related to online
notarizations); Yangxue Li (comment 5, NPRM) (asking whether Rule
would set forth specific guidelines for different industries);
Slobadon Raybolka (comment 17, NPRM) (suggesting that companies that
perform online background checks be covered by the rule); The
Clearing House (comment 49, NPRM) (suggesting a separate set of more
stringent rules for fintech companies).
\49\ Electronic Privacy Information Center (comment 55, NPRM),
at 9.
\50\ See 15 U.S.C. 6801 (requiring agencies to promulgate Rule
establishing standards for financial institutions); 15 U.S.C.
6809(3) (defining ``financial institutions'' as an ``institution the
business of which is engaging in financial activities as described''
in the Bank Holding Company Act).
\51\ In the Matter of Facebook, Inc., Docket No. C-4365 (Apr.
28, 2020); FTC v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d
Cir. 2015); FTC v. D-Link Systems, Inc., Case No. 3:17-cv-00039-JD
(N.D. Cal. July 2, 2019); In the Matter of Twitter, Inc., Docket No.
C-4316 (Mar. 11, 2011).
---------------------------------------------------------------------------
The National Federation of Independent Business (NFIB) argued
individuals and sole proprietors should be excluded from the definition
of ``financial institution'' because an individual cannot be an
``institution.'' \52\ When the Privacy Rule was promulgated in 2000,
commenters also suggested the definition should exclude sole
proprietors.\53\ The Commission noted there was no basis to exclude
sole proprietors and ``[w]hether or not a
[[Page 70277]]
commercial enterprise is operated by a single individual is not
determinative'' of whether the enterprise is a financial institution.
The Commission has not changed its position on this matter and declines
to make this change to the definition of ``financial institution.''
---------------------------------------------------------------------------
\52\ National Federation of Independent Business (comment 16,
NPRM), at 2-3.
\53\ Privacy Rule, Final Rule, 65 FR 33645 (May 24, 2000) at
33656.
---------------------------------------------------------------------------
The Final Rule adopts this definition as proposed without change.
Information Security Program
Paragraph (i) of the Final Rule adopts the existing Rule's
paragraph (c) and does not alter the definition of ``information
security program.'' The Commission received no comments on this
definition, and accordingly, adopts the current definition in the Final
Rule.
Information System
Proposed paragraph (h) defined information system as a discrete set
of electronic information resources organized for the collection,
processing, maintenance, use, sharing, dissemination or disposition of
electronic information, as well as any specialized system such as
industrial/process controls systems, telephone switching and private
branch exchange systems, and environmental control systems. The term
``information system'' was used throughout the proposed amendments to
designate the systems that must be covered by the information security
program.
The MSRT suggested this definition was too narrow in some respects
and too broad in others.\54\ It argued the definition of ``information
system'' was too narrow because it did not include physical systems or
employees and would exclude them from some of the provisions of the
Rule. Specifically, the MSRT argued that based on this definition, the
penetration tests required by Sec. 314.4(d)(2) would not be required
to test ``potential human vulnerabilities'' such as social engineering
or phishing.\55\ The Commission does not agree. Penetration testing, as
defined by the Final Rule, is a process through which testers ``attempt
to circumvent or defeat the security features of an information
system.'' \56\ One way such security features are tested is through
social engineering and phishing.\57\ The fact that the testing involves
employees with access to the information system, rather than just the
system itself, does not exclude such tests from the definition of
``penetration testing.'' Attempted social engineering and phishing are
important parts of testing the security of information systems and
would not be excluded by this definition.
---------------------------------------------------------------------------
\54\ Money Services Round Table (comment 53, NPRM), at 5-6.
\55\ Id. at 5.
\56\ Final Rule Sec. 314.2(j).
\57\ Indeed, Workshop participant Scott Wallace noted, in
conducting penetration testing, ``the first thing [he does]'' is
generally to ``prepare for the phishing campaign.'' Remarks of Scott
Wallace, Safeguards Workshop Tr., supra note 17, at 131-32.
---------------------------------------------------------------------------
The MSRT also argued the definition was too broad, and was joined
by other commenters in this concern.\58\ These commenters shared a
concern the proposed definition would include systems that are in no
way connected to customer information and would require financial
institutions to include all systems in their possession, regardless of
their involvement with customer information. The Commission agrees the
definition should be limited to those systems that either contain
customer information or are connected to systems that contain customer
information, and adds that limitation to the Final Rule. The Rule does
not limit the definition to only those systems that contain customer
information, because a common source of data breaches is a
vulnerability in a connected system that an attacker exploits to gain
access to the company's network and move within the network to obtain
access to the system containing sensitive information.\59\ Accordingly,
the definition of information system in the Final Rule is modified to a
discrete set of electronic information resources organized for the
collection, processing, maintenance, use, sharing, dissemination or
disposition of electronic information containing customer information
or any such system connected to a system containing customer
information, as well as any specialized system such as industrial/
process controls systems, telephone switching and private branch
exchange systems, and environmental controls systems, that contains
customer information or that is connected to a system that contains
customer information.
---------------------------------------------------------------------------
\58\ Money Services Round Table (comment 53, NPRM), at 5;
Consumer Data Industry Association (comment 36, NPRM), at 4;
American Council on Education (comment 24, NPRM), at 7-8.
\59\ See Remarks of Serge Jorgensen, Safeguards Workshop Tr.,
supra note 17, at 58-59 (noting cybersecurity attacks can take
advantage of systems that are connected to the systems in which
sensitive information is stored); Remarks of Tom Dugas, Safeguards
Workshop Tr., supra note 17, at 138 (noting a vulnerability in one
system can result in the exposure of information maintained in
another system); see also Remarks of Rocio Baeza, Safeguards
Workshop Tr., supra note 17, at 106-07 (noting the heightened
importance of encryption in a context where numerous systems are
connected); Remarks of James Crifasi, Safeguards Workshop Tr., supra
note 17, at 107-08 (same).
---------------------------------------------------------------------------
Multi-Factor Authentication
Proposed paragraph (i) defined multi-factor authentication as
authentication through verification of at least two of the following
types of authentication factors: Knowledge factors, such as a password;
possession factors, such as a token; or inherence factors, such as
biometric characteristics. This term was used in proposed Sec.
314.4(c)(6),\60\ which required financial institutions to implement
multi-factor authentication for individuals accessing networks that
contain customer information.
---------------------------------------------------------------------------
\60\ Section 314.4(c)(5) in the Final Rule.
---------------------------------------------------------------------------
Several commenters argued the definition should explicitly include
SMS text messages as an acceptable example of a possession factor or
otherwise to be explicitly allowed.\61\ The Proposed Rule did not
include SMS text messages as an example of a possession factor.\62\
Most commenters who addressed this issue interpreted this exclusion
from the examples as forbidding financial institutions from using SMS
text messages as a possession factor for multi-factor authentication.
That is not the effect of this exclusion, however. The language of the
definition neither prohibits nor recommends use of SMS text messages.
Indeed, SMS text messages are not addressed at all. In some cases, use
of SMS text messages as a factor may be the best solution because of
its low cost and ease of use, if its risks do not outweigh those
benefits under the circumstances.\63\ In other instances, however, the use of
SMS text messages may not be a reasonable solution, such as when
extremely sensitive information can be obtained through the access
method being controlled, or when a more secure method can be used for a
comparable price. A financial institution will need to evaluate the
balance of risks for its situation. If, however, the Commission were to
explicitly allow use of SMS text messages, this could be considered a
safe harbor that would not require the company to consider risks
associated with use of SMS text as a factor in a particular use case.
Accordingly, the Final Rule does not include SMS text
[[Page 70278]]
messages in the examples of possession factors.
---------------------------------------------------------------------------
\61\ Electronic Transactions Association (comment 27, NPRM), at
4; U.S. Chamber of Commerce (comment 33, NPRM), at 9; CTIA (comment
34, NPRM), at 7-9; Global Privacy Alliance (comment 38, NPRM), at 9;
National Automobile Dealers Association (comment 46, NPRM), at 29;
National Independent Automobile Dealers Association (comment 48,
NPRM), at 6.
\62\ See, e.g., NIST Special Publication 800-63B, Digital
Identity Guidelines, 5.1.3.3 (restricting use of verification using
the Public Switched Telephone Network (SMS or voice) as an ``out-of-
band'' factor for multi-factor authentication).
\63\ See, e.g., Remarks of Wendy Nather, Safeguards Workshop
Tr., supra note 17, at 231-32.
---------------------------------------------------------------------------
The Final Rule adopts the proposed definition of ``multi-factor
authentication'' without change as paragraph (k) of this section.
Penetration Testing
Proposed paragraph (j) defined penetration testing as a test
methodology in which assessors attempt to circumvent or defeat the
security features of an information system by attempting penetration of
databases or controls from outside or inside your information systems.
This term was used in proposed Sec. 314.4(d)(2), which required
financial institutions to continually monitor the effectiveness of
their safeguards or to engage in annual penetration testing. The
Commission received no comments concerning this definition. The Final
Rule adopts the definition from the Proposed Rule as paragraph (m) of
this section.
Personally Identifiable Financial Information
To minimize cross-referencing to the Privacy Rule, as noted above,
the Commission is adding several definitions to the Final Rule. One of
these definitions is ``personally identifiable financial information,''
which is identical to the definition currently contained in the Privacy
Rule. This term is included within the ambit of ``customer
information,'' in both the existing Rule and the Final Rule.
The Princeton Center suggested expanding the definition of
``personally identifiable financial information'' from the Privacy Rule
to include ``aggregate information or blind data that does not contain
personal identifiers such as account numbers, names, or addresses.''
\64\ The Princeton Center further suggested clarifying that, for
information to not be considered ``personally identifiable financial
information,'' the financial institution must be required to
demonstrate the information is not ``reasonably linkable'' to
individuals.
---------------------------------------------------------------------------
\64\ Princeton University Center for Information Technology
Policy (comment 54, NPRM) at 9-10.
---------------------------------------------------------------------------
The Commission does not believe this amendment is necessary. The
definition of ``personally identifiable financial information'' is
already a broad one.\65\ It includes not just information associated
with types of personal information such as a name or address or account
number, but also information linked to a persistent identifier (``any
information you collect through an Internet `cookie' (an information
collecting device from a web server)'').\66\ While there may be some
merit to limiting the exception for aggregate information or blind data
to data that is not reasonably linkable to an individual, for
purposes of a rule that can be periodically updated to keep up with
changing technology, the current approach is more concrete and
enforceable, and less subject to differences in interpretation.
---------------------------------------------------------------------------
\65\ See 16 CFR 313.3(o)(1).
\66\ 16 CFR 313.3(o)(2)(i)(F).
---------------------------------------------------------------------------
Service Provider
Proposed paragraph (k) adopted the existing Rule's definition and
does not alter the definition of ``service provider.'' The Commission
received no comments on this definition and adopts it as paragraph (q)
of the Final Rule.
Sec. 314.3: Standards for Safeguarding Customer Information
Proposed Sec. 314.3, which required financial institutions to
develop an information security program (paragraph (a)) and set forth
the objectives of the Rule (paragraph (b)), was largely identical to
the existing Rule. It changed only the requirement that ``safeguards''
be based on the elements set forth in Sec. 314.4, by replacing
``safeguards'' with ``information security program.'' The Commission
received no comments on this proposal and adopts it without change in
the Final Rule.
Sec. 314.4: Elements
Proposed Sec. 314.4 altered the current Rule's required elements
of an information security program and added several new elements.
General Comments
The Commission received many comments addressing the new elements,
both in favor of the changes and opposed to them. The comments in favor
of the changes generally argued these changes would protect consumers
by improving the data security of institutions that hold their
information.\67\ Most of the comments opposed to the proposed elements
fell into several categories, objecting: (1) The proposed changes were
too prescriptive and did not allow financial institutions sufficient
flexibility in managing their information security; (2) the proposed
amendments would be too expensive for financial institutions,
particularly smaller institutions, to adopt; and (3) some of the
requirements should not apply to all customer information but should be
limited to some subset of especially ``sensitive'' customer
information. The Commission does not agree with these comments for the
reasons discussed below, and accordingly, retains the general approach
of the Proposed Rule in the Final Rule.
---------------------------------------------------------------------------
\67\ See, e.g., New York Department of Financial Services
(comment 40, NPRM), at 1 (arguing the Proposed Rule would ``further
advance efforts to protect financial institutions and consumers from
cybercriminals.''); Princeton University Center for Information
Technology Policy (comment 54, NPRM), at 1 (stating the Proposed
Rule ``would significantly reduce data security risks for the
customers of financial institutions.''); National Consumer Law
Center and others (comment 58, NPRM), at 2 (stating requirements of
Proposed Rule are ``reasonable and common-sense measures that any
company dealing with large amounts of consumer personal information
should take.'').
---------------------------------------------------------------------------
Flexibility
Many industry groups argued the new proposed elements were too
prescriptive, lacked flexibility, would quickly become outdated, and
would force financial institutions to engage in activities that would
not enhance security.\68\ For example, the Electronic Transactions
Association argued the Proposed Rule would ``limit the ability of
industry to develop new and innovative approaches to information
security.'' \69\ Similarly, CTIA commented the Proposed Rule would
create a ``prescriptive core of requirements that covered businesses
must follow, irrespective of whether risk assessments show they are
necessary.'' \70\
---------------------------------------------------------------------------
\68\ See, e.g., HITRUST (comment 18, NPRM), at 1-2; American
Council on Education (comment 24, NPRM), at 2-4; Cristian Munarriz
(comment 21, NPRM); Electronic Transactions Association (comment 27,
NPRM), at 1-2; National Pawnbrokers Association (comment 32, NPRM),
at 3; CTIA (comment 34, NPRM), at 5; Consumer Data Industry
Association (comment 36, NPRM), at 2; Wisconsin Bankers Association
(comment 37, NPRM), at 1-2; Global Privacy Alliance (comment 38,
NPRM), at 5-6; Bank Policy Institute (comment 39, NPRM), at 2;
American Financial Services Association (comment 41, NPRM), at 4;
National Association of Dealer Counsel (comment 44, NPRM), at 1; ACA
International (comment 45, NPRM), at 4; National Automobile Dealers
Association (comment 46, NPRM), at 11; National Independent
Automobile Dealers Association (comment 48, NPRM), at 2-3; Money
Services Round Table (comment 53, NPRM), at 1-4; Software &
Information Industry Association (comment 56, NPRM), at 1-3; Gusto
and others (comment 11, Workshop), at 2; Association of National
Advertisers (comment 5, Workshop), at 1-3; Internet Association
(comment 9, Workshop), at 2-3.
\69\ Electronic Transactions Association (comment 27, NPRM), at
1-2.
\70\ CTIA (comment 34, NPRM), at 5.
---------------------------------------------------------------------------
The Commission, however, believes the elements provide sufficient
flexibility for financial institutions to adopt information security
programs suited to the size, nature, and complexity of their
organization and information systems. The elements for the information
security programs set forth in this section are high-level principles
that set forth basic issues the
[[Page 70279]]
programs must address, and do not prescribe how they will be addressed.
For example, the requirement that the information security program be
based on a risk assessment sets forth only three general items the
assessment must address: (1) Criteria for evaluating risks faced by the
financial institution; (2) criteria for assessing the security of its
information systems; and (3) how the identified risks will be
addressed. Other than meeting these basic requirements, financial
institutions are free to perform their risk assessments in whatever way
they choose, using whatever method or approach works best for them, as
long as the method identifies reasonably foreseeable risks. The other
elements are similarly flexible. The two elements that are more
prescriptive, encryption and multi-factor authentication, allow
financial institutions to adopt alternative solutions when necessary.
Comments concerning individual elements are addressed separately in the
more detailed analysis below.
Cost
Another common theme among the comments from industry groups was
the proposed information security program elements would be
prohibitively expensive, especially for smaller businesses.\71\
Commenters argued the Proposed Rule would have required financial
institutions to implement expensive changes to their systems and hire
highly-compensated professionals to do so.\72\ Industry groups were
particularly concerned about the requirement that financial
institutions designate a single qualified individual to coordinate
their information security programs, arguing this would require hiring
professionals that were both expensive, with salaries of more than
$100,000 suggested by some, and in limited supply.\73\ Overall, several
commenters argued some financial institutions would be unable to afford
to bring themselves into compliance with the Proposed Rule.\74\
---------------------------------------------------------------------------
\71\ American Council on Education (comment 24, NPRM), at 13-14;
Wisconsin Bankers Association (comment 37, NPRM), at 1-2; American
Financial Services Association (comment 41, NPRM), at 4; National
Association of Dealer Counsel (comment 44, NPRM), at 1; National
Automobile Dealers Association (comment 46, NPRM), at 11; National
Independent Automobile Dealers Association (comment 48, NPRM), at
3; Gusto and others (comment 11, Workshop), at 2-4; National
Pawnbrokers Association (comment 3, NPRM), at 2; see also Remarks of
James Crifasi, Safeguards Workshop Tr., supra note 17, at 72-74
(describing study that found compliance would be expensive for
automobile dealers).
\72\ See, e.g., Slides Accompanying Remarks of James Crifasi,
FTC, ``NADA Cost Study: Average Cost Per U.S. Franchised
Dealership,'' Event Materials, Information Security and Financial
Institutions: An FTC Workshop to Examine Safeguards Rule (July 13,
2020) https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (hereinafter Safeguards Workshop
Slides), at 25 (estimating an upfront cost of $293,975 per
dealership, and a recurring annual cost of $276,925); see also
Remarks of James Crifasi, Safeguards Workshop Tr., supra note 17, at
72-75; Remarks of Brian McManamon, Safeguards Workshop Tr., supra
note 17, at 78 (estimating the average annual salary of a CISO can
range from $180,000 to upwards of $400,000); Slides Accompanying
Remarks of Lee Waters, ``Estimated Costs of Proposed Changes,''
Safeguards Workshop Slides, at 26 (estimating the annual costs of a
security program to include: Multi-factor authentication, $50 for
smart card readers, and $10 each for smart cards; a CISO, either an
in-house CISO, $180,000, an in-house cybersecurity analyst, $76,000,
or an outsourced cybersecurity contractor, between $120,000 and
$240,000; penetration testing, average cost $4,800; and physical
security, $215,000 for construction, and $10,000 to $20,000 for new
or upgraded locks); see also Remarks of Lee Waters, Safeguards
Workshop Tr., supra note 17, at 75-76.
\73\ See, e.g., Slides Accompanying Remarks of Lee Waters,
``Estimated Costs of Proposed Changes,'' Safeguards Workshop Slides,
supra note 72, at 26 (estimating costs of an in-house CISO to be
$180,000 annually, and an in-house cybersecurity analyst to be
$76,000 annually; and estimating an outsourced cybersecurity
contractor would cost between $120,000 and $240,000 annually); see
also Remarks of Lee Waters, Safeguards Workshop Tr., supra note 17,
at 75-76; Remarks of Brian McManamon, Safeguards Workshop Tr., supra
note 17, at 78 (estimating that the average annual salary of a CISO
can range from $180,000 to upwards of $400,000).
\74\ See Remarks of Lee Waters, Safeguards Workshop Tr., supra
note 17, at 119-20 (noting when small businesses have to spend money
to hire third-party vendors and security experts to comply with
regulations, that affects consumer prices and small business profit
margins); Slides Accompanying Remarks of James Crifasi, ``NADA Cost
Study: Average Cost Per U.S. Franchised Dealership,'' Safeguards
Workshop Slides, supra note 72, at 25; see also Remarks of James
Crifasi, supra note 17, at 73 (noting the requirements ``start
becoming a little bit unaffordable here.'').
---------------------------------------------------------------------------
The Commission recognizes properly securing information systems can
be an expensive and technically difficult task. However, the Commission
believes the additional costs imposed by the Proposed Rule are
mitigated for several reasons and, ultimately, those costs are
justified in order to protect customer information as required by the
GLBA.\75\ First, for almost 20 years, financial institutions have been
required under the current Safeguards Rule to have information security
programs in place. The current Safeguards Rule requires financial
institutions to ``develop, implement, and maintain a comprehensive
[written] information security program . . . appropriate to [the
financial institutions'] size and complexity, the nature and scope of
[their] activities, and the sensitivity of any customer information at
issue.'' \76\ This comprehensive program must be coordinated by one or
more individuals and based on a risk assessment.\77\ As such, financial
institutions complying with the current Rule will not be required to
establish an information security program from scratch. Instead, they
can compare their existing programs to the revised Rule, and address
any gaps. The Commission believes many of the requirements set forth in
the Final Rule are so fundamental to any information security program
that the information security programs of many financial institutions
will already include them if those programs are in compliance with the
current Safeguards Rule.
---------------------------------------------------------------------------
\75\ The Small Business Administration's Office of Advocacy
commented it was concerned the FTC had not gathered sufficient data
as to either the costs or benefits of the proposed changes for small
financial institutions. Office of Advocacy, U.S. Small Business
Administration (comment 28, NPRM), at 3-4. The FTC shares the Office
of Advocacy's interest in ensuring that regulatory changes have an
evidentiary basis. Many of the questions on which the FTC sought
public comment, both in the regulatory review and in the proposed
Rule context, specifically related to the costs and benefits of
existing and proposed Rule requirements. Following the initial round
of commenting, the Commission conducted the FTC Safeguards Workshop
and solicited additional public comments with the explicit goal of
gathering additional data relating to the costs and benefits of the
proposed changes. See Public Workshop Examining Information Security
for Financial Institutions and Information Related to Changes to the
Safeguards Rule, 85 FR 13082 (Mar. 6, 2020). As detailed throughout
this document, the Commission believes there is a strong evidentiary
basis for the issuance of the final Rule.
\76\ 16 CFR 314.3.
\77\ 16 CFR 314.4.
---------------------------------------------------------------------------
Second, a number of commenters who raised concerns about the costs
imposed by the Rule believed the Proposed Rule would have required the
hiring of a highly-compensated expert to serve as a Chief Information
Security Officer (CISO).\78\ It is correct the Proposed Rule would have
modified the current requirement of designating an ``employee or
employees to coordinate your information security program'' by
requiring the designation of a single qualified individual responsible
for
[[Page 70280]]
overseeing and implementing the security program. This individual was
referred to in the Proposed Rule as a Chief Information Security
Officer or ``CISO.'' As discussed in detail below, the Final Rule does
not use this term, though the concept is the same: The person
designated to coordinate the information security program need only be
``qualified.'' No particular level of education, experience, or
certification is prescribed by the Rule. Accordingly, financial
institutions may designate any qualified individual who is appropriate
for their business. Only if the complexity or size of their information
systems require the services of an expert will the financial
institution need to hire such an individual.\79\
---------------------------------------------------------------------------
\78\ Several speakers at the Safeguards Workshop also raised
this concern. See, e.g., Slides Accompanying Remarks of James
Crifasi, ``NADA Cost Study: Average Cost Per U.S. Franchised
Dealership,'' in Safeguards Workshop Slides, supra note 72, at 25
(estimating appointing a CISO to increase program accountability
would be a one-time, up-front cost of $27,500, with a recurring
annual cost of $51,000); Remarks of James Crifasi, Safeguards
Workshop Tr., supra note 17, at 72-75; Slides Accompanying Remarks
of Lee Waters, ``Estimated Costs of Proposed Changes,'' in
Safeguards Workshop Slides, supra note 72, at 26 (estimating costs
of an in-house CISO to be $180,000 annually, and an in-house
cybersecurity analyst to be $76,000 annually; and estimating that an
outsourced cybersecurity contractor would cost between $120,000 and
$240,000 annually); Remarks of Lee Waters, Safeguards Workshop Tr.,
supra note 17, at 75-76; Remarks of Brian McManamon, Safeguards
Workshop Tr., supra note 17, at 78 (estimating that the average
annual salary of a CISO can range from $180,000 to upwards of
$400,000).
\79\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop
Tr., supra note 17, at 89-90 (noting the size of a financial
institution and the amount and nature of the information it holds
factor into an appropriate information security program); see also
Slides Accompanying Remarks of Rocio Baeza, ``Models for Complying
to the Safeguards Rule Changes,'' in Safeguards Workshop Slides,
supra note 72, at 27-28 (describing three different compliance
models: In-house, outsource, and hybrid, with costs ranging from
$199 per month to more than $15,000 per month); Remarks of Rocio
Baeza, Safeguards Workshop Tr., supra note 17, at 81-83 (describing
three compliance models in more detail).
---------------------------------------------------------------------------
Finally, the Commission believes while large financial institutions
may well incur substantial costs to implement complex information
security programs, there are much more affordable solutions available
for financial institutions with smaller and simpler information
systems. For example, there are very low-cost or even free
vulnerability assessment programs available; ``virtual CISO'' services
enable a third party to provide security support for many companies,
splitting the cost of information security professionals among them;
many applications and hardware products have built-in encryption
capabilities;\80\ and there are affordable multi-factor authentication
solutions aimed at businesses of various sizes.
---------------------------------------------------------------------------
\80\ See Remarks of Brian McManamon, Safeguards Workshop Tr.,
supra note 17, at 78 (describing virtual CISO services).
---------------------------------------------------------------------------
Considering these points, although there will undoubtedly be
expenses involved for some, or even many, financial institutions to
update their programs, the Commission believes these expenses are
justified because of the vital importance of protecting customer
information collected, maintained, and processed by financial
institutions. Congress recognized the importance of securing consumers'
sensitive financial information when it passed the GLBA, which required
the FTC to promulgate the Safeguards Rule. The importance, as well as
the difficulty, of protecting customer information has only increased
in the more than twenty years since the passage of the GLBA. The
Commission believes the amendments to the Safeguards Rule are necessary
to ensure the purposes of the GLBA are satisfied, and so consumers can
have confidence financial institutions are providing reasonable
safeguards to protect their information.
``Sensitive'' Customer Information
Several industry groups also suggested significant portions of the
Proposed Rule should not apply to all customer information, but rather
only to some subset of particularly ``sensitive'' customer information,
such as account numbers or social security numbers.\81\ These
commenters generally argued the definition of ``customer information''
is too broad, as it will include information the commenters felt is not
particularly sensitive, such as name and address, and does not justify
extensive safeguards.\82\
---------------------------------------------------------------------------
\81\ See, e.g., Electronic Transactions Association (comment 27,
NPRM), at 2-4; CTIA (comment 34, NPRM), at 10; Global Privacy
Alliance (comment 38, NPRM), at 7-8; American Financial Services
Association (comment 41, NPRM), at 5; ACA International (comment 45,
NPRM), at 13; Money Services Round Table (comment 53, NPRM), at 6-7.
\82\ See, e.g., Electronic Transactions Association (comment 27,
NPRM), at 2; Global Privacy Alliance (comment 38, NPRM), at 7.
---------------------------------------------------------------------------
The Commission does not agree that some portion of customer
information is not entitled to the protections required by the Final
Rule. The Safeguards Rule defines ``customer information'' as ``any
record containing nonpublic personal information'' about a customer
handled or maintained by or on behalf of a financial institution.\83\
The Final Rule defines ``nonpublic personal information'' as
``personally identifiable financial information,'' but does not include
information that is ``publicly available.'' Although this definition is
broad, the Commission believes information covered by it is rightfully
considered sensitive and should be protected accordingly. The
businesses regulated by the Safeguards Rule are not just any
businesses, but are financial institutions and are responsible for
handling and maintaining financial information that is both important
to consumers and valuable to attackers who try to obtain the
information for financial gain. Even the fact that a consumer is a
customer of a particular financial institution is generally nonpublic
and can be sensitive. For example, the revelation of a customer
relationship between a consumer and a particular type of financial
institution, such as debt collectors or payday lenders, may make those
customers' information more vulnerable to compromise by facilitating
social engineering or similar attacks. The nature of the relationship
between customers and their financial institutions makes all nonpublic
information held by the financial institution inherently sensitive and
worthy of the level of protection set forth in the Rule.
---------------------------------------------------------------------------
\83\ 16 CFR 314.2(b).
---------------------------------------------------------------------------
Although the Commission believes all customer information should be
safeguarded by financial institutions and declines to exclude any
portion of that information from protection under any of the provisions
of the Rule, it notes the Rule does contemplate financial institutions
will consider the sensitivity of particular information in designing
their information security programs and safeguards. The elements
required by this section are generally flexible enough to allow
financial institutions to treat various pieces of information
differently. For example, paragraph (c)(1) requires information
security programs to include safeguards that address access control of
customer information. The paragraph requires financial institutions to
develop measures to ensure only authorized users access customer
information, but does not prescribe any particular measures that must
be adopted. When designing these measures, a financial institution may
design a system in which more sensitive information is protected by
more stringent access controls. Even in the more specific provisions of
the Rule, there is flexibility to address the relative sensitivity of
information. For example, in Sec. 313.4(c)(5)'s requirement that
customer information be protected by multi-factor authentication,
financial institutions have flexibility to implement the multi-factor
authentication depending on the sensitivity of the information. The
financial institution may select factors such as SMS text messages to
access less sensitive information, but determine more sensitive
information should be protected by other, more secure, factors for
authentication.
Third-Party Standards and Frameworks
In addition, in the NPRM, the Commission asked whether the
Safeguards Rule should incorporate outside standards, such as the
National Institute of Standards and Technology (``NIST'') framework,
either as required elements of an information security program or as a
safe harbor that would
[[Page 70281]]
treat compliance with such a standard as compliance with the Safeguards
Rule. Some commenters advocated for the adoption of an outside standard
into the Safeguards Rule.\84\ Cisco Systems, Inc. suggested the
Safeguards Rule should be connected to NIST guidance, arguing this
would allow the Rule to evolve as NIST's guidance evolves.\85\ An
anonymous commenter suggested the Rule should comply with
``international standard ISO/IEC 27001.'' \86\ The National Consumer
Law Center argued certain financial institutions with particularly
sensitive customer information should be required to comply with
guidelines issued by NIST and the Federal Financial Institutions
Examination Council (FFIEC).\87\ Other commenters acknowledged the
value of outside standards but were opposed to the Rule requiring
compliance with them.\88\
---------------------------------------------------------------------------
\84\ Cisco Systems, Inc. (comment 51, NPRM), at 4; National
Consumer Law Center and others (comment 58), at 2; Anonymous
(comment 2, Workshop).
\85\ Cisco Systems, Inc. (Comment 51, NPRM), at 4.
\86\ Anonymous (comment 2, Workshop). The ISO/IEC 27001 standard
is an information security standard issued by the International
Organization for Standardization. See ISO/IEC 27001 Information
Security Management, ISO, https://www.iso.org/isoiec-27001-information-security.html (last accessed 15 Dec. 2020).
\87\ National Consumer Law Center and others (comment 58, NPRM),
at 2.
\88\ HITRUST (comment 18, NPRM), at 2; see also Consumer Reports
(comment 52, NPRM), at 6-7 (discouraging the adoption of outside
standards as a safe harbor for companies).
---------------------------------------------------------------------------
Some commenters suggested while compliance with outside standards
should not be required, compliance should serve as a ``safe harbor''
for compliance with the Rule.\89\ On the other hand, Consumer Reports
noted while such standards can be helpful guidance, they should not be
a safe harbor for compliance with the Rule because financial
institutions must take steps to ensure they are responding to changing
information security threats regardless of the requirements of an
outside framework.\90\
---------------------------------------------------------------------------
\89\ Mortgage Bankers Association (comment 26, NPRM), at 2
(suggesting Rule be modified so financial institutions that use the
NIST Cybersecurity Framework would be in de facto compliance with
the Rule); see also National Pawnbrokers Association (comment 32,
NPRM), at 6-7 (advocating for the adoption of safe harbors for small
financial institutions without detailing what should be required to
qualify for the safe harbor).
\90\ Consumer Reports (comment 52, NPRM), at 6-7.
---------------------------------------------------------------------------
The Commission declines to change the Rule to incorporate or
reference a particular security standard or framework for a variety of
reasons. First, it is not clear the more detailed frameworks would
apply well to financial institutions of various sizes and industries.
In addition, mandating companies follow a particular security standard
or framework would reduce the flexibility built into the Rule.
Similarly, the Commission declines to make compliance with an outside
standard a safe harbor for the Rule. In such a scenario, the use of
safe harbors would not greatly enhance regulatory stability or
predictability for financial institutions because the Commission would
be required to actively monitor whether those standards continued to
provide equivalent protections for Safeguards compliance and modify the
Rule if a standard became inadequate. In addition, in investigating
possible violations of the Rule, the Commission would be required to
independently verify whether the financial institution had in fact
complied with the outside framework, which would require substantial
effort and expense on the part of the Commission and the target of the
investigation.
Specific Elements
In addition to these generally applicable comments, commenters
addressed many of the individual elements set forth by this section.
These elements are discussed in more detail below.
Paragraph (a)--Designation of a Single Qualified Individual
Proposed paragraph (a) changed the current requirement that
institutions designate an ``employee or employees to coordinate your
information security program'' to instead require the financial
institution to designate ``a qualified individual responsible for
overseeing and implementing your information security program and
enforcing your information security program.'' \91\ This individual was
referenced in the Proposed Rule as a Chief Information Security Officer
or ``CISO.''
---------------------------------------------------------------------------
\91\ Section 314.4(a).
---------------------------------------------------------------------------
The notice of proposed rulemaking for the Proposed Rule emphasized
the use of the term ``CISO'' was for clarity in the Proposed Rule.\92\
Despite the use of the term ``CISO,'' the Proposed Rule did not require
financial institutions to actually grant that title to the designated
individual. Commenters that responded to this proposal, however,
generally assumed the person designated to coordinate and oversee a
financial institution's information security program would be required
to have the qualifications, duties, responsibilities, and accompanying
pay of a CISO as that position is generally understood in the
information security field.\93\ The position of CISO is generally
limited to large companies with fairly complex information security
systems, so the salary of this position is often very high.\94\
Accordingly, many commenters argued hiring a CISO would be
prohibitively expensive for many financial institutions.\95\
Additionally, commenters argued the hiring of such an in-demand
professional would be difficult because of a general shortage of such
professionals available for hiring.\96\
---------------------------------------------------------------------------
\92\ 84 FR 13165.
\93\ U.S. Chamber of Commerce (comment 33, NPRM), at 10;
National Automobile Dealers Association (comment 46), at 17-19;
National Independent Automobile Dealers Association (comment 48,
NPRM), at 5; ACA International (Comment 45, NPRM), at 8.
\94\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop Tr., supra
note 17, at 78 (estimating the average annual salary of a CISO can
range from $180,000 to upwards of $400,000).
\95\ National Automobile Dealers Association (comment 46, NPRM),
at 17-19; National Independent Automobile Dealers Association
(comment 48, NPRM), at 5; U.S. Chamber of Commerce (comment 33,
NPRM), at 10; ACA International (comment 45, NPRM), at 8.
\96\ National Automobile Dealers Association (comment 46, NPRM),
at 18-19; U.S. Chamber of Commerce (comment 33, NPRM), at 10; ACA
International (comment 45, NPRM), at 8.
---------------------------------------------------------------------------
By using the term ``CISO,'' the Commission did not intend to
require all financial institutions hire a highly qualified professional
with an extremely high salary, regardless of the financial
institutions' size or complexity. The Proposed Rule required only that
financial institutions designate a ``qualified individual'' to oversee
and enforce their information security program, without specifying any
particular level of experience, education, or compensation, or
requiring any particular duties outside of overseeing the financial
institution's information security program and other requirements
specifically set forth in the Rule.\97\ The use of the term ``CISO'' in
the Proposed Rule, however, caused confusion about the requirements of
this section. Accordingly, the Final Rule replaces the term ``CISO''
with ``Qualified Individual'' to refer to the individual designated
under this section of the Rule.
---------------------------------------------------------------------------
\97\ 84 FR 13175.
---------------------------------------------------------------------------
The use of the term ``Qualified Individual'' is meant to clarify
the only requirement for this designated individual is that he or she
be qualified to oversee and enforce the financial institution's
information security program. What qualifications are necessary will
depend upon the size and complexity of a financial institution's
information system and the volume and sensitivity of the customer
information the financial institution
[[Page 70282]]
possesses or processes. The Qualified Individual of a financial
institution with a very small and simple information system will need
less training and expertise than a Qualified Individual for a financial
institution with a large, complex information system. The exact
qualifications will depend on the nature of the financial institution's
information system. Each financial institution will need to evaluate
its own information security needs and designate an individual with
appropriate qualifications to meet those needs.
The Commission believes, in many cases, financial institutions'
current coordinators, whether their own employees or third-party
contractors, may be qualified for this role.\98\ Because the current
Safeguards Rule requires financial institutions to designate an
``employee or employees to coordinate your information security
program,'' financial institutions in compliance with that Rule will
already have one or more information security coordinators. Although
the current Rule does not expressly require that these coordinators be
qualified for that position, the current Rule requires a financial
institution to maintain ``appropriate'' safeguards, regularly test
those safeguards, and evaluate and adjust the information security
program in light of that testing.\99\ In order to effectively comply
with these ongoing requirements, a financial institution's coordinator
must have some level of information security training and knowledge
and, therefore, will likely be an appropriate Qualified Individual
under the Final Rule. Accordingly, in many cases this amendment to the
Rule will not require any additional hiring expenses.
---------------------------------------------------------------------------
\98\ Remarks of James Crifasi, Safeguards Workshop Tr., supra
note 17, at 74 (stating car dealerships can rely on existing staff
for this role); Remarks of Lee Waters, Safeguards Workshop Tr.,
supra note 17, at 78-79 (stating any dealership with any IT staff at
all would have someone who could assume the role of ``qualified
individual,'' perhaps requiring some additional research or outside
help); Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note
17, at 81-82 (stating companies may use an existing employee for the
role and ``for any areas where there may be skill gaps, that can be
supplemented with either certifications or some type of
education.'').
\99\ 16 CFR 314.4.
---------------------------------------------------------------------------
In addition to explicitly requiring that the information security
program coordinator be qualified for the role, the Commission proposed
to require the designation of a single employee, as opposed to the
multiple coordinators allowed by the existing Rule. Some commenters
objected to this proposal on the grounds that it would interfere with
financial institutions' flexibility in organizing their information
security personnel.\100\ For example, the Consumer Data Industry
Association (``CDIA'') commented the designation of a single
coordinator would interfere with financial institutions' ability to
organize their program ``to share responsibilities among different
personnel with different strengths.'' \101\ Similarly, ACA
International argued this requirement would prevent financial
institutions from having multiple staff members share responsibilities
for information security programs.\102\
---------------------------------------------------------------------------
\100\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 5; Consumer Data Industry Association
(comment 36, NPRM), at 5; National Association of Dealer Counsel
(comment 44, NPRM), at 2; ACA International (comment 45, NPRM), at
7-8; Money Services Round Table (comment 53, NPRM), at 10; Gusto and
others (Comment 11, Workshop), at 2; see also Remarks of James
Crifasi, Safeguards Workshop Tr., supra note 17, at 74 (stating
``when we're talking about a small and medium business [. . .] we
really need to see that `qualified individual' be a mix of folks'').
\101\ Consumer Data Industry Association (comment 36, NPRM), at
5.
\102\ ACA International (comment 45, NPRM), at 7-8. NPA raised
similar concerns. National Pawnbrokers Association (comment 3,
Workshop), at 2.
---------------------------------------------------------------------------
Other commenters argued the designation of a single individual as
the coordinator of the information security program provides no proven
benefits over the use of multiple coordinators.\103\ Similarly, NADA
argued that, while the appointment of a single qualified individual
might improve accountability, improving accountability does not improve
security.\104\ On the other hand, a group of consumer and advocacy
groups including the National Consumer Law Center (``NCLC'') argued
appointing a single individual as the coordinator of the information
security program can increase security and prevent security events
based on lack of accountability and poor coordination.\105\
---------------------------------------------------------------------------
\103\ Consumer Data Industry Association (comment 36, NPRM), at
5; National Automobile Dealers Association (comment 46, NPRM), at
19; ACA International (comment 45, NPRM), at 8.
\104\ National Automobile Dealers Association (comment 46,
NPRM), at 19.
\105\ National Consumer Law Center and others (comment 58,
NPRM), at 3 (arguing that a clear line of reporting with a single
responsible individual could have prevented the Equifax consumer
data breach).
---------------------------------------------------------------------------
The Commission retains the requirement to designate a single
qualified individual, because it believes there are clear benefits to
the designation of a single coordinator. Designating a single
coordinator to oversee an information security program clarifies lines
of reporting in enforcing the program, can avoid gaps in responsibility
in managing data security, and improve communication.\106\
---------------------------------------------------------------------------
\106\ Remarks of Adrienne Allen, Safeguards Workshop Tr., supra
note 17, at 182-84 (stating that without a single responsible
individual, information security staff ``can fall into traps of each
relying on someone else to make a hard call . . . [In a program
without a single coordinator] issues can sometimes fall through the
cracks.''); Remarks of Michele Norin, Safeguards Workshop Tr., supra
note 17, at 184-85 (``I think it's extremely important to have a
person in front of the information security program. I think that
there are so many components to understand, to manage, to keep an
eye on. I think it's difficult to do that if it's part of someone
else's job. And so I found that it's extremely helpful to have a
person in charge of that program just from a pure basic management
perspective and understanding perspective.'').
---------------------------------------------------------------------------
The Commission disagrees with the commenter who stated improved
accountability does not lead to improved security. The goal of
improving accountability is to ensure information security staff and
financial institution management give the necessary attention and
resources to information security. In addition, an individual that has
clear responsibility for the strength of a financial institution's
information security program will be accountable to improve the program
and ensure it protects customer information.\107\
---------------------------------------------------------------------------
\107\ See, e.g., Federal Trade Commission Staff Comment on the
Preliminary Draft for the NIST Privacy Framework: A Tool for
Improving Privacy through Enterprise Risk Management (Oct. 24,
2019), at 12-14 (suggesting NIST clarify that one person should be
in charge of the program). https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-preliminary-draft-nist-privacy-framework/p205400nistprivacyframeworkcomment.pdf.
---------------------------------------------------------------------------
The major breach that occurred at national consumer reporting
agency Equifax in 2017 demonstrates the importance of clear lines of
reporting and accountability in management of information security
programs. The U.S. House Committee on Oversight and Government Reform
issued a report on the breach that identified Equifax's organization as
one of the major causes of the breach.\108\ The report indicated
Equifax's division of responsibility for information security between
two individuals that reported to two different company officers
contributed to failures of communication, oversight, and enforcement
that led to millions of consumers' data being compromised.\109\
Increasing accountability for individuals and organizations can
directly lead to improved security for customer information.
---------------------------------------------------------------------------
\108\ U.S. House, Committee on Oversight and Government Reform,
Majority Staff Report, The Equifax Data Breach, at 55-62, 115th
Congress (Dec. 2018).
\109\ Id.
---------------------------------------------------------------------------
Finally, the Commission does not believe the requirement to
designate a single Qualified Individual would
[[Page 70283]]
prevent the approach of having multiple people responsible for
different aspects of the program, as some commenters asserted. While
the Qualified Individual appointed as the coordinator of the
information security program would have ultimate responsibility for
overseeing and managing the information security program, financial
institutions may still assign particular duties and responsibilities to
other staff members.\110\ A financial institution may organize its
personnel in teams or share decision making between individuals.
Moreover, the Rule does not require this be the Qualified Individual's
sole job--he or she may have other duties. The Rule requires only that
one individual assume the ultimate responsibility for overseeing and
enforcing the program.
---------------------------------------------------------------------------
\110\ See Remarks of Adrienne Allen, Safeguards Workshop Tr.,
supra note 17, at 189-90 (noting that, even where there is a single
point person, decision makers rarely operate ``in a vacuum.'').
---------------------------------------------------------------------------
Accordingly, the Final Rule requires designation of a single
Qualified Individual, as proposed, but no longer uses the term
``CISO.''
Third-Party Coordinators
The Proposed Rule stated that the Qualified Individual would not
need to be an employee of the financial institution, but could be an
employee of an affiliate or a service provider. This change was
intended to accommodate financial institutions that may prefer to
retain an outside expert, lack the resources to employ a qualified
person to oversee a program, or decide to pool resources with
affiliates to share staff to manage information security. The Proposed
Rule required, however, that to the extent a financial institution used
a service provider or affiliate, the financial institution must still:
(1) Retain responsibility for compliance with the Rule; (2) designate a
senior member of its personnel to be responsible for direction and
oversight of the Qualified Individual; and (3) require the service
provider or affiliate to maintain an information security program that
protects the financial institution in accordance with the Rule.
The Commission received one comment on this aspect of the
provision. NADA argued that, because a senior member of a financial
institution's personnel must be responsible for the oversight of a
third-party Qualified Individual, the supervising individual would need
to be an expert in information security, and the financial institution
would still be required to hire an expensive employee to supervise the
third-party Qualified Individual.\111\ The Rule, however, does not
require individuals responsible for overseeing third-party Qualified
Individuals to be information security experts themselves. The senior
member of personnel who oversees the third-party Qualified Individual is
charged with supervising and monitoring the third party so the financial
institution is aware of its data security needs and the safeguards
being used to protect its information systems. This person does not
need to be qualified to coordinate the information security program
himself or herself. Technical staff are frequently supervised by employees or
officers with limited technical expertise.\112\ The Rule requires only
the same responsibilities a supervisor would have in overseeing an in-
house information security coordinator of a financial institution.
Accordingly, the Commission adopts the proposed paragraph without
modification.
---------------------------------------------------------------------------
\111\ National Automobile Dealers Association (comment 46,
NPRM), at 18.
\112\ See Remarks of James Crifasi, Safeguards Workshop Tr.,
supra note 17, at 79-80 (stating that, in his work as a third-party
information security service provider, he is often overseen by
executives without technical backgrounds); see also Remarks of Rocio
Baeza, Safeguards Workshop Tr., supra note 17, at 105-06 (noting
distinction in how executives and technical staff may understand
their organizations' use of encryption); Remarks of Karthik
Rangarajan, Safeguards Workshop Tr., supra note 17, at 196
(discussing challenges inherent in discussing technical issues with
board members who lack a technical background) and at 211 (noting
organizations can successfully manage their relationships with
third-party service providers without ``becom[ing] experts'' in the
services provided).
---------------------------------------------------------------------------
Proposed Paragraph (b)
The NPRM proposed amending paragraph (b) to clarify a financial
institution must base its information security program on the findings
of its risk assessment by adding an explicit statement that financial
institutions' ``information security program [shall be based] on a risk
assessment.'' \113\ In addition, the Proposed Rule removed existing
Sec. 314.4(b)'s requirement that the risk assessment must include
consideration of specific risks \114\ because these specific risks are
set forth elsewhere in the Proposed Rule.\115\ The Commission received
no comments on this paragraph and adopts paragraph (b) as proposed.
---------------------------------------------------------------------------
\113\ Proposed 16 CFR 314.4(b).
\114\ Proposed 16 CFR 314.4(b)(1), (2), and (3).
\115\ See, e.g., Proposed 16 CFR 314.4(c)(2) and (10) and (e).
---------------------------------------------------------------------------
Written Risk Assessment
Paragraph (b)(1) of the Proposed Rule required the risk assessment
be written and include: (1) Criteria for the evaluation and
categorization of identified security risks or threats the financial
institution faces; (2) criteria for the assessment of the
confidentiality, integrity, and availability of the financial
institution's information systems and customer information, including
the adequacy of the existing controls in the context of the identified
risks or threats to the financial institution; and (3) requirements
describing how identified risks will be mitigated or accepted based on
the risk assessment and how the information security program will
address the financial institution's risks. Commenters raised several
concerns about the Proposed Rule's provisions on risk assessment, none
of which merit changes to the Proposed Rule.
First, some commenters objected to the level of specificity of the
Proposed Rule, with some arguing the requirements were too specific,
and others arguing the requirements were not specific enough. With
respect to the Proposed Rule being too specific, commenters such as ACA
and U.S. Chamber of Commerce argued it removed financial institutions'
flexibility in performing risk assessments.\116\ The U.S. Chamber of
Commerce contended, because the criteria are too specific, a risk
assessment performed using them would not be ``sufficiently risk
based.'' \117\ CDIA expressed concern it was unclear ``what level of
specificity is required'' in the written risk assessment and if
detailed risk assessments are required, they ``could themselves become
a roadmap for a security breach.'' \118\
---------------------------------------------------------------------------
\116\ ACA International (comment 45, NPRM), at 12; U.S. Chamber
of Commerce (comment 33, NPRM), at 10.
\117\ U.S. Chamber of Commerce (comment 33, NPRM), at 10.
\118\ Consumer Data Industry Association (comment 36, NPRM), at
5.
---------------------------------------------------------------------------
In contrast, several other commenters recommended the Rule set
forth more specific criteria for risk assessments. Inpher suggested the
Commission add a requirement that risk assessments require financial
institutions to examine ``technologies that are deployed by [financial
institutions'] information security systems, and evaluate the
feasibility'' of adopting ``privacy enhancing technologies'' that would
better address vulnerabilities and thwart threats.\119\ Inpher also
recommended the Rule require financial institutions to conduct privacy
impact assessments with ``specific guidelines to review internal data
protection standards and adherence to fair information
[[Page 70284]]
principles.'' \120\ The Princeton Center suggested the Rule require
risk assessments to include threat modeling and adopt the concept of
defense in depth.\121\ HALOCK Security Labs recommended the Rule
specifically require ``a) That risk assessments should evaluate the
likelihood of magnitudes of harm that result from threats and errors,
b) That risk assessments should explicitly estimate foreseeable harm to
consumers as well as to the covered financial institutions, c) That
risk mitigating controls are commensurate with the risks they address,
[and] d) That risk assessments estimate likelihoods and impacts using
available data.'' \122\
---------------------------------------------------------------------------
\119\ Inpher, Inc. (comment 50, NPRM), at 4.
\120\ Id.
\121\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 2.
\122\ HALOCK Security Labs (comment 4, Workshop) at 2. See Rocio
Baeza (comment 12, Workshop) at 2-3 (suggesting a detailed list of
requirements for the risk assessment).
---------------------------------------------------------------------------
The Commission believes the Proposed Rule's provisions on risk
assessment strike the right balance between specificity and
flexibility. The amendments provide only a high-level list of criteria
the risk assessment must address. They essentially require that the
financial institution identify and evaluate risks to its systems,
evaluate the adequacy of its existing controls for addressing these
risks, and identify how these risks can be mitigated. These are core
requirements of any risk assessment.\123\ The Rule does not require any
specific methodology or approach for performing the assessment.
Financial institutions are free to perform the risk assessment using
the method most suitable for their organization as long as that method
meets the general requirements set forth in the Rule.\124\ And while
the Commission agrees the additional requirements suggested by some
commenters may be beneficial in many, or even most, risk assessments,
it believes a more flexible requirement will better allow financial
institutions to find the risk assessment method that best fits their
organization and will better accommodate changes in recommended
approaches in the future.
---------------------------------------------------------------------------
\123\ See, e.g., Remarks of Chris Cronin, Safeguards Workshop
Tr., supra note 17, at 25 (stating that evaluating the likelihoods
and impacts of potential security risks and evaluating existing
controls is an important component of a risk assessment); Remarks of
Serge Jorgensen, Safeguards Workshop Tr., supra note 17, at 29-30
(emphasizing the importance of risk assessments as tools for
adjusting existing security measures to account for both current and
future security threats); Nat. Inst. of Sci. & Tech., U.S. Dept. of
Com., Special Publication 800-30 Rev. 1, Guide for Conducting Risk
Assessments 1 (2012) (describing the purpose of risk assessments as
the identification of and prioritization of risk in order to inform
decision making and risk response).
\124\ ACA International further argued because risk assessment
criteria are generally understood, they do not need to be included
in the Final Rule. ACA International (comment 45, NPRM). The
Commission believes it is helpful to be clear about the criteria the
risk assessment must contain, even if those criteria are commonly
understood.
---------------------------------------------------------------------------
In response to CDIA's concern about the risk assessment providing a
roadmap for bad actors, the Commission acknowledges the written risk
assessment will include details about a financial institution's systems
that could assist an attacker who obtained it. Accordingly, the risk
assessment should be protected as any other sensitive information would
be. The Commission does not view this concern as a reason not to create
such a document. Indeed, the concern would apply to any written
document that provides information regarding a financial institution's
information security procedures, from a network diagram to written
security code.
Second, some commenters argued implementing the risk-assessment
provision as proposed would be too expensive and difficult for
financial institutions.\125\ For example, NADA argued the contemplated
risk assessment would be very costly because the criteria set out in
paragraph (b)(1) are ``well outside the scope of expertise of anyone
but the most sophisticated IT professionals.'' \126\ In response,
although the Commission declines to modify the provision, it addresses
NADA's concern in Sec. 314.6 by exempting financial institutions that
maintain information concerning fewer than 5,000 consumers from the
specific requirements of paragraph (b)(1), and from the requirement to
memorialize the risk assessment in writing. For those financial
institutions that do not qualify for this exemption, the Commission
believes they will be able to perform the required risk assessment in a
manner that is practical and affordable for their institution. There
are many resources available to financial institutions to aid in risk
assessment, including service providers that can assist institutions of
various sizes.\127\
---------------------------------------------------------------------------
\125\ National Association of Dealer Counsel (comment 44, NPRM),
at 3; National Automobile Dealers Association (comment 46, NPRM), at
20.
\126\ National Automobile Dealers Association (comment 46,
NPRM), at 20.
\127\ See, e.g., Slides Accompanying Remarks of Rocio Baeza, in
Safeguards Workshop Slides, supra note 72, at 27-28 (describing
three different compliance models: In-house, outsource, and hybrid,
with costs ranging from $199 per month to more than $15,000 per
month); Slides Accompanying the Remarks of Brian McManamon, ``Sample
Pricing,'' in Safeguards Workshop Slides, supra note 72, at 29
(estimating the cost of cybersecurity services based on number of
endpoints: $2K-$5K per month for 25-250 endpoints; $5K-$15K for 250-
750 endpoints; $15K-$30K for 750-1,000 endpoints; and $30K-$50K for
1,500-2,500 endpoints); see also Remarks of Brian McManamon,
Safeguards Workshop Tr., supra note 17, at 83-85.
---------------------------------------------------------------------------
While acknowledging there will be some cost to conducting a risk
assessment, the Commission believes a properly conducted risk
assessment is an essential part of a financial institution's
information security program. The entire Safeguards Rule, both as it
currently exists and as amended, requires that the information security
program be based on a risk assessment. An information security program
cannot properly guard against risks to customer information if those
risks have not been identified and assessed.\128\ The Commission
believes this requirement properly emphasizes the importance of robust
risk assessments, while providing financial institutions sufficient
flexibility in performing these assessments. Finally, the Commission
notes, because the current Rule also requires that a risk assessment be
performed, financial institutions that have complied with the current
Rule have already conducted a risk assessment. And, even if that risk
assessment was not memorialized in writing, the work conducted for that
risk assessment should be useful in performing future risk assessments.
---------------------------------------------------------------------------
\128\ See Remarks of Chris Cronin, Safeguards Workshop Tr.,
supra note 17, at 48-49 (noting all information security frameworks
and guidelines are based on risk analysis).
---------------------------------------------------------------------------
Third, NADA objected to the requirement that the risk assessment
describe how each identified risk will be ``mitigated or accepted,''
arguing it is not clear when it is appropriate to ``accept a risk.''
\129\ NADA argued that documenting a decision to accept a risk would
``create a record that can be distorted and second guessed after the
fact,'' and ``context is lost when it is written and reviewed after an
incident has occurred.'' \130\ The Rule does not require a financial
institution to mitigate every risk identified, no matter how remote or
insignificant. Instead, the Rule allows a financial institution to
accept a risk, if its assessment of the risk reveals that the chance it
will produce a security event is very small, if the consequences of the
risk are minimal, or the cost of mitigating the risk far outweighs the
benefit. In those cases, the financial institution may choose to accept
the risk. A financial institution concerned that its decision to accept
a risk will later be questioned may choose to set forth whatever
context or
[[Page 70285]]
explanation it sees fit in the written assessment.
---------------------------------------------------------------------------
\129\ National Automobile Dealers Association (comment 46, NPRM)
at 20.
\130\ Id.
---------------------------------------------------------------------------
Finally, while several commenters supported the idea of conducting
``periodic'' risk assessments as required by the Proposed Rule,\131\
NADA objected it is unclear how often financial institutions need to
conduct risk assessments under this section.\132\ In order to be
effective, a risk assessment must be subject to periodic reevaluation
to adapt to changes in both financial institutions' information systems
and changes in threats to the security of those systems. The Commission
declines, however, to set forth a specific schedule for risk
assessments. The Commission believes it would not be appropriate to set
forth an inflexible schedule for periodic risk assessments because each
financial institution must set its own schedule based on the needs and
resources of its institution.
---------------------------------------------------------------------------
\131\ Inpher, Inc. (comment 50, NPRM), at 3; Global Privacy
Alliance (comment 38, NPRM), at 11.
\132\ National Automobile Dealers Association (comment 46,
NPRM), at 20.
---------------------------------------------------------------------------
The Final Rule adopts Sec. 314.4(b) as proposed.
Paragraph (c)
Proposed paragraph (c) retained the existing Rule's requirement for
financial institutions to design and implement safeguards to control
the risks identified in the risk assessment. In addition, it added more
detailed requirements for what the safeguards must address (e.g.,
access controls, data inventory, disposal, change management,
monitoring). These specific requirements represent elements of an
information security program that the Commission views as essential and
should be addressed by all financial institutions.\133\
---------------------------------------------------------------------------
\133\ NADA disagreed with the Commission's statement in the NPRM
for the Proposed Rule that ``most financial institutions already
implement'' the specific requirements in paragraph (c), stating that
many financial institutions ``do not currently implement some or all
of these measures.'' National Automobile Dealers Association
(comment 46, NPRM), at 20. The Commission continues to believe most
financial institutions institute some form of most of these
measures, such as access control, secure disposal, and monitoring
authorized users, based on its enforcement and business outreach
experience. While NADA's statement that some financial institutions
implement none of the measures may be true, this underlines the
necessity of making these elements explicit requirements under the
Rule, as these elements are necessary for a reasonable information
security program for all financial institutions. Indeed, a financial
institution that utilizes none of these elements and exercises no
access control, no secure disposal procedures, and does not monitor
users of its systems is unlikely to be in compliance with the
current Rule.
---------------------------------------------------------------------------
As a preliminary matter, Global Privacy Alliance (GPA) argued all
of these elements should be made optional and financial institutions
should be required only to take these elements ``into consideration''
when designing their information security programs.\134\ While the
Commission agrees it is important that the Rule allow financial
institutions flexibility in designing their information security
programs, these elements are such important parts of information
security that each program must address them. For example, an
information security program that has no access controls or does not
contain any measures to monitor the activities of users on the systems
cannot be said to be protecting the financial institution's systems.
The Final Rule, therefore, continues to require each information
security program to contain safeguards that address these elements,
with modifications described below.
---------------------------------------------------------------------------
\134\ Global Privacy Alliance (comment 38, NPRM), at 6.
---------------------------------------------------------------------------
Access Controls
Proposed paragraph (c)(1) required financial institutions to
``place access controls on information systems, including controls to
authenticate and permit access only to authorized individuals to
protect against the unauthorized acquisition of customer information
and to periodically review such access controls.''
Commenters suggested a number of modifications to this provision.
First, GPA argued this provision should require controls on access to
information, rather than on information systems.\135\ Second, several
commenters suggested adding further safeguards to the ``access
control'' requirement. For example, the Princeton Center argued the
Rule should adopt the ``Principle of Least Privilege,'' a principle
that no user should have access greater than is necessary for
legitimate business purposes.\136\ Reynolds and Reynolds Company
(Reynolds) suggested the Rule clarify that financial institutions must
``vet, control, and monitor user access to sensitive information.''
\137\ Consumer Reports argued paragraph (c)(1) should be amended to
control access not just to authorized users, but to further limit
access to when such access is reasonably necessary.\138\ ACE argued
that any requirement for physical access control allow financial
institutions to determine which locations should have restricted
access, rather than limiting physical access to every building and
office within, say, a college campus.\139\ Finally, some commenters
argued the proposed language was too vague,\140\ particularly as it
applied to vendor-supplied services.\141\
---------------------------------------------------------------------------
\135\ Global Privacy Alliance (comment 38, NPRM), at 9-10.
\136\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 4-5.
\137\ Reynolds and Reynolds Company (comment 7, Workshop), at 7.
\138\ Consumer Reports (comment 52, NPRM), at 7.
\139\ American Council on Education (comment 24, NPRM), at 10.
\140\ National Automobile Dealers Association (comment 46,
NPRM), at 23; National Independent Automobile Dealers Association
(comment 48, NPRM), at 5; American Council on Education (comment 24,
NPRM), at 10.
\141\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 5; American Council on Education (comment 24,
NPRM), at 10.
---------------------------------------------------------------------------
In response to the comments, the Commission makes a number of
changes to this provision in the Final Rule. First, the Commission
clarifies that the Rule requires access controls, not just for
information systems, but for all customer information, whether it is
housed in information systems or in physical locations. To streamline
the Rule, the Final Rule combines the separate physical access controls
requirement found in proposed paragraph (c)(3) with this paragraph.
Physical access controls will generally be most important in situations
in which sensitive customer information is kept in physical form (such
as hard-copy loan applications, or printed consumer reports). It may
also require physical restrictions to access machines that contain
customer information (e.g., locked doors and/or key card access to a
computer lab).\142\ The Commission declines to make any changes in
response to ACE's concern that every physical location will need to be
protected--as the Rule states, physical controls must be implemented to
protect against unauthorized access to customer information. Where no customer
information exists, the Rule would not require physical controls.
---------------------------------------------------------------------------
\142\ NIADA suggested instituting physical access controls would
cost a dealership $215,000 because each computer would need to have
its own lockable cubicle and there would need to be lockable offices
for all desks. See Remarks of Lee Waters, Safeguards Workshop Tr.,
supra note 17, at 76. As originally promulgated, the Rule already
requires financial institutions implement ``physical safeguards that
are appropriate to your size and complexity.'' 16 CFR 314.3. The
Final Rule's requirement is consistent with that longstanding
requirement. If computers have technical safeguards preventing
unauthorized users from accessing customer information, they usually
will not need to be in a lockable area, particularly if they are not
generally left unattended and are not likely to be stolen.
Similarly, desks would need to be in lockable offices only if they
contain accessible paper records. A lockable file cabinet may be a
more economical solution.
---------------------------------------------------------------------------
Second, the Commission agrees with the commenters who advocated
that the Rule implement the principle of least privilege. The
Commission does not believe it is appropriate, for example, for larger
companies to give all
[[Page 70286]]
employees and service providers access to all customer information.
Such overbroad access could create additional harm in the event of an
intruder gaining access to a system by impersonating an employee or
service provider. Accordingly, the Commission clarifies this in the
Final Rule by adding a requirement that not only must a financial
institution implement access controls, but it should also restrict
access only to customer information needed to perform a specific
function.
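The contrast the Commission draws above, between giving every employee and service provider access to all customer information and restricting each function to what it needs, can be made concrete in a small authorization check. The following is an added illustration, not part of the Final Rule or any FTC material; the roles, customer-information categories, grants and identifiers are all constructed, and the periodic review function is one way to implement the Rule's "periodically review such access controls" requirement.

```python
"""Least-privilege access decisions for customer information, plus a
periodic access review.  Illustrative only; every role, category and
subject below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed categories of customer information an institution might hold.
CATEGORIES = frozenset({"contact", "credit_application", "consumer_report",
                        "payment_history", "ssn"})

# Hypothetical least-privilege policy: each job function is granted only the
# categories it needs to perform its duties.  Unknown roles get nothing.
LEAST_PRIVILEGE: Dict[str, Set[str]] = {
    "sales": {"contact"},
    "finance_desk": {"contact", "credit_application", "consumer_report"},
    "collections": {"contact", "payment_history"},
    "it_support": set(),                      # administers systems, needs no customer data
    "document_scanning_vendor": {"credit_application"},   # a service provider role
}

# The overbroad alternative the Commission rejects: every role sees everything.
OVERBROAD: Dict[str, Set[str]] = {role: set(CATEGORIES) for role in LEAST_PRIVILEGE}


@dataclass(frozen=True)
class Principal:
    subject: str                     # authenticated identity (constructed)
    kind: str                        # "employee", "service_provider" or "customer"
    role: Optional[str] = None       # job function for employees / providers
    customer_id: Optional[str] = None  # for customers: the record they own


def can_access(principal: Principal, record_owner: str, category: str,
               policy: Dict[str, Set[str]]) -> bool:
    """Decide whether `principal` may read `category` of customer `record_owner`.

    Customers may reach only their own information; employees and service
    providers are limited to the categories their function needs.  Anything
    unrecognised is denied (fail closed)."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown customer-information category: {category}")
    if principal.kind == "customer":
        return principal.customer_id is not None and principal.customer_id == record_owner
    if principal.kind not in ("employee", "service_provider"):
        return False
    return category in policy.get(principal.role or "", set())


def exposure_if_impersonated(role: str, policy: Dict[str, Set[str]]) -> list:
    """Categories an intruder would reach by impersonating someone in `role`.

    This is the blast radius the Commission's least-privilege rationale is
    about: under OVERBROAD it is every category, under LEAST_PRIVILEGE only
    what the function needs."""
    return sorted(policy.get(role, set()))


def review_access(grants: Dict[str, Tuple[str, Set[str]]],
                  policy: Dict[str, Set[str]]) -> Dict[str, list]:
    """Periodic access review: flag every subject whose actual grants exceed
    what the policy allows for their role.  Returns {subject: [excess...]}."""
    findings: Dict[str, list] = {}
    for subject, (role, granted) in grants.items():
        excess = set(granted) - policy.get(role, set())
        if excess:
            findings[subject] = sorted(excess)
    return findings


# Constructed snapshot of what accounts actually hold today (e.g. exported
# from a directory or application role table) for the review to check.
SAMPLE_GRANTS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("sales", {"contact"}),
    "bob": ("sales", {"contact", "consumer_report"}),        # drifted beyond need
    "carol": ("it_support", {"ssn"}),                        # admin holding data access
    "scan-svc": ("document_scanning_vendor", {"credit_application"}),
}


if __name__ == "__main__":
    sales = Principal("alice", "employee", role="sales")
    print("sales -> consumer_report (least privilege):",
          can_access(sales, "C-100", "consumer_report", LEAST_PRIVILEGE))
    print("sales -> consumer_report (overbroad):",
          can_access(sales, "C-100", "consumer_report", OVERBROAD))
    print("impersonated sales exposure:", exposure_if_impersonated("sales", OVERBROAD),
          "vs", exposure_if_impersonated("sales", LEAST_PRIVILEGE))
    print("review findings:", review_access(SAMPLE_GRANTS, LEAST_PRIVILEGE))
```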
As to the suggestion the Commission impose monitoring requirements
for access, that requirement exists in paragraph (c)(8). And as to the
suggestion the requirement is too vague as to service providers, the
Commission believes the Final Rule is clear: When a vendor accesses the
financial institution's data or information systems, the financial
institution must ensure appropriate access controls are in place.
Separately, under paragraph (f), the financial institution must
reasonably oversee the vendor's safeguards, which would necessarily
include access controls for the vendor's system.
Finally, as to the suggestion the provision is vague generally, as
discussed above, the Final Rule seeks to preserve flexibility in its
provisions, both so that financial institutions can design programs
appropriate for their systems and so that changes in technology or
security practices will not render the Rule obsolete. The Commission
believes maintaining less prescriptive requirements is the best way to
achieve the goal of flexibility and protecting customer
information.\143\
---------------------------------------------------------------------------
\143\ NPA expressed concern about the effect of the Rule on
pawnbrokers who the commenter stated are required by law to allow
law enforcement access to their physical records. National
Pawnbrokers Association (comment 32, NPRM), at 7. Nothing in the
Rule conflicts with any such requirements. Law enforcement
appropriately accessing customer information under a law that
requires that access would be considered authorized use under those
circumstances.
---------------------------------------------------------------------------
Accordingly, the Commission combines paragraphs (c)(1) and (3) from
the Proposed Rule into revised paragraph (c)(1) of the Final Rule,
which requires implementing and periodically reviewing access controls
on customer information, including technical and, as appropriate,
physical controls to (1) authenticate and permit access only to
authorized users to protect against the unauthorized acquisition of
customer information and (2) limit authorized users' access only to
customer information that they need to perform their duties and
functions, or, in the case of customers, to access their own
information.\144\
---------------------------------------------------------------------------
\144\ As noted above, the Commission is also changing the term
``authorized individuals'' to ``authorized users.''
---------------------------------------------------------------------------
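The two-pronged access control paragraph (c)(1) describes, modeled as an added example that is not part of the Final Rule or the Commission's text: authentication gates everything, customers see only their own record, other authorized users see only the categories their duties require, and a review routine flags grants no longer backed by current duties. The duties, information categories and records are constructed for illustration.

```python
"""Added example, not part of the Final Rule: a minimal model of the access
controls described in paragraph (c)(1). The duties, information categories
and records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Categories of customer information a record may contain (constructed).
CONTACT, ACCOUNT, SSN = "contact", "account", "ssn"

# Need-to-know map: a duty is granted only the categories it requires.
# Duties and mappings are hypothetical; a real program derives them from
# its own risk assessment.
NEED_TO_KNOW: Dict[str, FrozenSet[str]] = {
    "customer_service": frozenset({CONTACT, ACCOUNT}),
    "underwriting": frozenset({CONTACT, ACCOUNT, SSN}),
    "marketing": frozenset({CONTACT}),
    # A service provider that only moves ciphertext needs no field access.
    "backup_vendor": frozenset(),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    kind: str                        # "employee", "service_provider" or "customer"
    authenticated: bool = False      # set by the login flow, never taken from input
    duties: FrozenSet[str] = frozenset()
    customer_id: str = ""            # populated only when kind == "customer"


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    fields: Dict[str, str]           # category -> value


def permitted_categories(p: Principal, rec: CustomerRecord) -> FrozenSet[str]:
    """Prong 1: an unauthenticated principal is permitted nothing.
    Prong 2: a customer may see only its own record; any other authorized
    user is limited to the categories its duties require."""
    if not p.authenticated:
        return frozenset()
    if p.kind == "customer":
        return frozenset(rec.fields) if p.customer_id == rec.customer_id else frozenset()
    allowed: Set[str] = set()
    for duty in p.duties:
        allowed |= NEED_TO_KNOW.get(duty, frozenset())   # unknown duty grants nothing
    return frozenset(allowed)


def read_record(p: Principal, rec: CustomerRecord) -> Dict[str, str]:
    """Return only the fields the principal may see; an empty dict is a denial."""
    allowed = permitted_categories(p, rec)
    return {k: v for k, v in rec.fields.items() if k in allowed}


def review_grants(principals: List[Principal],
                  current_duties: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Periodic review: list (user_id, duty) grants no longer backed by the
    current roster, e.g. after a role change or an ended vendor engagement.
    A principal missing from the roster has every grant flagged."""
    stale: List[Tuple[str, str]] = []
    for p in principals:
        if p.kind == "customer":
            continue
        still_needed = current_duties.get(p.user_id, set())
        for duty in sorted(p.duties):
            if duty not in still_needed:
                stale.append((p.user_id, duty))
    return stale


if __name__ == "__main__":
    rec = CustomerRecord("C-1001", {CONTACT: "555-0100", ACCOUNT: "ACCT-42", SSN: "***-**-6789"})
    marketer = Principal("bob", "employee", True, frozenset({"marketing"}))
    print(read_record(marketer, rec))            # only the contact field
    owner = Principal("c1001", "customer", True, customer_id="C-1001")
    print(read_record(owner, rec))               # the customer's own full record
    print(review_grants([marketer], {"bob": {"customer_service"}}))  # [('bob', 'marketing')]
```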
System Inventory
In the NPRM, the Commission proposed to require the financial
institution to ``[i]dentify and manage the data, personnel, devices,
systems, and facilities that enable [the financial institution] to
achieve business purposes in accordance with their relative importance
to business objectives and [the financial institution's] risk
strategy.'' \145\ This requirement was designed to ensure the financial
institution inventoried the data in its possession, inventoried the
systems on which that data is collected, stored, or transmitted, and
had a full understanding of the relevant portions of its information
systems and their relative importance.\146\ The Commission retains this
provision in the Final Rule without modification.
---------------------------------------------------------------------------
\145\ Proposed 16 CFR 314.4(c)(2).
\146\ See, e.g., Complaint at 11, FTC v. Wyndham Worldwide
Corp., No. CV 2:12-cv-01365-SPL (D. Ariz. June 26, 2012) (alleging
company failed to provide reasonable security by, among other
things, failing to inventory computers connected to its network).
---------------------------------------------------------------------------
Commenters raised two general objections to this provision. First,
some commenters argued it was too vague and that it was not clear how
such an inventory should be conducted or what systems should be
included.\147\ The Commission believes the language provides effective
guidance while still allowing a variety of approaches by financial
institutions in identifying systems involved in their businesses. This
provision requires a financial institution to identify all ``data,
personnel, devices, systems, and facilities'' that are a part of its
business and to determine their importance to the financial
institution. This inventory of systems must include all systems that
are a part of the business so the financial institution can locate all
customer information it controls, the systems connected to that
information, and how they are connected. This inventory forms the basis
of an information security program because a system cannot be protected
if the financial institution does not understand its structure or know
what data is stored in its systems.
---------------------------------------------------------------------------
\147\ National Automobile Dealers Association (comment 46,
NPRM), at 23-24; American Financial Services Association (comment
41, NPRM), at 5; American Council on Education (comment 24, NPRM),
at 10.
---------------------------------------------------------------------------
Second, ACE suggested the scope of this provision should be limited
to systems ``directly related to the privacy and security of `customer
information.' '' \148\ The Commission declines to make this change
because the purpose of this provision is to allow financial
institutions to obtain a clear picture of their systems and to identify
where customer information is kept and how it can be accessed. An
inventory must examine all systems in order to identify all systems
that contain customer information or are connected to systems that do.
If a financial institution does not first examine all systems and
instead limits the inventory to systems it considers to be directly
related to security, it could give an incomplete picture of the
financial institution's systems and could result in some customer
information or ways to connect to that information being
overlooked.\149\
---------------------------------------------------------------------------
\148\ American Council on Education (comment 24, NPRM), at 10.
\149\ Another commenter criticized proposed paragraph (c)(2)
because some financial institutions ``have no control'' over which
networks they transmit customer information. National Pawnbrokers
Association (comment 32, NPRM), at 7. Paragraph (c)(2) does not
require a financial system to identify all networks over which it
may transmit customer information. See also, infra, this document's
discussion of NPA's comments on Sec. 314.4(f) of the Final Rule,
noting financial institutions are generally not required to oversee
other entities' service providers over which they have no control.
---------------------------------------------------------------------------
The Commission adopts paragraph (c)(2) of the Proposed Rule as
final, without modifications.
Access to Physical Location
Proposed paragraph (c)(3) would have required that financial
institutions restrict access to physical locations containing customer
information only to authorized individuals. The Final Rule combines
this section with proposed paragraph (c)(1) in order to eliminate
redundancy and clarify that access controls must consider both
electronic and physical access.
Encryption
Proposed paragraph (c)(4) required financial institutions to
encrypt all customer information, both in transit over external
networks and at rest. The Proposed Rule allowed financial institutions
to use alternative means to protect customer information, subject to
review and approval by the financial institution's Qualified
Individual.
Several commenters supported the inclusion of an encryption
requirement.\150\ In fact, some suggested
[[Page 70287]]
the Proposed Rule did not go far enough in requiring encryption. Inpher
suggested the Rule should require encryption of customer information
when in use, in addition to when in transit or at rest.\151\ The
Princeton Center suggested requiring encryption of data while in
transit over internal networks, in addition to requiring it for
external networks, noting the blurring of the distinction between
internal and external networks.\152\
---------------------------------------------------------------------------
\150\ Inpher, Inc. (comment 50, NPRM), at 4; Princeton
University Center for Information Technology Policy (comment 54,
NPRM), at 3; Electronic Privacy Information Center (comment 55,
NPRM), at 8; National Consumer Law Center and others (comment 58,
NPRM), at 3.
\151\ Inpher, Inc. (comment 50, NPRM), at 4.
\152\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 3.
---------------------------------------------------------------------------
In contrast, others argued encryption could be too expensive and
technically challenging for some financial institutions and should not
be required in all cases.\153\ Indeed, GPA argued the Rule should not
require encryption at all, financial institutions should be free to
adopt other protective measures for customer information, and the Rule
should allow financial institutions to ``determine the controls that
are most appropriate for protecting the sensitive information that they
handle.'' \154\ Similarly, some commenters argued financial
institutions should be required to encrypt customer information only
when the risk to the customer information justifies it.\155\ Others
suggested encryption in more limited circumstances, such as on systems
``to which unauthorized individuals may have access,'' \156\ for
sensitive data,\157\ or for data in transit.\158\ The Mortgage Bankers
Association argued encryption at rest is unnecessary because customer
information at rest in a financial institution's system is sufficiently
protected by controlling access to the system.\159\ Two commenters
stated guidelines issued by the Federal Financial Institutions
Examination Council (FFIEC) do not require most banks to encrypt data
at rest, unless the institution's risk assessment indicates such
encryption is necessary.\160\
---------------------------------------------------------------------------
\153\ National Pawnbrokers Association (comment 32, NPRM), at 3;
U.S. Chamber of Commerce (comment 33, NPRM), at 11; CTIA (comment
34, NPRM) at 10; Wisconsin Bankers Association (comment 37, NPRM),
at 2.
\154\ Global Privacy Alliance (comment 38, NPRM), at 7-8.
\155\ Bank Policy Institute (comment 39, NPRM), at 14; Mortgage
Bankers Association (comment 26, NPRM), at 6; Global Privacy
Alliance (comment 38, NPRM), at 7-8.
\156\ Bank Policy Institute (comment 39, NPRM), at 14.
\157\ U.S. Chamber of Commerce (comment 33, NPRM), at 11;
American Financial Services Association (comment 41, NPRM), at 5;
ACA International (comment 45, NPRM), at 13; CTIA (comment 34,
NPRM), at 10.
\158\ Mortgage Bankers Association (comment 26, NPRM), at 6;
Wisconsin Bankers Association (comment 37, NPRM), at 2; American
Financial Services Association (comment 41, NPRM), at 5; Ken
Shaurette (comment 19, NPRM), (suggesting the Commission consider
whether ``databases, applications and operating systems are prepared
to fully support full encryption without significant performance
impact or ability to continue to function.''); National Automobile
Dealers Association (comment 46, NPRM), at 25-26 (arguing the terms
``at rest'' and ``in transit'' are unclear).
\159\ Mortgage Bankers Association (comment 26, NPRM), at 6.
\160\ Wisconsin Bankers Association (comment 37, NPRM), at 2
(discussing FFIEC Information Technology Booklet); American
Financial Services Association (comment 41, NPRM), at 5 (discussing
FFIEC Cybersecurity Assessment Tool).
---------------------------------------------------------------------------
The Commission declines to modify the encryption requirement from
the Proposed Rule. As to the comments that suggest the requirement
should be relaxed, the Commission notes there are numerous free or low
cost encryption solutions available to financial institutions,
particularly for data in transit,\161\ that make encryption a feasible
solution in most situations. For data at rest, encryption is now
cheaper, more flexible, and easier than ever before.\162\ In many
cases, widely used software and hardware have built-in encryption
capabilities.\163\
---------------------------------------------------------------------------
\161\ See Remarks of Matthew Green, Safeguards Workshop Tr.,
supra note 17, at 225 (noting website usage of encryption is above
80 percent; ``Let's Encrypt'' provides free TLS certificates; and
costs have gone down to the point that if a financial institution is
not using TLS encryption for data in motion, it is making an unusual
decision outside the norm); Remarks of Rocio Baeza, Safeguards
Workshop Tr., supra note 17, at 106 (``[T]he encryption of data in
transit has been standard. There's no pushback with that.''); see
also National Pawnbrokers Association (comment 3, Workshop), at 2
(``[I]n states that allow us to use technology for the receipt of
information from consumer customers and software to print our pawn
tickets and store information, we believe our members have access
through their software providers to protections that comply with the
Safeguards Rule.'').
\162\ See Remarks of Wendy Nather, Safeguards Workshop Tr.,
supra note 17, at 267 (``we have a lot more options, a lot more
technologies today than we did before that are making both of these
solutions, both encryption and MFA, easier to use, more flexible, in
some cases cheaper, and we should be encouraging their adoption
wherever possible.''); Remarks of Matthew Green, Safeguards Workshop
Tr., supra note 17, at 265-66 (``I think that we're in a great time
when we've reached the point where we can actually mandate that
encryption be used. I mean, years ago--I've been in this field for
15, you know, 20 years now, I guess. And, you know, encryption used
to be this exotic thing that was very, very difficult to use, very
expensive and not really feasible for securing information security
systems. And we've reached the point where now it is something
that's come to be and we can actually build well. So I'm really
happy about that.'').
\163\ See Remarks of Randy Marchany, Safeguards Workshop Tr.,
supra note 17, at 229-30 (noting encryption is already built into
the Microsoft Office environment and a number of Microsoft products,
such as Spreadsheets, Excel, Docs, and PowerPoint, support that
encryption feature). Other applications that have encryption built
in include database applications; app platforms iOS and Android; and
development frameworks for web applications on banking sites.
---------------------------------------------------------------------------
In response to the argument that the Rule should not require
encryption at rest because FFIEC guidelines do not require it, the
Commission notes the Safeguards Rule is very different from the
guidelines issued by the FFIEC. The depository financial institutions
regulated by the banking agencies are subject to regular examinations
by their regulator. The guidelines created by the FFIEC are designed to
be used by the examiner, as part of those examinations, to evaluate the
security of the financial institution; the examiner thus has a direct
role in regularly verifying the financial institution has taken
appropriate steps to protect its customer information. In contrast, the
Safeguards Rule regulates covered financial institutions directly and
must be usable by those entities to determine appropriate information
security without any interaction between the financial institution and
the Commission. The Commission does not have the ability to examine
each financial institution and work with that institution to ensure
their information security is appropriate. Therefore, a requirement
that institutions encrypt information by default is appropriate for the
Safeguards Rule, as the Commission believes encryption of customer
information at rest is appropriate in most cases.
Finally, while some commenters suggested eliminating the encryption
requirement for certain types of data (e.g., non-sensitive) or certain
categories of data (e.g., data at rest), the Commission notes, as
discussed in more detail above, the fact that an individual is a
customer of a financial institution alone may be sensitive. In any
event, the Rule provides financial institutions with flexibility to
adopt alternatives to encryption with the approval of the Qualified
Individual.
Similarly, the Commission declines to extend the encryption
requirement to data in use or to data transmitted over internal
networks, as some commenters suggested. The Commission does not believe
the technology that would encrypt data while in use (as opposed to in
transit or at rest) has been adopted widely enough at this time to
justify mandating its use by all financial institutions under the FTC's
jurisdiction. As to encryption of data transmitted over internal
networks, the Commission acknowledges, due to changes in network design
and the growth of cloud and mobile computing, the distinction between
internal and external networks is less clear than it once was. However,
the Commission believes requiring all financial institutions to encrypt
all communications over internal networks would be unduly burdensome at
this
[[Page 70288]]
time. There remain significant costs and technical hurdles to
encrypting transmissions on internal networks that would not be
reasonable to impose on all financial institutions, especially smaller
institutions with simpler systems that might realize less benefit from
this approach. While the Commission encourages financial institutions
to consider whether it would be appropriate for them to encrypt the
transmission of customer information over internal networks, it
declines to require this for all financial institutions.\164\
---------------------------------------------------------------------------
\164\ The Commission believes transmissions of customer
information to remote users or to cloud service providers should be
treated as external transmissions, as those transmissions are sent
out of the financial institution's systems.
---------------------------------------------------------------------------
Commenters pointed to three additional concerns about encryption,
none of which the Commission finds persuasive. First, the Bank Policy
Institute commented the encryption requirement would in fact weaken
security by blocking surveillance of the information by the financial
institution and requiring the ``broad distribution'' of encryption
keys.\165\ The Commission does not believe an encryption requirement
would weaken security. Encryption is almost universally recommended by
security experts and included in most security standards.\166\ Further,
new tools have been developed to address the issue the Bank Policy
Institute has raised. Many financial institutions have monitoring tools
on the edge of their networks to monitor data leaving the network. It
used to be the case these network monitoring tools could not see the
content of encrypted data as it left the corporate network and was
transmitted to the internet. However, there are now tools available
that can see the data as it departs the network, even if the data is
encrypted.\167\ Any marginal security costs of encryption are far
outweighed by the benefits of rendering customer information
unreadable.
---------------------------------------------------------------------------
\165\ Bank Policy Institute (comment 39, NPRM), at 13-14.
\166\ See, e.g., Payment Card Industry (PCI) Data Security
Standard Requirements and Security Assessment Procedures Version
3.2.1, PCI Security Standards Council (May 2018), https://www.pcisecuritystandards.org/document_library (last accessed 30 Nov.
2020) (Requirement 4 encrypt transmission of cardholder data across
open, public networks).
\167\ See, e.g., Encrypted Traffic Management, Broadcom Inc.,
https://www.broadcom.com/products/cyber-security/network/encrypted-traffic-management (last accessed 30 Nov. 2020); SSL Visibility, F5,
Inc., https://www.f5.com/solutions/application-security/ssl-visibility (last accessed 30 Nov. 2020).
---------------------------------------------------------------------------
Second, some commenters argued financial institutions should be
able to implement alternatives to encryption without obtaining approval
from the Qualified Individual.\168\ The New York Insurance Association
expressed concern financial institutions might feel they need to
encrypt all customer information because of the risk that the
alternative controls approved by the Qualified Individual would be
``second guessed'' in the event unencrypted data is compromised.\169\
The Commission, however, believes this concern is a core element of
information security based on risk assessment. Every aspect of an
information security program is based on the judgment of the financial
institution and its staff. The Qualified Individual's decision
concerning alternate controls, like other decisions by the financial
institution and its staff, will be subject to review in any enforcement
action to determine whether the decision was appropriate. If the
Qualified Individual is not required to make a formal decision, it is
much more likely a decision not to encrypt information will be made
even if there is no compensating control, or even made without the
Qualified Individual's knowledge.
---------------------------------------------------------------------------
\168\ Bank Policy Institute (comment 39, NPRM), at 14; New York
Insurance Association (comment 31, NPRM), at 1.
\169\ New York Insurance Association (comment 31, NPRM), at 1.
---------------------------------------------------------------------------
Third, the National Pawnbrokers Association (``NPA'') expressed
concern that if pawnbrokers are required to encrypt customer
information they may fall out of compliance with state and local
regulations concerning transaction reporting.\170\ NPA stated
pawnbrokers are often required by state or local law to report every
pawn transaction, along with nonpublic personally identifiable consumer
information, to law enforcement, and the agencies that receive this
information ``prefer to take this information electronically and in
unencrypted forms.'' \171\ The Commission believes if transmitting the
information in unencrypted form is a preference of the agencies and not
a requirement, then pawnbrokers can comply with both the Safeguards
Rule and these laws by encrypting any transmissions that include
customer information. If there are cases where a required transmission
of customer information cannot be encrypted for technical reasons, then
the pawnbroker's Qualified Individual will need to work with the law
enforcement agency to implement alternative compensating controls to
ensure the customer information remains secure during these
transmissions.\172\
---------------------------------------------------------------------------
\170\ National Pawnbrokers Association (comment 3, Workshop), at
2-3.
\171\ Id. at 2.
\172\ NADA suggested it is not clear how the encryption
requirement will apply to customer information held on a service
provider's system or on the systems of the subcontractors of the
service provider. National Automobile Dealers Association (comment
46, NPRM), at 21-22. The Commission believes the Final Rule lays out
a financial institution's obligations in this situation: It requires
customer information be encrypted unless infeasible. Section
314.4(e), in turn, requires financial institutions to require
service providers to implement and maintain appropriate safeguards
by contract and to periodically assess the continued adequacy of
those measures. A financial institution that uses a service provider
to store and process customer information must require that service
provider to encrypt that information and periodically determine
whether it continues to do so. If it is infeasible for the service
provider to meet these requirements then the financial institution's
Qualified Individual must work with the service provider to develop
compensating controls or cease doing business with the service
provider.
---------------------------------------------------------------------------
The Final Rule adopts this paragraph as paragraph (c)(3) without
revision.
Secure Development Practices
Proposed paragraph (c)(5) required financial institutions to
``[a]dopt secure development practices for in-house developed
applications utilized'' for ``transmitting, accessing, or storing
customer information.'' In this paragraph, the Commission proposed
requiring financial institutions to address the security of software
they develop to handle customer information, as distinct from the
security of their networks that contain customer information.\173\ In
addition, the Proposed Rule required ``procedures for evaluating,
assessing, or testing the security of externally developed applications
[financial institutions] utilize to transmit, access, or store customer
information.'' This provision required financial institutions to take
steps to verify that applications they use to handle customer
information are secure.\174\
---------------------------------------------------------------------------
\173\ See, e.g., Complaint, FTC v. D-Link Systems, Inc., No.
3:17-CV-00039-JD (N.D. Cal. March 20, 2017) (alleging company failed
to provide reasonable security when it failed to adequately test the
software on its devices).
\174\ See, e.g., Complaint, Lenovo, FTC No. 152-3134 (January 2,
2018) (alleging company failed to provide reasonable security by
failing to properly assess and address security risks caused by
third-party software).
---------------------------------------------------------------------------
Some commenters argued evaluating the security of externally
developed software would be too expensive or impractical for some
financial institutions,\175\ while others raised different concerns.
The American Council on Education suggested, in cases in which a
financial institution cannot obtain access to a software provider's
code or technical
[[Page 70289]]
infrastructure, then evaluating the security of its software is
infeasible.\176\ NADA further suggested in order to evaluate the
security of software, financial institutions would need to hire an
expensive IT professional.\177\
---------------------------------------------------------------------------
\175\ American Council on Education (comment 24, NPRM), at 11;
National Automobile Dealers Association (comment 46, NPRM), at 26-
27.
\176\ American Council on Education (comment 24, NPRM), at 11.
\177\ National Automobile Dealers Association (comment 46,
NPRM), at 26-27.
---------------------------------------------------------------------------
The Commission does not agree with these assertions. Evaluating the
security of software does not require access to the source code of that
software or access to the provider's infrastructure. For example, a
provider can supply the steps it took to ensure the software was
secure, whether it uses encryption to transmit information, and the
results of any testing it conducted. In addition, there are third party
services that assess software. An institution can also set up automated
searches regarding vulnerabilities, patches, and updates to software
listed on the financial institution's inventory. The exact nature of
the evaluation required will depend on the size of the financial
institution and the amount and sensitivity of customer information
associated with the software. If the software will be used to handle
large amounts of extremely sensitive information, then a more thorough
evaluation will be warranted. Likewise, the nature of the software used
will also affect the evaluation. Software that has been thoroughly
tested by third parties may need little more than a review of the test
results, while software that has not been widely used and tested will
require closer examination.
The Commission adopts proposed paragraph (c)(5) as paragraph (c)(4)
of the Final Rule.
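One way to carry out the automated vulnerability, patch and update checks the discussion above describes, driven by the (c)(2) inventory and with review depth scaled to sensitivity, as an added example that is not part of the Final Rule or the Commission's text. Every product, version and advisory in it is constructed, and versions are assumed to be dotted integers.

```python
"""Added example, not part of the Final Rule: cross-checking the applications
listed in a (c)(2) inventory against vulnerability advisories and scaling the
depth of review to sensitivity, as the discussion of paragraph (c)(4) describes.
All products, versions and advisories below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InventoryItem:
    name: str                  # externally developed application, as inventoried
    version: str               # installed version; dotted integer form assumed
    sensitivity: str           # "low", "moderate" or "high": customer information handled
    third_party_tested: bool   # independent test results on file for this version


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str              # first version that carries the fix
    summary: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically so that 1.10 sorts after 1.9 (dotted integers assumed)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(item: InventoryItem, adv: Advisory) -> bool:
    """An item is affected when it is the advised product and runs below the fixed version."""
    return (item.name.casefold() == adv.product.casefold()
            and parse_version(item.version) < parse_version(adv.fixed_in))


def required_evaluation(item: InventoryItem) -> str:
    """Depth of review proportional to the information handled and to prior testing."""
    if item.sensitivity == "high":
        return "full assessment"
    if item.third_party_tested:
        return "review third-party test results"
    return "targeted assessment"


def check_inventory(items: List[InventoryItem], advisories: List[Advisory]) -> List[Dict]:
    """Return one finding per inventoried application: the advisories whose fix
    is not yet installed and the evaluation level owed for that application."""
    findings: List[Dict] = []
    for item in items:
        hits = [a.summary for a in advisories if is_affected(item, a)]
        findings.append({
            "name": item.name,
            "version": item.version,
            "outstanding_advisories": hits,
            "evaluation": required_evaluation(item),
        })
    return findings


def needs_patching(findings: List[Dict]) -> List[str]:
    """Names of applications with at least one unpatched advisory."""
    return [f["name"] for f in findings if f["outstanding_advisories"]]


if __name__ == "__main__":
    # Constructed inventory and advisory feed for a stand-alone run.
    inventory = [
        InventoryItem("LoanDesk", "2.3.0", "high", False),
        InventoryItem("MailMerge", "1.10.2", "low", True),
        InventoryItem("WebPortal", "5.0.1", "moderate", False),
    ]
    feed = [
        Advisory("LoanDesk", "2.3.5", "constructed advisory A"),
        Advisory("MailMerge", "1.9.0", "constructed advisory B"),
    ]
    for finding in check_inventory(inventory, feed):
        print(finding)
    print(needs_patching(check_inventory(inventory, feed)))   # ['LoanDesk']
```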
Multi-Factor Authentication
Proposed paragraph (c)(6) required financial institutions to
``implement multi-factor authentication for any individual accessing
customer information'' or ``internal networks that contain customer
information.'' \178\ The Proposed Rule would have allowed financial
institutions to adopt a method other than multi-factor authentication
that offers reasonably equivalent or more secure access controls with
the written permission of its Qualified Individual. In the Final Rule,
the Commission retains the general requirements of proposed paragraph
(c)(6) as paragraph (c)(5), with some modifications described below.
---------------------------------------------------------------------------
\178\ Proposed 16 CFR 314.4(c)(6).
---------------------------------------------------------------------------
Although several commenters expressed support for including a
multi-factor authentication requirement in the Final Rule,\179\ others
opposed such a requirement. For example, ACE argued a blanket
requirement mandating multi-factor authentication for all institutions
of all sizes and complexities is not the best solution.\180\ The
National Independent Automobile Dealers Association (NIADA) commented
the costs of multi-factor authentication would be too high for some
financial institutions because it would need to be built into their
information systems from scratch.\181\ NIADA also argued adopting
multi-factor authentication would disrupt a financial institution's
activities as employees had to ``jump through multiple hoops to log
in.'' \182\ Cisco Systems, Inc. argued that while multi-factor
authentication is an effective safeguard, it should not be specifically
required by the Rule because, while it is currently good security
practice, in the future multi-factor authentication may become
outdated, and that allowing financial institutions to satisfy the Rule
in this way could result in inadequate protection.\183\
---------------------------------------------------------------------------
\179\ Justine Bykowski (comment 12, NPRM); Princeton University
Center for Information Technology Policy (comment 54, NPRM), at 6-7;
Electronic Privacy Information Center (comment 55, NPRM), at 8;
National Consumer Law Center and others (comment 58, NPRM), at 2;
see also Remarks of Wendy Nather, Safeguards Workshop Tr., supra
note 17, at 240-41 (discussing the security poverty line).
\180\ American Council on Education (comment 24, NPRM), at 11-
12.
\181\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 6; see also Ken Shaurette (comment 19, NPRM)
(questioning whether multi-factor authentication is appropriate for
all financial institutions).
\182\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 6.
\183\ Cisco Systems, Inc. (comment 51, NPRM), at 2-4.
---------------------------------------------------------------------------
Other commenters did not dispute the benefits of multi-factor
authentication generally, but argued the Rule should limit the multi-
factor authentication requirement. Some of these commenters stated the
Rule should only require multi-factor authentication when the financial
institution's risk assessment justifies it.\184\ Others argued there
should be a distinction between internal access and external access.
For example, some commenters argued the Rule should not require multi-
factor authentication when a user accesses customer information from an
internal network,\185\ because there are other controls on internal
access that make multi-factor authentication unnecessary.\186\ Another
commenter stated requiring multi-factor authentication when a customer
accesses their information from an external network could create
problems for some institutions.\187\ Finally, the Princeton Center
argued the Rule should be amended to clarify that multi-factor
authentication should be required for internal and external
networks.\188\
---------------------------------------------------------------------------
\184\ Bank Policy Institute (comment 39, NPRM), at 11-13; Global
Privacy Alliance (comment 38, NPRM), at 8.
\185\ Electronic Transactions Association (comment 27, NPRM), at
3 n.1; U.S. Chamber of Commerce (comment 33, NPRM), at 11; CTIA
(comment 34, NPRM), at 11; Global Privacy Alliance (comment 38,
NPRM), at 8; Bank Policy Institute (comment 39, NPRM), at 12;
National Automobile Dealers Association (comment 46, NPRM), at 28;
National Independent Automobile Dealers Association (comment 48,
NPRM), at 6; New York Insurance Association (comment 31, NPRM), at
1.
\186\ CTIA (comment 34, NPRM), at 11; Electronic Transactions
Association (comment 27, NPRM), at 3 n.1; U.S. Chamber of Commerce
(comment 33, NPRM), at 11.
\187\ American Council on Education (comment 24, NPRM), at 11.
\188\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 6-7; see also Remarks of Brian
McManamon, Safeguards Workshop Tr., supra note 17, at 102 (stating
his company TECH LOCK supports requiring multi-factor authentication
for users connecting from internal networks).
---------------------------------------------------------------------------
Finally, CTIA took issue with the proposed requirement that the
Qualified Individual be permitted to approve ``reasonably equivalent or
more secure'' controls if multi-factor authentication is not feasible,
suggesting instead that Qualified Individuals be permitted to approve
``effective alternative compensating controls.'' \189\
---------------------------------------------------------------------------
\189\ CTIA (comment 34, NPRM), at 11-12; see also Electronic
Transactions Association (comment 27, NPRM), at 3 (suggesting use of
the term ``alternative compensating controls'').
---------------------------------------------------------------------------
The Commission disagrees with the commenters who stated the Rule
should not include a multi-factor authentication requirement. As to
costs, many affordable multi-factor authentication solutions are
available in the marketplace.\190\ Most financial institutions will be
able to find a solution that is both affordable and workable for their
organization. In the cases when that is not possible, the
[[Page 70290]]
Rule allows financial institutions to adopt reasonably equivalent
controls.\191\
---------------------------------------------------------------------------
\190\ See, e.g., Slides Accompanying Remarks of Brian McManamon,
``MFA/2FA Pricing (Duo),'' in Safeguards Workshop Slides, supra note
72, at 30 (setting forth prices for multi-factor/two-factor services
from Duo, including free services for up to ten users); Remarks of
Brian McManamon, Safeguards Workshop Tr., supra note 17, at 102-03;
Slides Accompanying Remarks of Lee Waters, ``Estimated Costs of
Proposed Changes,'' in Safeguards Workshop Slides, supra note 72, at
26 (estimating costs of MFA to be $50 for smartcard or fingerprint
readers, and $10 each per smartcard); Slides Accompanying Remarks of
Wendy Nather, ``Authentication Methods by Industry,'' in Safeguards
Workshop Slides, supra note 72, at 37 (chart showing the use of MFA
solutions such as Duo Push, phone call, mobile passcode, SMS
passcode, hardware token, Yubikey passcode, and U2F token in
industries such as financial services and higher education); Remarks
of Wendy Nather, Safeguards Workshop Tr., supra note 17, at 233-34.
\191\ See also Remarks of James Crifasi, Safeguards Workshop
Tr., supra note 17, at 103-04 (noting even where legacy systems do
not support multi-factor authentication, alternative measures can be
used and ``it's things that can easily be done.'').
---------------------------------------------------------------------------
As to the potential disruptions that requiring multi-factor
authentication may cause, the Commission notes that many organizations,
both financial institutions and otherwise, currently require employees
to use multi-factor authentication without major disruption.\192\ Many multi-factor
authentication systems are available that do not materially increase
the time it takes to log into a system as compared to the use of only a
password.\193\ In short, multi-factor authentication is an extremely
effective way to prevent unauthorized access to a financial
institution's information system,\194\ and its benefits generally
outweigh any increased time it takes to log into a system. In those
situations when the need for quick access outweighs the security
benefits of multi-factor authentication, the Rule allows the use of
reasonably equivalent controls.
---------------------------------------------------------------------------
\192\ See, e.g., Remarks of Randy Marchany, Safeguards Workshop
Tr., supra note 17, at 236-38 (describing how Virginia Tech
implemented multi-factor authentication in 2016 for its more than
156,000 users); Slides Accompanying Remarks of Wendy Nather,
``Authentication Methods by Industry,'' in Safeguards Workshop
Slides, supra note 72, at 37 (demonstrating the types of multi-factor
authentication used by health care, financial services, higher
education and the Federal Government); Remarks of Wendy Nather,
Safeguards Workshop Tr., supra note 17, at 233-35.
\193\ See Remarks of Wendy Nather, Safeguards Workshop Tr.,
supra note 17, at 234 (describing how a phone call to a landline is
popular in some segments).
\194\ See, e.g., Remarks of Matthew Green, Safeguards Workshop
Tr., supra note 17, at 266 (explaining passwords are not enough of
an authentication feature but when MFA is used and deployed, the
defenders can win against attackers); id. at 239 (describing how
because smart phones have modern secure hardware processors,
biometric sensors and readers built in, increasingly consumers can
get the security they need through the devices they already have by
storing cryptographic authentication keys on the devices and then
using the phone to activate them).
---------------------------------------------------------------------------
Finally, although the Commission agrees the Rule should not lock
financial institutions into using outmoded or obsolete technologies,
the basic structure of using multiple factors to identify a user is
unlikely to be rendered obsolete in the near future. The Rule's
definition of multi-factor authentication addresses only this principle
and does not require any particular technology or technique to achieve
it. This should allow it to accommodate most changes in information
security practices. In the event of an unforeseen change to the
information security environment that would discount the value of
multi-factor authentication, the Commission will adjust the Rule
accordingly.\195\
---------------------------------------------------------------------------
\195\ The Mortgage Bankers Association expressed concern the
Proposed Rule would not allow the use of a single-sign on process,
where a user is given access to multiple applications with the use
of one set of credentials. Mortgage Bankers Association (comment 26,
NPRM), at 7. The Commission does not view the Rule as preventing
such a system, if the user has used multi-factor authentication to
access the system and the system is designed to ensure any user of a
given application has been subjected to multi-factor authentication.
---------------------------------------------------------------------------
The Commission agrees with the commenter who stated multi-factor
authentication is justified both when external users, such as
customers, and internal users, such as employees, access an information
system. Multi-factor authentication can prevent many attacks that use
stolen passwords, whether those of employees or of customers, to access
customer information. Other common attacks on information systems, such
as social engineering or brute force password attacks, target employee
credentials and use those credentials to get access to an information
system.\196\ These attacks can usually be stopped through the use of
multi-factor authentication. Accordingly, the Final Rule requires
multi-factor authentication whenever any individual--employee, customer
or otherwise--accesses an information system. If a financial
institution determines it is not the best solution for its information
system, it may adopt reasonably equivalent controls with the approval
of the Qualified Individual.
---------------------------------------------------------------------------
\196\ See Remarks of Pablo Molina, Safeguards Workshop Tr.,
supra note 17, at 30 (mentioning ``phishing,'' or social
engineering, as a common type of cybersecurity attack); Remarks of
Lee Waters, Safeguards Workshop, supra note 17, at 91 (same);
Remarks of Michele Norin, Safeguards Workshop Tr., supra note 17, at
179 (same); see also Cyber Div., Fed. Bureau of Investigation,
Private Industry Notification No. 20200303-001, Cyber Criminals
Conduct Business Email Compromise through Exploitation of Cloud-
Based Email Services, Costing U.S. Businesses Over Two Billion
Dollars, (March 2020), https://www.ic3.gov/media/news/2020/200707-4.pdf, at 1-2, (last accessed 1 Dec. 2020) (``Between January 2014
and October 2019, the Internet Crime Complaint Center (IC3) received
complaints totaling over $2.1 billion in actual losses from
[Business Email Compromise (``BEC'')] scams targeting the largest
[cloud-based email] platforms. Losses from BEC scams overall have
increased every year since IC3 began tracking the scam in 2013 and
have been reported in all 50 states and in 177 countries.'').
---------------------------------------------------------------------------
The Commission recognizes the language of the Proposed Rule may
have created some confusion by its use of the term ``internal
networks'' to define the systems affected by the multi-factor
authentication requirement, instead of the term ``information systems''
as used elsewhere in the Rule.\197\ In addition, the Commission
agrees with commenters that argued separating the multi-factor
authentication into two sentences created confusion.\198\ Accordingly,
the Commission modifies paragraph (c)(5) of the Final Rule, which was
proposed as paragraph (c)(6), to require financial institutions to
``[i]mplement multi-factor authentication for any individual accessing
any information system, unless your Qualified Individual has approved
in writing the use of reasonably equivalent or more secure access
controls.''
---------------------------------------------------------------------------
\197\ Consumer Data Industry Association (comment 36, NPRM), at
6-7; Cisco Systems, Inc. (comment 51, NPRM), at 3-4.
\198\ Bank Policy Institute (comment 39, NPRM), at 11.
---------------------------------------------------------------------------
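As an added illustration (not text from the Rule, the Commission or any commenter), the following Python models how an access gate could satisfy paragraph (c)(5) as quoted above: every session must prove multi-factor authentication unless the system has a written Qualified Individual approval of a reasonably equivalent control, and, per the single-sign-on reading in footnote 195, one MFA-backed session may be reused across applications. The factor-category table, the 12-hour session limit and all system, user and method names are constructed assumptions.

```python
"""Access gate for Final Rule paragraph (c)(5): any individual accessing
any information system must have completed multi-factor authentication
unless the Qualified Individual has approved, in writing, reasonably
equivalent or more secure controls for that system.  Also models the
single-sign-on reading in footnote 195: one MFA login may be reused
across applications, provided the SSO session itself proves MFA.

Added example; systems, users, method names and limits are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed mapping of authentication methods to factor categories
# (knowledge / possession / inherence).  Two *distinct* categories are
# needed; two methods from one category (password + PIN) are not MFA.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "totp": "possession", "push": "possession", "hardware_key": "possession",
    "fingerprint": "inherence",
}

# Assumed maximum age of an SSO session before re-authentication is demanded.
MAX_SESSION_AGE = timedelta(hours=12)


@dataclass(frozen=True)
class Session:
    """What the SSO identity provider asserted at login time."""
    user: str
    factors: frozenset          # methods completed, e.g. {"password", "totp"}
    authenticated_at: datetime


@dataclass(frozen=True)
class Approval:
    """A Qualified Individual's approval of an alternative control."""
    system: str
    approved_by: str
    in_writing: bool            # the Rule requires the approval to be written
    control: str                # description of the equivalent control


def is_multi_factor(factors) -> bool:
    """True when the completed methods span at least two factor categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


class AccessGate:
    """Decides whether a session may reach a given information system."""

    def __init__(self, approvals=()):
        # Only written approvals count; unwritten ones are dropped on purpose.
        self.approvals = {a.system: a for a in approvals if a.in_writing}

    def authorize(self, session: Session, system: str, now: datetime):
        """Return (allowed, reason).  Never raises on a bad session."""
        if session.authenticated_at > now:
            return False, "session timestamp is in the future"
        if now - session.authenticated_at > MAX_SESSION_AGE:
            return False, "session expired; re-authenticate"
        if is_multi_factor(session.factors):
            # SSO case: the same MFA-backed session is valid for any application.
            return True, "multi-factor authentication completed"
        approval = self.approvals.get(system)
        if approval is not None:
            return True, (f"equivalent control '{approval.control}' approved "
                          f"in writing by {approval.approved_by}")
        return False, "multi-factor authentication required for this system"


def demo():
    """Run the gate over constructed sessions; returns a name -> decision map."""
    now = datetime(2022, 12, 9, 9, 0, tzinfo=timezone.utc)
    gate = AccessGate([
        Approval("legacy-mainframe", "qi@example.test", True, "jump host with hardware key"),
        Approval("hr-portal", "qi@example.test", False, "verbal OK"),   # not written
    ])
    mfa = Session("alice", frozenset({"password", "totp"}), now - timedelta(minutes=5))
    pwd = Session("bob", frozenset({"password", "pin"}), now - timedelta(minutes=5))
    return {
        "mfa_crm": gate.authorize(mfa, "crm", now),
        "mfa_loans_sso_reuse": gate.authorize(mfa, "loan-origination", now),
        "pwd_crm": gate.authorize(pwd, "crm", now),
        "pwd_legacy_written_approval": gate.authorize(pwd, "legacy-mainframe", now),
        "pwd_hr_unwritten_approval": gate.authorize(pwd, "hr-portal", now),
        "stale_mfa": gate.authorize(
            Session("alice", mfa.factors, now - timedelta(days=1)), "crm", now),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY':5s} {why}")
```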
Finally, the Commission declines to adopt CTIA's proposed
alternative that would allow Qualified Individuals to approve
``effective alternative compensating controls,'' even if they are not
``reasonably equivalent or more secure'' than multi-factor
authentication. Given the important role multi-factor authentication
has in access control, any alternative measure should provide at least
as much protection as multi-factor authentication.\199\
---------------------------------------------------------------------------
\199\ NADA argued, for financial institutions that have
appointed a third party to act as their information security
coordinator, this provision would require the institution to turn
over decisionmaking to someone ``with no stake in the business
outcome.'' National Automobile Dealers Association (comment 46,
NPRM), at 29-30. This concern misinterprets the role of the
Qualified Individual. Whether the Qualified Individual is inside the
company or at a third-party company, that individual will report to
and be supervised by senior management of a financial institution
(unless the Qualified Individual is the head of the financial
institution). If a Qualified Individual recommends a safeguard that
would not be practical for the business, the financial institution
is not required to adopt this safeguard but can use an alternative
adequate safeguard that will be functional. Indeed, when it comes to
third parties, the Rule specifically requires someone in the
financial institution direct and oversee the third party.
---------------------------------------------------------------------------
Audit Trails
Proposed paragraph (c)(7) required information security programs to
include audit trails designed to detect and respond to security
events.\200\ Audit trails are chronological logs that show who has
accessed an information system and what activities the user engaged in
during a given period.\201\
---------------------------------------------------------------------------
\200\ Proposed 16 CFR 314.4(c)(7).
\201\ See Information Technology Laboratory Computer Security
Resource Center, Glossary, National Institute of Standards and
Technology, https://csrc.nist.gov/glossary/term/audit-trail (last
accessed Dec. 2, 2020).
---------------------------------------------------------------------------
Some commenters supported this requirement.\202\ The Princeton
Center noted audit trails are ``crucial to designing effective security
measures
[[Page 70291]]
that allow institutions to detect and respond to security incidents.''
\203\ It also stated audit trails ``help understand who has accessed
the system and what activities the user has engaged in.'' \204\
---------------------------------------------------------------------------
\202\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 8; Electronic Privacy Information
Center (comment 55, NPRM), at 8.
\203\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 8.
\204\ Id.
---------------------------------------------------------------------------
Other commenters argued this requirement imposed unclear
obligations or would not improve security.\205\ For example, GPA
commented the Proposed Rule conflated the use of logs to reconstruct
past events and the active use of logs to monitor user activity.\206\
The American Financial Services Association argued adding logging
capabilities to some legacy systems would be expensive and
difficult.\207\ Another commenter argued the increased use of cloud
storage would mean that financial institutions might not have access to
any audit trails.\208\ In addition, NADA argued it did not believe
maintenance of logs would increase security but would instead create
records that could be sought by parties ``seeking to place blame'' for
breaches.\209\
---------------------------------------------------------------------------
\205\ National Automobile Dealers Association (comment 46,
NPRM), at 30-31; National Independent Automobile Dealers Association
(comment 48, NPRM), at 6; American Financial Services Association
(comment 41, NPRM), at 6; Global Privacy Alliance (comment 38,
NPRM), at 11.
\206\ Global Privacy Alliance (comment 38, NPRM), at 11.
\207\ American Financial Services Association (comment 41,
NPRM), at 6.
\208\ American Council on Education (comment 24, NPRM), at 12.
\209\ National Automobile Dealers Association (comment 46,
NPRM), at 30-31.
---------------------------------------------------------------------------
The Commission believes logging user activity is a crucial
component of information security because in the event of a security
event it allows financial institutions to understand what was accessed
and when. However, the term ``audit trails'' may have been unclear in
this context. In order to clarify that logging user activity is a part
of the user monitoring process, the Final Rule does not include
paragraph (c)(7) of the Proposed Rule and instead modifies the user
monitoring provision to include a requirement to log user
activity.\210\ By putting the ``monitoring'' and ``logging''
requirements together, the Final Rule provides greater clarity on the
comment raised by the GPA: Financial institutions are expected to use
logging to ``monitor'' active users and reconstruct past events.
---------------------------------------------------------------------------
\210\ See Final Rule, 16 CFR 314.4(c)(8).
---------------------------------------------------------------------------
Disposal Procedures
Proposed paragraph (c)(8) required financial institutions to
develop procedures for the secure disposal of customer information that
is no longer necessary for their business operations or other
legitimate business purposes.\211\ The Proposed Rule allowed the
retention of information when retaining the information is required by
law or where targeted disposal is not feasible.
---------------------------------------------------------------------------
\211\ Proposed 16 CFR 314.4(c)(8).
---------------------------------------------------------------------------
Some commenters supported the inclusion of a disposal requirement
as proposed or suggested that the disposal requirements should be
strengthened.\212\ Consumer Reports argued financial institutions
should be required to dispose of customer information when it is no
longer needed for the business purpose for which it was gathered.\213\
The Princeton Center suggested the Rule require disposal after a set
period unless the company can demonstrate a current need for the data
and that financial institutions periodically review their data
practices to minimize their data retention.\214\
---------------------------------------------------------------------------
\212\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 8; Electronic Privacy Information
Center (comment 55, NPRM), at 8; Consumer Reports (comment 52,
NPRM), at 7.
\213\ Consumer Reports (comment 52, NPRM), at 7-8.
\214\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 8-9.
---------------------------------------------------------------------------
Several other commenters opposed the disposal requirement as set
forth in the Proposed Rule. Some argued the requirement to dispose of
information goes beyond the Commission's authority under the GLB
Act.\215\ NADA argued the GLB Act does not ``contain[ ] any authority
to require financial institutions to delete any information'' and a
requirement to have procedures to delete information for which a
company has no legitimate business purpose would constitute a ``new
privacy regime.'' \216\ The American Financial Services Association
(AFSA) stated the requirement was too prescriptive and the Rule should
allow financial institutions to retain information as long as that
retention complies with the retention policy created by the financial
institution.\217\ AFSA further argued the proposed requirement exceeds
the Federal banking standards, pointing to the FFIEC Cybersecurity
Assessment Tool, which sets disposal of records ``according to
documented requirements and within expected time frames'' as a baseline
requirement for access and data management.\218\
---------------------------------------------------------------------------
\215\ National Automobile Dealers Association (comment 46,
NPRM), at 31; National Independent Automobile Dealers Association
(comment 48, NPRM), at 6.
\216\ National Automobile Dealers Association (comment 46,
NPRM), at 31-32.
\217\ American Financial Services Association (comment 41, NPRM),
at 6.
\218\ Cybersecurity Assessment Tool, FFIEC, https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Cybersecurity_Maturity_June2.pdf at 37 (last
visited December 3, 2020).
---------------------------------------------------------------------------
Yet other commenters suggested modifying the requirement. NADA
argued that if there was to be a disposal requirement, then it should
be modeled after the Disposal Rule, which requires businesses to
properly dispose of consumer reports, but does not have an explicit
requirement to dispose of information on any particular schedule.\219\
ACE suggested modifying the Proposed Rule to require disposal of
information only where there is no longer any ``legitimate purpose''
rather than any ``legitimate business purpose.'' \220\ It argued in
some cases a financial institution may have legitimate purposes for
retaining information that are not readily defined as ``business''
purposes, such as the retention of data by educational institutions for
institutional research or student analytics.\221\
---------------------------------------------------------------------------
\219\ National Automobile Dealers Association (comment 46,
NPRM), at 32.
\220\ American Council on Education (comment 24, NPRM), at 12.
\221\ Id.
---------------------------------------------------------------------------
The Commission believes requiring the disposal of customer
information for which the financial institution has no legitimate
business purpose is within the authority granted by the GLB Act to
protect the security of customer information. The disposal of records,
both physical and digital, can result in exposure of customer
information if not performed properly.\222\ Similarly, if records are
retained when they are no longer necessary, there is a risk those
records will be subject to unauthorized access. The risk of
unauthorized access may be reasonable where the retention of data
provides some benefit. In situations where the information is no longer
needed for a legitimate business purpose, though, the risk to the
customer information becomes unreasonable because the retention is no
longer benefiting the customer or financial institution. Disposing of
unneeded customer information, therefore, is a vital part of protecting
customer information and serves the purpose of the GLB Act.\223\
---------------------------------------------------------------------------
\222\ See, e.g., Complaint, Rite Aid Corp., FTC No. 072-3121
(November 22, 2010) (alleging company failed to provide reasonable
data security when it failed to implement policies and procedures to
dispose securely of personal information).
\223\ As to the Princeton Center's suggestion financial
institutions periodically review their disposal practices (Princeton
University Center for Information Technology Policy (comment 54,
NPRM), at 8-9), the Commission believes this requirement is already
encompassed in the requirement contained in Sec. 314.4(g) to
periodically review their safeguards overall.
---------------------------------------------------------------------------
[[Page 70292]]
The Commission disagrees with commenters who suggested narrowing
the disposal requirement or doing away with it altogether. As noted
above, although no disposal requirement appears in FFIEC guidelines,
those guidelines represent a different regulatory approach and are not
an appropriate model for the Safeguards Rule.
Finally, as to setting retention periods or narrowing the
legitimate business purposes for which financial institutions may
retain customer information, the Commission recognizes financial
institutions need some flexibility. Customers may, for example, want
to access and transfer older data in some circumstances; in other
circumstances, retaining such data would not be consistent with any
legitimate business purpose. The Commission believes the Princeton
Center's recommendation that companies be required to delete
information after a set period unless the information is still needed
for a legitimate business purpose properly balances the needs of
financial institutions with the need to protect customer information.
Thus, the Commission modifies proposed paragraph (c)(6) to require the
deletion of customer information two years after the last time the
information is used in connection with providing a product or service
to the customer, unless the information is required for a legitimate
business purpose, as set out in paragraph (c)(6)(i) of the Final Rule. In addition,
paragraph (c)(6)(ii) of the Final Rule requires financial institutions
to periodically review their policies to minimize the unnecessary
retention of information.
Change Management
Proposed paragraph (c)(9) required financial institutions to adopt
procedures for change management.\224\ Change management procedures
govern the addition, removal, or modification of elements of an
information system.\225\ This paragraph required financial institutions
to develop procedures to assess the security of devices, networks, and
other items to be added to their information system, or the effect of
removing such items or otherwise modifying the information system. For
example, a financial institution that adds additional servers or other
machines to its information system would need to evaluate the security
of the new devices and the effect of adding them to the existing
network.
---------------------------------------------------------------------------
\224\ Proposed 16 CFR 314.4(c)(9).
\225\ See, e.g., Change Management, Rutgers OIT Information
Security Office, https://rusecure.rutgers.edu/content/change-management (last accessed 1 Dec. 2020).
---------------------------------------------------------------------------
Some commenters supported this requirement,\226\ while others
stated it was too broad and would impose unnecessary burdens on
financial institutions.\227\ In particular, NADA argued financial
institutions that have not made changes in their systems ``for some
time'' should not be required to create procedures for change
management.\228\ ACE argued including a change management requirement
is unnecessary because such a requirement is ``generally incorporated
into an organization's IT operations'' for non-security purposes and
the security considerations of those changes will be considered as part
of those procedures.\229\
---------------------------------------------------------------------------
\226\ Electronic Privacy Information Center (comment 55, NPRM),
at 8; National Consumer Law Center and others (comment 58, NPRM), at
3.
\227\ American Council on Education (comment 24, NPRM), at 12-
13; National Automobile Dealers Association (comment 46, NPRM), at
33.
\228\ National Automobile Dealers Association (comment 46,
NPRM), at 32-33.
\229\ American Council on Education (comment 24, NPRM), at 12.
---------------------------------------------------------------------------
Alterations to an information system or network introduce
heightened risk of cybersecurity incidents; \230\ thus, it is important
to expressly require change management to be a part of an information
security program. The Commission agrees with ACE that many financial
institutions will already have change management procedures in place.
If those procedures adequately consider security issues involved in the
change, then they may satisfy this requirement.
---------------------------------------------------------------------------
\230\ See Remarks of Rocio Baeza, Safeguards Workshop Tr., supra
note 17, at 95 (``[E]very time there is a change to any of these
[network] environments, that is creating additional risk.'');
Remarks of Scott Wallace, Safeguards Workshop Tr., supra note 17, at
147-48 (giving an example of an incident in which network changes
led to the exposure of sensitive information); Remarks of Matthew
Green, Safeguards Workshop Tr., supra note 17, at 252 (noting it is
``a little dangerous'' to make ``major changes'' to an information
system at a time of heightened stress).
---------------------------------------------------------------------------
As to the comment that a financial institution that has not made
changes to its environment in some time should not be required to have
change management processes, the Commission disagrees. Few information systems
can remain unchanged for a significant period of time, given the
changing technical requirements for business and security. Indeed, NADA
acknowledges financial institutions will need to ``adapt[] their
programs to keep up with changes in data security.'' \231\ For this
reason, all financial institutions must have procedures for when the
changes occur. As with all of the requirements of the Rule, though, the
exact nature of these procedures will vary depending on the size,
complexity and nature of the information system. A simple system may
have equally simple change management procedures.
---------------------------------------------------------------------------
\231\ National Automobile Dealers Association (comment 46,
NPRM), at 33 n.96.
---------------------------------------------------------------------------
The Commission adopts this proposed paragraph as paragraph (c)(7)
of the Final Rule without change.
System Monitoring
Proposed paragraph (c)(10) required financial institutions to
implement policies and procedures designed ``to monitor the activity of
authorized users and detect unauthorized access or use of, or tampering
with, customer information by such users.'' \232\ The Proposed Rule
required financial institutions to take steps to monitor those users
and their activities related to customer information in a manner
adapted to the financial institution's particular operations and needs.
---------------------------------------------------------------------------
\232\ Proposed 16 CFR 314.4(c)(10).
---------------------------------------------------------------------------
NADA stated this requirement would create unnecessary expense
because it would require financial institutions to ``continually
monitor all authorized use'' and would mean ``yet more new employees or
third-party IT consultants.'' \233\ The Commission disagrees, however,
noting that monitoring of system use can be automated.\234\ There is no
requirement that a separate staff member be dedicated exclusively to
monitoring system use.
---------------------------------------------------------------------------
\233\ National Automobile Dealers Association (comment 46, NPRM),
at 33.
\234\ See Remarks of Nicholas Weaver, Safeguards Workshop Tr.,
supra note 17, at 124-25.
---------------------------------------------------------------------------
In addition, one commenter stated monitoring the use of paper files
is impossible and should be excluded from this provision.\235\ The
Commission acknowledges monitoring of paper records is qualitatively
different than the monitoring of electronic records. This requirement
goes hand in hand with limiting access to documents, whether electronic
or paper. For example, if an institution has a file room and access to
the room is limited to particular employees (e.g., the payroll office),
the institution should have measures in place to ensure those access
controls are in fact being utilized (e.g., sign-in at the front desk,
logging of key card access, security cameras).
---------------------------------------------------------------------------
\235\ American Financial Services Association (comment 41,
NPRM), at 6.
---------------------------------------------------------------------------
As discussed above, this paragraph is amended to also require the
logging of user activity, but is otherwise adopted as proposed as
paragraph (c)(8).
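The following Python is an added example (not from the Rule or any commenter) of how a single user-activity log can serve both purposes the Commission assigns to paragraph (c)(8) in the Audit Trails discussion above and in this section: automated monitoring of authorized users for unauthorized use of or tampering with customer information, and reconstruction of who accessed a record and when. The log format, roles, thresholds and sample entries are constructed.

```python
"""User-activity logging for Final Rule paragraph (c)(8): one log that
supports (a) automated monitoring of authorized users for unauthorized
access, use or tampering, and (b) reconstruction of past events.

Added example; the log format, roles, records and thresholds are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit trail: who did what to which record, when.
SAMPLE_LOG = """\
{"ts": "2022-12-09T09:00:05", "user": "alice", "role": "teller", "action": "read", "record": "cust:1042", "outcome": "ok"}
{"ts": "2022-12-09T09:01:10", "user": "bob", "role": "teller", "action": "update", "record": "cust:1042", "outcome": "ok"}
{"ts": "2022-12-09T09:02:00", "user": "carol", "role": "loan_officer", "action": "read", "record": "cust:2001", "outcome": "ok"}
{"ts": "2022-12-09T09:02:20", "user": "carol", "role": "loan_officer", "action": "read", "record": "cust:2002", "outcome": "ok"}
{"ts": "2022-12-09T09:02:40", "user": "carol", "role": "loan_officer", "action": "read", "record": "cust:2003", "outcome": "ok"}
{"ts": "2022-12-09T09:03:00", "user": "carol", "role": "loan_officer", "action": "read", "record": "cust:2004", "outcome": "ok"}
{"ts": "2022-12-09T09:03:20", "user": "carol", "role": "loan_officer", "action": "read", "record": "cust:2005", "outcome": "ok"}
{"ts": "2022-12-09T09:03:40", "user": "carol", "role": "loan_officer", "action": "read", "record": "cust:2006", "outcome": "ok"}
{"ts": "2022-12-09T09:10:00", "user": "dave", "role": "teller", "action": "export", "record": "cust:3003", "outcome": "denied"}
{"ts": "2022-12-09T09:10:05", "user": "dave", "role": "teller", "action": "export", "record": "cust:3003", "outcome": "denied"}
{"ts": "2022-12-09T09:10:09", "user": "dave", "role": "teller", "action": "export", "record": "cust:3003", "outcome": "denied"}
{"ts": "2022-12-09T14:30:00", "user": "alice", "role": "teller", "action": "read", "record": "cust:1042", "outcome": "ok"}
"""

# Constructed authorization matrix: what each role may do to customer records.
ALLOWED_ACTIONS = {
    "teller": {"read"},
    "loan_officer": {"read", "update"},
    "admin": {"read", "update", "delete", "export"},
}
BULK_THRESHOLD = 5                  # distinct records by one user ...
BULK_WINDOW = timedelta(minutes=5)  # ... within this window looks like scraping
DENIED_THRESHOLD = 3                # repeated denials by one user


def parse_log(text):
    """Parse JSON lines into events with real datetimes; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue   # one bad line must not stop analysis of the rest
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def reconstruct(events, record, start=None, end=None):
    """Past-event reconstruction: who touched `record` in [start, end], in order."""
    return [
        (e["ts"], e["user"], e["action"], e["outcome"])
        for e in events
        if e["record"] == record
        and (start is None or e["ts"] >= start)
        and (end is None or e["ts"] <= end)
    ]


def monitor(events):
    """Active-user monitoring: findings about authorized users misusing access."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
        # 1. A successful action outside the role's permitted set points at
        #    tampering or a broken access control.
        if e["outcome"] == "ok" and e["action"] not in ALLOWED_ACTIONS.get(e.get("role"), set()):
            findings.append(("privilege_violation", e["user"], e["action"], e["record"]))
    for user, evs in per_user.items():
        # 2. Many distinct records from one account in a short window.
        oks = [e for e in evs if e["outcome"] == "ok"]
        for i, first in enumerate(oks):
            window = {e["record"] for e in oks[i:] if e["ts"] - first["ts"] <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, len(window), first["ts"]))
                break
        # 3. Repeated denials: an authorized user probing what they may not do.
        denied = [e for e in evs if e["outcome"] == "denied"]
        if len(denied) >= DENIED_THRESHOLD:
            findings.append(("repeated_denials", user, len(denied), denied[0]["action"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in monitor(evs):
        print("FINDING", f)
    for row in reconstruct(evs, "cust:1042"):
        print("HISTORY", row)
```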
[[Page 70293]]
Proposed Paragraph (d)
Proposed paragraph (d)(1) retained the current Rule's requirement
that financial institutions ``[r]egularly test or otherwise monitor the
effectiveness of the safeguards' key controls, systems, and procedures,
including those to detect actual and attempted attacks on, or
intrusions into, information systems.''
Proposed paragraph (d)(2) provided further detail to this
requirement by stating the monitoring must take the form of either
``continuous monitoring'' or ``periodic penetration testing and
vulnerability assessments.'' The proposal explained continuous
monitoring is any system that allows real-time, ongoing monitoring of
an information system's security, including monitoring for security
threats, misconfigured systems, and other vulnerabilities.\236\ For
those who elected to engage in periodic penetration testing and
vulnerability assessment, the proposal required penetration testing at
least once annually (or more frequently if called for in the financial
institution's risk assessment) and vulnerability assessments at least
twice a year.\237\
---------------------------------------------------------------------------
\236\ Financial institutions that choose the option of
continuous monitoring would also be satisfying Sec. 314.4(c)(8).
\237\ Proposed 16 CFR 314.4(d)(1) and (2).
---------------------------------------------------------------------------
Some commenters thought the proposal went too far in requiring
continuous monitoring or penetration and vulnerability testing, while
others thought the proposal did not go far enough. On one hand, ACE
argued continuous monitoring is too burdensome and difficult for some
financial institutions,\238\ particularly those with ``highly
decentralized systems,'' such as colleges and universities, which could
be required to monitor their entire system.\239\ ACE further suggested
the Rule should not prescribe any particular testing methodology or
schedule and should allow financial institutions to develop a testing
approach appropriate for the financial institution.\240\ The NPA
commented penetration and vulnerability testing would be too expensive
for small pawnbrokers with small staffs and a small customer base,
where their members would be ``likely to notice a penetration of our
records.'' \241\ One commenter stated the requirements for monitoring
and testing were ``overlapping and confusing'' and suggested the
Commission avoid confusion by including continuous monitoring,
penetration testing, vulnerability scanning, periodic risk assessment
reviews, and logging as optional components of an information security
program to be included on an as-needed basis.\242\ Some commenters
recommended the testing requirement be limited to electronic data and
exclude monitoring of physical data.\243\ The American Financial
Services Association argued the testing of physical safeguards required
by paragraph (d)(1) ``would be impossible.'' \244\ Finally, CTIA
argued, for entities that choose the approach of penetration and
vulnerability testing, these tests should be required less
regularly.\245\
---------------------------------------------------------------------------
\238\ American Council on Education (comment 24, NPRM), at 13-
14.
\239\ American Council on Education (comment 24, NPRM), at 13.
\240\ American Council on Education (comment 24, NPRM), at 14.
\241\ National Pawnbrokers Association (comment 3, Workshop), at
2.
\242\ Global Privacy Alliance (comment 38, NPRM), at 10-11.
\243\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 6; American Financial Services Association
(comment 41, NPRM), at 6.
\244\ American Financial Services Association (comment 41,
NPRM), at 6.
\245\ CTIA (comment 34, NPRM) at 12-13 (arguing penetration
testing should be required only once every two years and
vulnerability testing be required only once a year).
---------------------------------------------------------------------------
On the other hand, the Princeton Center suggested, rather than
requiring either continuous monitoring or penetration testing, the Rule
should require both. It noted continuous monitoring is very effective
at detecting problems with, and threats to, ``off-the-shelf systems''
but penetration testing is better ``for checking the interaction
between systems, proprietary systems, or subtle security issues.''
\246\ Similarly, the MSRT was concerned that the Proposed Rule
suggested annual penetration testing alone could protect financial
institutions, rather than serve as a supplement to proper
monitoring.\247\
---------------------------------------------------------------------------
\246\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 5.
\247\ Money Services Round Table (comment 53, NPRM), at 9; see
also Gusto and others (Comment 11, Workshop), at 2 (arguing
penetration testing and vulnerability assessments both have their
weaknesses and financial institutions should develop a testing
program that is appropriate for them).
---------------------------------------------------------------------------
The Commission agrees with commenters who pointed out the
difficulty of applying certain testing requirements to physical
safeguards. Although the general testing requirement set forth in
paragraph (d)(1) should apply to physical safeguards (e.g., testing
effectiveness of physical locks), the continuous monitoring,
vulnerability assessment, and penetration testing in paragraph (d)(2)
are not relevant to information in physical form. Accordingly, the final
version of paragraph (d)(2) is limited to safeguards on information
systems.
The Commission also agrees twice-yearly vulnerability testing may
not be sufficient to detect new threats. Thus, given the relative ease
with which vulnerability assessments can be performed, it modifies the
Final Rule to require financial institutions to perform assessments when
there is an elevated risk of new vulnerabilities having been introduced
into their information systems, in addition to the required twice-yearly
assessments.
Beyond these modifications, the Commission believes the proposal
struck the right balance between flexibility and protection of customer
information, and adopts the proposed provision as final. For commenters
concerned about costs of testing and continuous monitoring, the
Commission notes the Rule requires one, not both. Although many
financial institutions may choose to use both, the Commission agrees
the costs of requiring both for all financial institutions may not be
justified. \248\ As to arguments that the testing required by the Rule
is too frequent and will therefore be too costly, the Commission does
not agree vulnerability assessments will be costly. Indeed, there are
resources for free and automated vulnerability assessments.\249\ And
although the Commission acknowledges penetration testing can be a
somewhat lengthy and costly process for large or complex systems,\250\
a longer period between penetration tests will leave information
systems vulnerable to attacks that exploit weaknesses normally revealed
by penetration testing.
---------------------------------------------------------------------------
\248\ The Commission believes a system for continuous monitoring
will include some form of vulnerability assessment as part of
monitoring the information system.
\249\ Remarks of Frederick Lee, Safeguards Workshop Tr., supra
note 17, at 139-40.
\250\ See id. at 129-30 (noting the cost of a penetration test
can increase significantly depending on the complexity of the system
to be tested and the scope of the test).
---------------------------------------------------------------------------
Two other portions of the Final Rule should help financial
institutions concerned about the costs of monitoring and testing.
First, because the Commission is limiting the definition of
``information system'' in the Final Rule, financial institutions will
be able to limit this provision's application by segmenting their
network and conducting monitoring or testing only of systems that
contain customer information or that are connected to such systems.
Second, this requirement does not apply to those institutions that
[[Page 70294]]
maintain records on fewer than 5,000 individuals. Accordingly, for
example, it should not apply to businesses small enough for staff to
personally know a majority of customers.
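The segmentation point above is a scoping rule: after segmentation, the systems that must be monitored or tested are those holding customer information plus the systems connected to them, so the size of the monitoring and testing obligation depends on how connectivity is cut. The following is an added example, not from the Federal Register text, showing how that in-scope set can be derived from an asset inventory and a list of permitted network paths. The inventory and links are constructed; reading ``connected to'' as direct adjacency is one interpretation, and the transitive option goes beyond the text's wording to show how a flat network pulls everything into scope.

```python
"""Derive the monitoring/testing scope from an asset inventory and the
network paths that remain after segmentation.  Added example; the
inventory, links, and the direct-adjacency reading of "connected to"
are assumptions, not the Rule's text."""
from collections import defaultdict, deque

# Constructed inventory: system name -> holds customer information?
INVENTORY = {
    "loan-db": True,
    "crm-app": True,
    "app-gw": False,
    "marketing-site": False,
    "hr-payroll": False,
    "guest-wifi-ap": False,
}

# Constructed connectivity after segmentation: each pair is a permitted
# network path (for instance, a firewall rule allowing traffic between them).
LINKS = [
    ("crm-app", "loan-db"),
    ("app-gw", "crm-app"),
    ("app-gw", "marketing-site"),
    ("marketing-site", "hr-payroll"),
]


def adjacency(links):
    """Undirected adjacency sets; isolated systems simply have no entry."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def in_scope(inventory, links, transitive=False):
    """Systems that hold customer information plus those connected to them.

    transitive=False: direct neighbours only (assumed reading of the text).
    transitive=True:  everything reachable, which is what an unsegmented
                      network effectively implies."""
    adj = adjacency(links)
    holders = {name for name, holds in inventory.items() if holds}
    scope = set(holders)
    if not transitive:
        for h in holders:
            scope |= adj[h]
        return scope
    queue = deque(holders)
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope


def flat_links(inventory):
    """Links for an unsegmented network: every system can reach every other."""
    names = sorted(inventory)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]]


if __name__ == "__main__":
    print("segmented, direct:    ", sorted(in_scope(INVENTORY, LINKS)))
    print("segmented, transitive:", sorted(in_scope(INVENTORY, LINKS, True)))
    print("flat network:         ", sorted(in_scope(INVENTORY, flat_links(INVENTORY))))
```

With the constructed inventory, the direct reading keeps three of six systems in scope, the transitive reading adds the two systems reachable through the gateway, and a flat network puts all six in scope, which is the outcome segmentation is meant to avoid. Whichever reading an institution adopts, the scope decision should be recorded in the risk assessment so the monitoring or testing boundary can be justified later.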
Finally, the Commission does not believe the testing requirements
are duplicative of other provisions of the Final Rule. The provision
relating to additional risk assessments, Sec. 314.4(b)(2), requires a
financial institution to reevaluate its risks and to determine if
safeguards should be modified or added--it does not require testing to
detect threats and technical vulnerabilities in the existing system.
Section 314.4(c)(8)'s requirement that financial institutions monitor
users' activity in an information system is focused on one aspect of
information security--detecting and preventing unauthorized access and
use of the system. The requirement of this paragraph, on the other
hand, is focused on testing the overall effectiveness of a financial
institution's safeguards. It is broader than paragraph (c)(8)'s
requirement and is necessary to ensure financial institutions test the
strength of their safeguards as a whole.
Accordingly, the Final Rule requires financial institutions to
perform vulnerability assessments at least once every six months and,
additionally, whenever there are material changes to their operations
or business arrangements and whenever there are circumstances they know
or have reason to know may have a material impact on their information
security program.
Proposed Paragraph (e)
Proposed paragraph (e) set forth a requirement that financial
institutions implement policies and procedures ``to ensure that
personnel are able to enact [the financial institution's] information
security program.'' This requirement included four components: (1)
General employee training; (2) use of qualified information security
personnel; (3) specific training for information security personnel;
and (4) verification that security personnel are taking steps to
maintain current knowledge on security issues.
General Employee Training
Proposed paragraph (e)(1) required financial institutions to
provide their personnel with ``security awareness training that is
updated to reflect risks identified by the risk assessment.'' \251\
---------------------------------------------------------------------------
\251\ Proposed 16 CFR 314.4(e)(1).
---------------------------------------------------------------------------
While one commenter specifically supported the inclusion of this
training requirement,\252\ the U.S. Chamber of Commerce argued the Rule
should not have any specific training requirements at all.\253\ NADA
stated the requirement that the training be ``updated to reflect risks
identified by the risk assessment'' will require companies to develop
individualized training programs to suit their financial institution
and that such a process would be expensive and unnecessary because
``general security awareness'' is generally enough for most financial
institutions.\254\
---------------------------------------------------------------------------
\252\ Electronic Privacy Information Center (comment 55, NPRM),
at 8.
\253\ U.S. Chamber of Commerce (comment 33, NPRM), at 12; see
also American Financial Services Association (comment 41, NPRM), at
6 (stating the Commission should acknowledge that a training program
for a small financial institution will be different from a program
for a larger institution).
\254\ National Automobile Dealers Association (comment 46,
NPRM), at 34.
---------------------------------------------------------------------------
Given the current Rule includes a similar training requirement and
training remains a vital part of effective information security, the
Commission declines to eliminate it. The Commission believes the Final
Rule's training requirement retains the same flexibility as the
existing Rule and allows financial institutions to adopt a training
program appropriate to their organization.
The Commission disagrees with NADA's concern the requirement to
update training programs would be too expensive. Without a requirement
that the training program be updated based on an assessment of risks,
employees may be subject to the same training year after year, which
might reflect obsolete threats, as opposed to addressing current ones.
The Commission interprets this provision to require only that the
training program be updated as necessary based on changes in the
financial institution's risk assessment. The provision also gives
financial institutions the flexibility to use programs provided by a
third party, if that program is appropriate for the financial
institution. In order to clarify updates are required only when needed
by changes in the financial institution or new security threats,
though, the Final Rule states training programs need to be updated only
``as necessary.''
Information Security Personnel
Proposed paragraph (e)(2) required financial institutions to
``[u]tiliz[e] qualified information security personnel,'' employed
either by them or by affiliates or service providers, ``sufficient to
manage [their] information security risks and to perform or oversee the
information security program.'' \255\ This proposed provision was
designed to ensure information security personnel used by financial
institutions are qualified for their positions and information security
programs are sufficiently staffed.
---------------------------------------------------------------------------
\255\ Proposed 16 CFR 314.4(e)(2).
---------------------------------------------------------------------------
Some commenters argued this provision was too vague because it does
not define what personnel are necessary and what ``qualified''
means.\256\ NADA argued hiring additional staff to meet this
requirement could be prohibitively expensive.\257\
---------------------------------------------------------------------------
\256\ National Automobile Dealers Association (comment 46,
NPRM), at 35; National Independent Automobile Dealers Association
(comment 48, NPRM), at 7.
\257\ National Automobile Dealers Association (comment 46,
NPRM), at 35.
---------------------------------------------------------------------------
As discussed in relation to the appointment of a ``Qualified
Individual,'' the Commission believes a more specific definition of
``qualified'' would not be appropriate because each financial
institution has different needs and different levels of training,
experience, and expertise will be appropriate for the information
security staff of each institution. The term ``qualified'' conveys only
that staff must have the abilities and expertise to perform the duties
required by the information security program.\258\ The Commission
declines to include a more prescriptive set of qualification
requirements in the Final Rule.\259\
---------------------------------------------------------------------------
\258\ NADA also asks whether this provision would require
financial institutions to hire more personnel if they do not have
enough qualified staff. Id. The Final Rule does require the hiring
of additional personnel if existing personnel are not enough to
maintain the financial institution's information security program.
\259\ One commenter, on the other hand, approved of the decision
not to define ``qualified'' in the Proposed Rule, but argued the
requirement in its totality was unclear because it did not set forth
``how the Commission would hold covered entities accountable.''
American Council on Education (comment 24, NPRM) at 14. The
Commission believes the term ``qualified'' provides a clear enough
requirement to allow a financial institution's compliance to be
evaluated.
---------------------------------------------------------------------------
As to the concern about expense, the Commission acknowledges hiring
employees or retaining third parties to maintain financial
institutions' information security programs can be a substantial
expense. But the expense is necessary to effectuate Congressional
intent that financial institutions implement reasonable safeguards to
protect customer information. The Rule requires only that a financial
institution have personnel ``sufficient'' to manage its risk and to
maintain its information security program. A financial institution is
required only to have the staff necessary to maintain its information
security. An information security program that is not properly
maintained cannot offer the protection it is designed to provide. A
financial institution that
[[Page 70295]]
does not comply with this requirement, by definition, has insufficient
staffing, and thus, cannot reasonably protect customer information.
Although the expense is necessary, the level of expense is
mitigated by several factors. First, existing financial institutions
should already have information security personnel (either in the form
of employees or third-party service providers) qualified to perform the
duties necessary to maintain reasonable security in order to comply
with the requirements of the current Rule. Depending on the skills of
those employees, additional staffing may not be necessary to meet the
demands of the Final Rule. Second, the required staffing will vary
greatly based on the size and complexity of the information system. A
financial institution with an extremely simple system may not require
even a single full-time employee. Finally, the Rule allows the use of
service providers to meet this requirement. This can significantly
reduce costs as services exist to share the expense of qualified
personnel and offer information security support at significantly less
than the cost of employing a single qualified employee.\260\ The
Commission continues to believe utilizing qualified and sufficient
information security personnel is a vital part of any information
security program and accordingly, adopts proposed paragraph (e)(2) in
the Final Rule without modification.
---------------------------------------------------------------------------
\260\ See, e.g., Slides Accompanying Remarks of Rocio Baeza,
``Models for Complying to the Safeguards Rule Changes,'' in
Safeguards Workshop Slides, supra note 72, at 27-28 (describing
three different compliance models: In-house, outsource, and hybrid,
with costs ranging from $199 per month to more than $15,000 per
month); see also remarks of Rocio Baeza, Safeguards Workshop Tr.,
supra note 17, at 81-83; slides Accompanying Remarks of Brian
McManamon, ``Sample Pricing,'' in Safeguards Workshop Slides, supra
note 72, at 29 (estimating the cost of cybersecurity services based
on number of endpoints); Remarks of Brian McManamon, Safeguards
Workshop Tr., supra note 17, at 83-85.
---------------------------------------------------------------------------
Training of Security Personnel
The Proposed Rule also required financial institutions to
``[p]rovid[e] information security personnel with security updates and
training sufficient to address relevant security risks.'' \261\ This is
separate from paragraph (e)(1)'s requirement to train all personnel
generally.
---------------------------------------------------------------------------
\261\ Proposed 16 CFR 314.4(e)(3).
---------------------------------------------------------------------------
Some commenters argued providing ongoing training could be too
costly for some financial institutions.\262\ The Commission disagrees.
Maintaining awareness of emerging threats and vulnerabilities is a
critical aspect of information security. In order to perform their
duties, security personnel must be educated on the changing nature of
threats to the information systems they maintain. There are resources
that will allow smaller institutions to meet this requirement at little
or no cost, such as published security updates, online courses, and
educational publications.\263\ For financial institutions that utilize
service providers to meet information security needs, the service
provider is likely to include assurances that provided personnel will
be trained in current security practices. The Commission views the use
of such a service provider as meeting this requirement, as the
financial institution is ``providing'' the service as part of the price
it pays to the service provider. Thus, the Final Rule adopts paragraph
(e)(3) as proposed.\264\
---------------------------------------------------------------------------
\262\ National Automobile Dealers Association (comment 46,
NPRM), at 35.
\263\ See, e.g., Federal Trade Commission, Cybersecurity for
Small Business, https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity (last accessed 1 Dec. 2020); Remarks
of Kiersten Todt, Safeguards Workshop Tr. at 86-88 (describing the
resources of the Cyber Readiness Institute).
\264\ The Clearing House suggested the Rule should require
background checks on employees. The Clearing House (Comment 49,
NPRM) at 19.
---------------------------------------------------------------------------
Verification of Current Knowledge
Proposed paragraph (e)(4) required financial institutions to
``[v]erify[ ] that key information security personnel take steps to
maintain current knowledge of changing information security threats and
countermeasures.'' \265\ This requirement was intended to complement
the proposed requirement regarding ongoing training of data security
personnel, by requiring verification such training has taken place.
---------------------------------------------------------------------------
\265\ Proposed 16 CFR 314.4(e)(4).
---------------------------------------------------------------------------
NADA argued this requirement should not apply to smaller financial
institutions, stating the examples set forth in the Proposed Rule would
be difficult for some smaller financial institutions to perform.\266\
The examples provided with the Proposed Rule were that a financial
institution could: (1) Offer incentives or funds for key personnel to
undertake continuing education that addresses recent developments, (2)
include a requirement to stay abreast of security research as part of
their performance metrics, or (3) conduct an annual assessment of key
personnel's knowledge of threats related to their information system.
The Commission believes smaller financial institutions can take
advantage of any of these methods, particularly ``requiring key
personnel to undertake continuing education'' as part of that
personnel's duties. If they outsource responsibility for data security
to service providers, they can simply include these requirements in
their contracts.
---------------------------------------------------------------------------
\266\ National Automobile Dealers Association (comment 46,
NPRM), at 35-36.
---------------------------------------------------------------------------
The Commission believes the rapidly changing nature of information
security mandates this requirement, in order that information security
leadership can properly supervise the information security program.
Accordingly, the Final Rule adopts proposed paragraph (e)(4) without
change.
Proposed Paragraph (f)
Proposed paragraphs (f)(1) and (2) retained the current Rule's
requirement, found in existing paragraphs (d)(1) and (2), to oversee
service providers, and added a paragraph (f)(3), requiring financial
institutions also to periodically assess service providers ``based on the
risk they present and the continued adequacy of their safeguards.''
\267\ The current Rule expressly requires an assessment of service
providers' safeguards only at the onboarding stage; proposed paragraph
(f)(3) required financial institutions to monitor their service
providers on an ongoing basis to ensure they are maintaining adequate
safeguards to protect customer information they possess or access.\268\
---------------------------------------------------------------------------
\267\ Proposed 16 CFR 314.4(g).
\268\ The Clearing House wrote in support of this element of the
Proposed Rule, noting it would bring the Safeguards Rule's
provisions relating to service provider oversight into better
alignment with security guidelines for banks. The Clearing House
(comment 49, NPRM), at 14.
---------------------------------------------------------------------------
Several commenters argued it would be costly and difficult for some
financial institutions to periodically assess their service
providers.\269\ These commenters were particularly concerned with
smaller financial institutions' ability to ``monitor'' larger service
providers.\270\ The Internet Association commented the requirement to
periodically assess service providers would be too onerous for the
service providers themselves, arguing the requirement would place
``service providers under constant surveillance by their financial
institution clients.'' \271\ HITRUST suggested the Rule should state
the periodic assessment requirement may be satisfied by requiring
service providers to obtain and maintain information
[[Page 70296]]
security certifications provided by third parties and based on proper
information security frameworks.\272\ In contrast, Consumer Reports
took issue with the Rule requiring only ``assessment'' of service
providers, and argued financial institutions should be required to
monitor their service providers for compliance.\273\ Yet other
commenters expressed confusion over the term ``service provider,''
asking whether it would cover national consumer reporting agencies that
smaller financial institutions would be hard-pressed to assess.\274\
---------------------------------------------------------------------------
\269\ National Automobile Dealers Association (comment 46,
NPRM), at 37; National Independent Automobile Dealers Association
(comment 48, NPRM), at 7; see also Wangyang Shen (comment 3, Privacy
Rule) (noting difficulty of supervising cloud services).
\270\ National Automobile Dealers Association (comment 46,
NPRM), at 22; National Association of Dealer Counsel (comment 44,
NPRM), at 3.
\271\ Internet Association (comment 9, Workshop), at 3-4.
\272\ HITRUST (comment 18, NPRM), at 3-4.
\273\ Consumer Reports (comment 52, NPRM) at 7.
\274\ American Financial Services Association (comment 41,
NPRM), at 7.
---------------------------------------------------------------------------
The Commission retains the service provider oversight requirement
from proposed paragraph (f) without modification. Some high profile
breaches have been caused by service providers' security failures,\275\
and the Commission views the regular assessment of the security risks
of service providers as an important part of maintaining the strength
of a financial institution's safeguards.
---------------------------------------------------------------------------
\275\ For example, in 2013, attackers were reportedly able to
use stolen credentials obtained from a third-party service provider
to access a customer service database maintained by national
retailer Target Corporation, resulting in the theft of information
relating to 41 million customer payment card accounts. Kevin McCoy,
Target to pay $18.5M for 2013 data breach that affected 41 million
consumers, USA Today, May 23, 2017, https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.
---------------------------------------------------------------------------
The Commission disagrees with the commenters who expressed concerns
this provision, and particularly the assessment requirement, would
impose undue costs on financial institutions. The Rule would require
financial institutions only to assess the risks service providers
present and evaluate whether they continue to provide the safeguards
required by contract, which need not include extensive investigation of
a service provider's systems. In the case of large service providers,
this oversight may consist of reviewing public reports of insecure
practices, changes in the services provided, or security failures in
the services provided. In other circumstances, such as where a large
company hires a vendor to secure sensitive customer information,
certifications, reports, or even third-party audits may be appropriate.
The exact steps required depend both on the size and complexity of the
financial institution and the nature of the services provided by the
service provider. For this reason, the Commission declines to adopt the
suggestion to allow a financial institution to accept an information
security certification from the service provider to satisfy the service
provider oversight requirement. The fact that a company maintains an
information security certification may be a significant part of
assessing the adequacy of a service provider's safeguards, but the
Commission declines to prescribe a one-size-fits-all approach, given
the variation in size and complexity of financial institutions and
their service providers.
To avoid imposing undue costs on financial institutions, the
Commission declines to require ongoing monitoring, rather than periodic
assessment, as recommended by Consumer Reports. The Commission believes
periodic assessment strikes the right balance between protecting
consumers and imposing undue costs on financial institutions. The
Commission acknowledges financial institutions may have limited
bargaining power in obtaining services from large service providers and
limited ability to demand access to a service provider's systems. In
those cases, any sort of hands-on assessment of the provider's systems
may not be possible.
As to the concern the assessment requirement will impose undue
burdens on the service providers themselves, the Commission does not
believe this concern justifies a modification to the proposed
requirement. First, the Rule does not require ``constant surveillance''
by financial institutions--they are required only to ``periodically
assess'' the risks presented by service providers. Second, as discussed
above, the supervision of service providers is a vitally important
aspect of information security, and while there may be some burdens on
the service providers associated with being supervised, these are
necessary burdens. A financial institution must be sure a service
provider is protecting the information of its customers, and any
expenses this involves are a necessary part of fulfilling this duty.
Finally, as to concerns about potential ambiguities in the
definition of service provider, the amendments preserve the definition
in the current Rule. Thus, entities subject to this requirement under
the Final Rule will remain the same as under the existing Rule and may
include consumer reporting agencies. As discussed above, even larger
service providers such as national CRAs can be subjected to some form
of review by financial institutions.\276\
---------------------------------------------------------------------------
\276\ The National Pawnbrokers Association expressed concern
they cannot control vendors of local law enforcement agencies to
whom they are required to provide customer information. National
Pawnbrokers Association (comment 32, NPRM), at 2. However, the Rule
does not require financial institutions to oversee service providers
employed by other entities over which they have no control.
---------------------------------------------------------------------------
The Commission adopts proposed paragraph (f) in the Final Rule
without modification.
Proposed Paragraph (g)
Paragraph (g) of the Proposed Rule retained the language of
existing paragraph (e) in the current Rule, which requires financial
institutions to evaluate and adjust their information security programs
in light of the result of testing required by this section, material
changes to their operations or business arrangements, or any other
circumstances they know or have reason to know may have a material
impact on their information security program. The Commission received
no comments on this paragraph and adopts the language of the Proposed
Rule.
Proposed Paragraph (h)
Proposed paragraph (h) required financial institutions to establish
written incident response plans that addressed (1) the goals of the
plan; (2) the internal processes for responding to a security event;
(3) the definition of clear roles, responsibilities and levels of
decision-making authority; (4) external and internal communications and
information sharing; (5) identification of requirements for the
remediation of any identified weaknesses in information systems and
associated controls; (6) documentation and reporting regarding security
events and related incident response activities; and (7) the evaluation
and revision as necessary of the incident response plan following a
security event.
Several commenters supported the proposal to require an incident
response plan.\277\ The Credit Union National Association observed an
incident response plan ``helps ensure that an entity is prepared in
case of an incident by planning how it will respond and what is
required for the response.'' \278\ Consumer Reports noted a rapid
response to a security event can limit damage caused by the event.\279\
The
Princeton Center commented ``a written incident response plan is an
essential component of a good security system.'' \280\ HITRUST
commented incident response plans can help organizations ``to better
allocate limited resources.'' \281\ The South Carolina Department of
Consumer Affairs suggested the provision go further by requiring the
incident response plan include a process for notifying senior
information security personnel of the event.\282\
---------------------------------------------------------------------------
\277\ Consumer Reports (comment 52, NPRM), at 6; Princeton
University Center for Information Technology Policy (comment 54,
NPRM), at 7; Electronic Privacy Information Center (comment 55,
NPRM), at 8; Credit Union National Association (comment 30, NPRM),
at 2; Heartland Credit Union Association (comment 42, NPRM), at 2;
National Association of Federally-Insured Credit Unions (comment 43,
NPRM), at 1; HITRUST (comment 18, NPRM), at 2.
\278\ Credit Union National Association (comment 30, NPRM), at
2.
\279\ Consumer Reports (comment 52, NPRM), at 6.
\280\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 7.
\281\ HITRUST (comment 18, NPRM), at 2.
\282\ South Carolina Department of Consumer Affairs (comment 47,
NPRM), at 2.
---------------------------------------------------------------------------
Other commenters opposed requiring an incident response plan or
objected to particular aspects of the requirement. Some commenters
suggested requiring financial institutions to have incident response
plans is outside the Commission's authority under the GLB Act.\283\
NADA argued the requirement for an incident response plan was overbroad
in light of the broad definition of security event,\284\ and the
requirement was vague as to what the plan should include.\285\
---------------------------------------------------------------------------
\283\ National Automobile Dealer Association (comment 46, NPRM),
at 38; National Independent Automobile Dealers Association (comment
48, NPRM), at 7.
\284\ National Automobile Dealer Association (comment 46, NPRM),
at 38.
\285\ National Automobile Dealer Association (comment 46, NPRM),
at 12, 38-39. NPA also asked for greater detail on what constitutes
an ``incident.'' National Pawnbroker Association (comment 32, NPRM),
at 4.
---------------------------------------------------------------------------
Other commenters argued the requirement was too burdensome. ACE
argued ``the range of security events that might occur and their
potential impacts on institutional capacity to recover'' make
establishing an incident response plan that will allow an institution
to ``respond to, and recover from, any security event materially
affecting . . . customer information'' impossible.\286\ The Mortgage
Bankers Association (``MBA'') suggested ``institutions of smaller sizes
may not necessarily be capable of addressing all seven of the proposed
goals.'' \287\ Further, the MBA argued an incident response plan
requirement had ``the potential to cripple small businesses under the
pressure of repeatedly checking the boxes for potentially harmless
events.'' \288\
---------------------------------------------------------------------------
\286\ American Council on Education (comment 24, NPRM), at 15.
\287\ Mortgage Bankers Association (comment 26, NPRM), at 4.
\288\ Mortgage Bankers Association (comment 26, NPRM), at 4.
---------------------------------------------------------------------------
Finally, some commenters raised questions about what it means for
customer information to be in a financial institution's ``possession''
for purposes of the incident response plan requirement. ACE argued the
requirement does not adequately account for customer information held
in cloud storage operated by third parties, asserting such information
is not technically within the financial institution's possession.\289\
ACE suggested the provision should apply to customer information for
which the financial institution is responsible, instead.\290\
Relatedly, the NPA expressed concern pawnbrokers might be subject to
liability under the Proposed Rule when law enforcement agencies or
their third-party vendors make public disclosures of customer
information pawnbrokers are obligated to report.\291\
---------------------------------------------------------------------------
\289\ American Council on Education (comment 24, NPRM), at 15.
\290\ Id.
\291\ National Pawnbroker Association (comment 32, NPRM), at 4.
---------------------------------------------------------------------------
The Commission retains the requirement for financial institutions to
develop and implement an incident response plan, with one modification
described below. The Commission believes the creation of an incident
response plan is directly related to safeguarding customer information
and is within its authority under the GLBA. The requirement to create
an incident response plan focuses on preparing financial institutions
to respond promptly and appropriately to security events, and
mitigating any weaknesses in their information systems in the process.
By responding quickly and promptly mitigating weaknesses, financial
institutions can stop ongoing or future compromise of customer
information.\292\ A well-organized response to a security event can
limit the number of consumers affected by an outside attacker by
promptly identifying the attack and taking steps to stop the attack.
---------------------------------------------------------------------------
\292\ See Remarks of Serge Jorgenson, Safeguards Workshop Tr.,
supra note 17, at 52 (observing a prompt response to an incident can
prevent a ``threat actor running around in my environment for days,
months, years, and able to access anything they want.'').
---------------------------------------------------------------------------
The Commission disagrees with the commenters who stated this
requirement was too burdensome. The Final Rule requires incident
response plans address ``security event[s] materially affecting the
confidentiality, integrity, or availability of customer information in
[a financial institution's] control.'' Significantly, the plan must
address events that ``materially'' affect customer information. Thus,
the Rule does not require a plan that addresses every security event
that may occur. The plan need not include minute
details or all possible scenarios. Instead, the Rule requires the plan
to establish a system--for example, by laying out clear lines of
responsibility, systems for information sharing, and methods for
evaluating possible solutions--that will facilitate a financial
institution's response to security events regardless of the nature of
the event. A detailed approach may be appropriate for some financial
institutions, such as those with especially complicated systems or
personnel hierarchies, but the Rule is designed to give financial
institutions the flexibility needed to develop plans that best suit
their needs.\293\
---------------------------------------------------------------------------
\293\ Although the Commission agrees with the South Carolina
Department of Consumer Affairs that notification of senior personnel
is valuable, the requirement that the plan address ``the definition
of clear roles, responsibilities and levels of decision-making
authority'' will almost always result in communication of decision-
making to senior personnel authorized to make decisions about the
security response. Coupled with the requirement the Qualified
Individual report to the board or equivalent body on material events
affecting security, the Commission does not see the need to make
this change.
---------------------------------------------------------------------------
Moreover, the Commission believes the requirement is clear as to
what an incident response plan should include. The seven listed
requirements for the incident response plans provide sufficient
guidance to financial institutions designing incident response plans
while giving them flexibility to design a plan suited to their
organization. In addition, there are many resources for designing
incident response plans available for financial institutions, as well
as service providers that can assist with the design process.\294\
Individual institutions can determine the exact details of the plans.
---------------------------------------------------------------------------
\294\ See, e.g., FTC, Data Breach Response: A Guide for Business
(2019), www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business; NIST, Guide for Cybersecurity Event
Recovery (2016), nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf; Orion Cassetto, Incident Response Plan 101: How
to Build One, Templates and Examples, Exabeam: Information Security
Blog (November 21, 2018), www.exabeam.com/incident-response/incident-response-plan/ (last visited December 2, 2020).
---------------------------------------------------------------------------
To address questions about whether information is in the financial
institution's ``possession,'' the Commission is revising paragraph (h)
of the Final Rule to require financial institutions develop incident
response plans ``designed to promptly respond to, and recover from, any
security event materially affecting . . . customer information in your
control.'' (emphasis added) Replacing the term ``possession'' with
``control'' resolves the questions raised by ACE and the NPA regarding
whether financial institutions must plan for security events affecting
data that has been transferred to various kinds of third parties. Where
a financial institution has voluntarily opted to store its customer
information in the cloud, to whatever extent the information is no
longer in the ``possession'' of the financial institution, it is
certainly within the institution's ``control.'' By contrast, customer
information that has been obtained by a third party such as a law
enforcement agency, over whom a financial institution has no authority
and of whose actions the financial institution has no knowledge, cannot
fairly be said to be in the financial institution's control.
Consequently, the financial institution need not account for possible
disclosures of that information by the third party.\295\
---------------------------------------------------------------------------
\295\ NADA further argued the incident response plan constitutes
a de facto consumer notification requirement. National Automobile
Dealer Association (comment 46, NPRM), at 39. Financial institutions
have an independent obligation to perform notification as required
by state law, whether or not they have an incident response plan in
place. The fact that the Rule requires a plan that sets forth
procedures for satisfying that requirement does not impose any
independent notification requirement on the financial institution.
---------------------------------------------------------------------------
Notification of Security Events to the Commission
The Commission also requested comment on whether the Rule should
require financial institutions to report security events to the
Commission. Several commenters supported this requirement.\296\ The
Princeton University Center for Information Technology Policy noted
such a reporting requirement would ``provide the Commission with
valuable information about the scope of the problem and the
effectiveness of security measures across different entities'' and
``help the Commission coordinate responses to shared threats.'' \297\
The National Association of Federally-Insured Credit Unions argued
requiring financial institutions to report security events to the
Commission would provide an ``appropriate incentive for covered
financial companies to disclose information to consumers and relevant
regulatory bodies.'' \298\ NAFCU also suggested notification
requirements are important because they ``ensure independent assessment
of whether a security incident represents a threat to consumer
privacy.'' \299\
---------------------------------------------------------------------------
\296\ Consumer Reports (comment 52, NPRM), at 6; Princeton
University Center for Information Technology Policy (comment 54,
NPRM), at 7; Credit Union National Association (comment 30, NPRM),
at 2; Heartland Credit Union Association (comment 42, NPRM), at 2;
National Association of Federally-Insured Credit Unions (comment 43,
NPRM), at 1-2.
\297\ Princeton University Center for Information Technology
Policy (comment 54, NPRM), at 7.
\298\ National Association of Federally-Insured Credit Unions
(comment 43, NPRM), at 1.
\299\ National Association of Federally-Insured Credit Unions
(comment 43, NPRM), at 1-2.
---------------------------------------------------------------------------
Other commenters opposed the inclusion of a reporting
requirement.\300\ ACE argued such a requirement ``would simply add
another layer on top of an already crowded list of federal and state
law enforcement contacts and state breach reporting requirements.''
\301\ ACE also suggested any notification requirement should be limited
to a more restricted definition of ``security event'' than the
definition in the Proposed Rule, so financial institutions would only
be required to report incidents that could lead to consumer harm.\302\
---------------------------------------------------------------------------
\300\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 7; American Council on Education (comment 24,
NPRM), at 15.
\301\ American Council on Education (comment 24, NPRM), at 15.
\302\ Id.
---------------------------------------------------------------------------
The Commission agrees with commenters that stated a requirement
financial institutions report security events to the Commission would
have many benefits, including allowing the Commission to identify
emerging threats and assisting the Commission's enforcement of the
Rule. In addition, such a requirement would be unlikely to create a
significant burden on financial institutions because a security event
that leads to notification to the Commission is very likely to create
breach notification obligations under various state laws, and the
financial institution will thus already be engaged in notifying
consumers and state regulators. The addition of a notification to the
FTC would not require any significant additional preparation or effort.
However, because the notice of proposed rulemaking did not set forth a
detailed proposal for a notification requirement, the Final Rule does
not include such a requirement. Instead, the Commission is issuing a
supplemental notice of proposed rulemaking (SNPRM) that proposes adding
a requirement financial institutions notify the Commission of detected
security events under certain circumstances.\303\
---------------------------------------------------------------------------
\303\ Standards for Safeguarding Customer Information, SNPRM,
published elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------
Proposed Paragraph (i)
Proposed paragraph (i) required a financial institution's CISO to
``report in writing, at least annually, to [the financial
institution's] board of directors or equivalent governing body''
regarding the following information: (1) The overall status of the
information security program and financial institution's compliance
with the Safeguards Rule; and (2) material matters related to the
information security program, addressing issues such as risk
assessment, risk management and control decisions, service provider
arrangements, results of testing, security events or violations and
management's responses thereto, and recommendations for changes in the
information security program.\304\ For financial institutions that did
not have a board of directors or equivalent, the proposal required the
CISO to make the report to a senior officer responsible for the
financial institution's information security program.
---------------------------------------------------------------------------
\304\ Proposed 16 CFR 314.4(i).
---------------------------------------------------------------------------
One commenter supported this requirement.\305\ Additionally,
several workshop participants emphasized the value of communication
between information security leaders and corporate boards or their
equivalent. For example, workshop participant Michele Norin stated it
is ``important'' for the topic of information security to be discussed
at the level of the board or senior leadership regularly, and at least
once per year.\306\ Participant Adrienne Allen agreed annual reporting
made sense as a requirement, but noted for some financial institutions,
particularly those with an online presence, even more frequent
communication could be beneficial.\307\
---------------------------------------------------------------------------
\305\ Rocio Baeza (comment 12, Workshop), at 3-8 (supporting
requirement and providing sample report form and compliance
questionnaire); see also The Clearing House (comment 49, NPRM), at
15-16 (arguing that Rule should require more involvement from Board
and senior management).
\306\ Remarks of Michele Norin, Safeguards Workshop Tr., supra
note 17, at 194.
\307\ Remarks of Adrienne Allen, Safeguards Workshop Tr., supra
note 17, at 199-200.
---------------------------------------------------------------------------
ACE argued the Proposed Rule created too much emphasis on a single
annual report and should instead focus on regular reporting to the
Board or equivalent.\308\ It also expressed concern the report required
by the Proposed Rule would be too detailed and would not allow the
Board to see ``the forest for the trees,'' \309\ the requirements for
the report were too prescriptive, and the requirements focused too much
on compliance rather than security.\310\ Similarly, NADA argued the
report would not improve security but would instead create
``unnecessary liability exposure for the board/leadership of the
entity.'' \311\ HITRUST suggested
Qualified Individuals should be able to meet this reporting requirement
by submitting a report from an information security certification
program to the Board or equivalent body.\312\
---------------------------------------------------------------------------
\308\ American Council on Education (comment 24, NPRM), at 16.
\309\ Id.
\310\ Id.
\311\ National Automobile Dealer Association (comment 46, NPRM),
at 41. NADA also argued the reports by third-party Qualified
Individuals might not include useful information and were ``more
likely to be filled with platitudes and/or efforts to `upsell' the
dealership on additional CISO services.'' Id. at 42. NADA provided
no support for this claim. The Commission notes such a report would
not meet the requirements of this provision, and the financial
institution would be justified in terminating their relationship
with that provider or, at least, demanding a revised report that did
meet those requirements.
\312\ HITRUST (comment 18, NPRM), at 4.
---------------------------------------------------------------------------
The Commission adopts the proposal as final, with one modification
discussed below. This provision is intended to ensure the governing
body of the financial institution is engaged with and informed about
the state of the financial institution's information security program.
Likewise, this will create accountability for the Qualified Individual
by requiring him or her to set forth the status of the information
security program for the governing body.\313\ This will help financial
institutions to ensure their information security programs are being
maintained appropriately and given the necessary resources. Written
reports will create a record of decisions made and the information upon
which they were based, which may aid future decision-making.\314\
Management involvement in information security programs can improve the
strength of those programs and help to reduce breaches.\315\
---------------------------------------------------------------------------
\313\ See Remarks of Karthik Rangarajan, Safeguards Workshop
Tr., supra note 17, at (``If quarter over quarter, year over year,
this watermark isn't reducing, then board of directors should be
able to challenge us and say maybe you're not mapping your risks
correctly, or vice versa if it's reducing but we're seeing more
incidents, we're seeing potential breaches, things like that, then
the board of directors should be able to say maybe you don't have
the right risk quantification framework or the right risk management
framework.'').
\314\ Workshop participants Adrienne Allen, Karthik Rangarajan,
and Michele Norin each emphasized this point. See Safeguards
Workshop Tr., supra note 17, pp. 201-09.
\315\ See Juhee Kwon, Jackie Rees Ulmer, & Tawei Wang, The
Association Between Top Management Involvement and Compensation and
Information Security Breaches, Journal of Information Systems,
Spring 2013, at 219-236 (``. . . the involvement of an IT executive
decreases the probability of information security breach reports by
about 35 percent . . .''); Julia L. Higgs, Robert E. Pinsker, Thomas
Joseph Smith, & George Young, The Relationship Between Board-Level
Technology Committees and Reported Security Breaches, Journal of
Information Systems, Fall 2016, at 79-98 (``[A]s a technology
committee becomes more established, its firm is not as likely to be
breached. To obtain further evidence on the perceived value of a
technology committee, this study uses a returns analysis and finds
that the presence of a technology committee mitigates the negative
abnormal stock returns arising from external breaches.'').
---------------------------------------------------------------------------
The Commission disagrees with the commenters who stated the
reporting requirement would be too prescriptive. In fact, the language
only requires reporting of (1) the overall status of the information
security program and its compliance with this Rule; and (2) material
matters related to the information security program. The language
includes examples of what material matters might include, such as risk
assessments and security events, but does not require all of them be
included. The financial institution and the Qualified Individual will
be responsible for determining what is material for their organization.
The Commission does not believe these requirements call for overly
detailed reports.\316\
---------------------------------------------------------------------------
\316\ Indeed, workshop participants discussed a variety of
strategies for meaningful communication between security personnel
and senior leadership. Participants noted the proper content, style,
and cadence of reporting (beyond the minimum annual report) will
vary depending on, among other things, the type of financial
institution in question and the level of familiarity of leadership
with the relevant technical issues. See Safeguards Workshop Tr.,
supra note 17, at 194-200.
---------------------------------------------------------------------------
Although the Commission agrees a certification report from a
Qualified Individual could be a part of the annual report and may cover
many material matters, it may not suffice in all cases; thus, the
Commission declines to include such a one-size-fits-all requirement.
As to the suggestion to require ``regular'' reporting, the
Commission agrees more regular reporting may be the best approach for
many financial institutions. To this end, the Commission modifies the
requirement in the final rule to say ``regularly, and at least
annually.'' \317\ Beyond this modification, the Final Rule adopts
proposed paragraph (i) as proposed.
---------------------------------------------------------------------------
\317\ NADA argued reports required by this provision would be
expensive because the Proposed Rule stated they would need to be
prepared by a ``CISO,'' which NADA takes to mean a highly
compensated expert of the type retained by the most sophisticated
large institutions. National Automobile Dealer Association (comment
46, NPRM), at 41. As discussed above, however, the Rule does not
require all financial institutions to retain such an expert.
Instead, the report will be made by the Qualified Individual, whose
expertise and compensation will vary according to the size and
complexity of a financial institution's information system.
---------------------------------------------------------------------------
Board Certification
The Commission specifically sought comment on whether the Board or
equivalent should be required to certify the contents of the report.
The two commenters who addressed this question stated they should
not.\318\ ACE noted ``governing boards generally will not have the
knowledge and expertise to independently certify'' the technical
aspects of the report and certification might require the employment of
outside auditors.\319\ The Commission agrees senior management of
financial institutions will often lack the technical expertise to
personally attest to the report's validity. In addition, the primary purpose of
the required report is to encourage communication between information
security personnel and senior management, not to show compliance with
the Rule. Requiring the governing board to certify the contents of the
report would likely transform the report into a compliance document and
might reduce its efficacy as a communication between the Qualified
Individual and the Board. Accordingly, the Commission declines to adopt
this requirement in the Final Rule.
---------------------------------------------------------------------------
\318\ National Automobile Dealer Association (comment 46, NPRM),
at 41 n.126; American Council on Education (comment 24, NPRM), at
16.
\319\ American Council on Education (comment 24, NPRM), at 16.
---------------------------------------------------------------------------
Sec. 314.5: Effective Date
The Proposed Rule set a new effective date for some portions of the
Rule. Proposed Sec. 314.5 provided certain elements of the information
security program would not be required until six months after the
publication of a final rule, rather than immediately upon publication.
The paragraphs that would have a delayed effective date were: Sec.
314.4(a), related to the appointment of a Qualified Individual; Sec.
314.4(b)(1), relating to conducting a written risk assessment; Sec.
314.4(c)(1) through (8), setting forth the new elements of the
information security program; Sec. 314.4(d)(2), requiring continuous
monitoring or annual penetration testing and biannual vulnerability
assessment; Sec. 314.4(e), requiring training for personnel; Sec.
314.4(f)(3), requiring periodic assessment of service providers; Sec.
314.4(h), requiring a written incident response plan; and Sec.
314.4(i), requiring annual written reports from the Qualified
Individual. All other requirements under the Safeguards Rule would
remain in effect during this six-month period. These remaining
requirements largely mirrored the requirements of the existing Rule.
All commenters that addressed this provision noted the difficulty
of complying with some of the provisions of the Proposed Rule, and
argued financial institutions should be given more time to comply with
them. ACE suggested financial institutions be given one year to create
a plan for compliance and two years to come into actual
compliance.\320\ AFSA suggested compliance not be required for two
years.\321\ ACA International requested the effective date be one year
after publication of the Rule.\322\
---------------------------------------------------------------------------
\320\ American Council on Education (comment 24, NPRM), at 4-5.
\321\ American Financial Services Association (comment 41,
NPRM), at 7.
\322\ ACA International (comment 45, NPRM), at 10-11.
---------------------------------------------------------------------------
The Commission agrees some financial institutions may need longer
to modify their information security programs to comply with the new
requirements in the Final Rule, especially given the current pandemic
and the strains it is placing on businesses. Accordingly, the Final
Rule extends the effective date for these enumerated provisions to one
year after the publication of this document.
Proposed Sec. 314.6: Exceptions
Proposed Sec. 314.6 exempted financial institutions that maintain
customer information concerning fewer than five thousand consumers from
certain requirements of the Proposed Rule, namely Sec. 314.4(b)(1),
requiring a written risk assessment; Sec. 314.4(d)(2), requiring
continuous monitoring or annual penetration testing and biannual
vulnerability assessment; Sec. 314.4(h), requiring a written incident
response plan; and Sec. 314.4(i), requiring an annual written report
by the CISO (as revised, the Qualified Individual).\323\ This proposed
section was designed to reduce the burden on smaller financial
institutions.
---------------------------------------------------------------------------
\323\ Proposed 16 CFR 314.6.
---------------------------------------------------------------------------
The Commission sought comment on whether it was appropriate to
include such an exemption, whether the specific exemptions were
appropriate, whether the use of the number of customers concerning whom
the financial institution retains customer information is the most
effective way to determine which financial institutions should be
exempted and, if so, whether five thousand customers was an appropriate
number. After reviewing the comments received, the Commission retains
the exemption for financial institutions with fewer than 5,000
customers as proposed.
Several commenters supported the inclusion of an exemption for
small financial institutions. Consumer Reports supported the exemption
as proposed.\324\ NPA supported the decision to base this exemption on
the number of customers whose information the financial institution
maintains, but questioned how the number of customers would be
determined.\325\ NPA asked whether the number of customers would be
counted on an annual basis or include all records the financial
institution maintains. It also asked if each transaction with a
customer would be counted separately.\326\
---------------------------------------------------------------------------
\324\ Consumer Reports (comment 52, NPRM), at 6; see also Credit
Union National Association (comment 30, NPRM), at 2 (noting the
exemption will be helpful for smaller businesses, but suggesting
other changes to the Proposed Rule so the exemption is not
required).
\325\ National Pawnbrokers Association (comment 32, NPRM), at 6.
\326\ Id.; see also National Independent Automobile Dealers
Association (comment 48, NPRM), at 3.
---------------------------------------------------------------------------
Some commenters argued the number of customers whose records a
financial institution maintains was the wrong measure by which to
assess whether the exemption should apply. For example, commenters
suggested the Rule should take into account businesses with revenue
beneath a certain threshold,\327\ the number of students enrolled at
covered educational institutions,\328\ or the number of individuals
employed by the financial institution.\329\
---------------------------------------------------------------------------
\327\ ACA International (comment 45, NPRM), at 11-12.
\328\ American Council on Education (comment 24, NPRM), at 5.
\329\ Ahmed Aly (comment 22, NPRM).
---------------------------------------------------------------------------
Additionally, some commenters argued the threshold for application
of the exemption should be higher. ACA International suggested the
exemption should apply to all financial institutions maintaining
records concerning fewer than 10,000 customers.\330\ AFSA suggested a
50,000 customer threshold.\331\ NADA \332\ and NIADA \333\ argued the
threshold should be raised to 100,000 customers. Without proposing a
specific alternative, NPA expressed concern the 5,000-customer
threshold may be too low, noting pawnbrokers who accept firearms as
collateral are required to keep customer records related to certain
transactions for twenty years.\334\
---------------------------------------------------------------------------
\330\ ACA International (comment 45, NPRM), at 11-12.
\331\ American Financial Services Association (comment 41,
NPRM), at 3-4.
\332\ National Automobile Dealers Association (comment 46,
NPRM), at 43-44. NADA also suggested information about customers for
which the nonpublic information has been removed should not be
counted toward the total. If the information is anonymized or otherwise
transformed so it is no longer reasonably linkable to a customer,
that information will not count towards the exemption. NADA's
example of retaining only ``name, phone number, address, and VIN of
the vehicle they own,'' would still count as customer information
under the Rule.
\333\ National Independent Automobile Dealers Association
(comment 48, NPRM), at 3.
\334\ National Pawnbrokers Association (comment 32, NPRM), at 6.
---------------------------------------------------------------------------
As to the substance of the exemption, some commenters felt it did
not go far enough to relieve the burden of the rule for small financial
institutions. ACA International proposed eligible financial
institutions should also be exempt from the requirement to designate a
single qualified individual to oversee their information security
programs.\335\ The National Federation of Independent Business argued
businesses with 15 or fewer employees should be exempted from the Rule
entirely and instead held only to a requirement to take ``commercially
reasonable steps'' to safeguard customer information.\336\ The Small
Business Administration Office of Advocacy suggested, in the absence of
additional information regarding the impact of the proposed changes on
small businesses, the Rule should ``maintain the status quo'' for small
entities as defined by the Small Business Administration's size
standards.\337\
---------------------------------------------------------------------------
\335\ ACA International (comment 45, NPRM), at 12.
\336\ National Federation of Independent Business (comment 16,
NPRM), at 4.
\337\ Small Business Administration Office of Advocacy (comment
28, NPRM), at 6.
---------------------------------------------------------------------------
On the other hand, other commenters opposed the inclusion of any
exemption. The Independent Community Bankers of America noted the
Federal Financial Institutions Examination Council Interagency
Guidelines Establishing Standards for Safeguarding Customer Information
(``FFIEC Guidelines''), which detail how depository institutions are
required to protect customer information, include no exemption for
smaller institutions and suggested the Rule should also have no
exemption and apply equally to all financial institutions.\338\
---------------------------------------------------------------------------
\338\ Independent Community Bankers of America (comment 35,
NPRM), at 4; see also American Escrow (comment 6, Workshop), at 3
(arguing even small companies may need to comply with all portions
of the Rule to maintain consumer confidence); see also Caiting Wang
(comment 6, Privacy) (suggesting exempted provisions should be
optional for smaller businesses, or the Commission create a fund to
enable small businesses to comply with these provisions).
---------------------------------------------------------------------------
Under the existing Rule, there is no exception for smaller
entities. Still, the Commission continues to believe it is appropriate
to exempt small businesses from some of the revised Rule's
requirements. Although the FFIEC Guidelines do not exempt small
businesses from their requirements, the FFIEC Guidelines regulate only
depository financial institutions subject to an entirely different
regulatory regime, including supervision by their regulatory agencies.
While the provisions from which eligible financial institutions are
exempt have significant benefits for the security of customer
information and other sensitive data,\339\
[[Page 70301]]
those provisions may be less necessary in situations where the overall
volume of retained data is low. This is true in part because the
potential for cumulative consumer harm is less where fewer consumers'
information may be exposed as the result of a security incident.\340\
---------------------------------------------------------------------------
\339\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop
Tr., supra note 17, at 85 (noting continuous monitoring allows
organizations to detect and quickly respond to threats); Remarks of
Frederick Lee, Safeguards Workshop Tr., supra note 17, at 126-28
(discussing benefits of penetration testing);
Remarks of Tom Dugas, Safeguards Workshop Tr., supra note 17, at 143
(noting the importance of vulnerability scans); Remarks of Michele
Norin, Safeguards Workshop Tr., supra note 17, at 194-95 (asserting
annual reporting by the Qualified Individual to an organization's
board or equivalent is beneficial); Remarks of Adrienne Allen,
Safeguards Workshop Tr., supra note 17, at 201.
\340\ See Remarks of James Crifasi, Safeguards Workshop Tr.,
supra note 17, at 91-92 (noting companies that control large amounts
of consumer data should in most instances implement the full range
of data security safeguards, whereas small businesses with less data
may need to focus on cybersecurity basics); see also Remarks of Lee
Waters, Safeguards Workshop Tr., supra note 17, at 91 (``[T]he
amount of data [that a business holds] would definitely have an
influence on whether a business is even going to be attacked.'');
Remarks of Rocio Baeza, Safeguards Workshop Tr., supra note 17, at
94 (citing the volume of consumer records held by an organization as
an important factor in assessing cybersecurity risk).
---------------------------------------------------------------------------
For similar reasons, the Commission finds the number of individuals
concerning whom a financial institution maintains customer information
is the appropriate measure of whether the exemption should apply to a
particular financial institution. The application of the exemption
should take into account both the potential burden of compliance to
financial institutions and the risk to consumers when standards are
relaxed--in other words, the purpose of the exemption is to avoid
imposing undue burden while assuring customer information is subject to
necessary protections. Even a very small financial institution,
depending on its business model, may retain very large quantities of
sensitive customer information.\341\ Adequate security is necessary to
protect such information, which may constitute an attractive target for
bad actors such as identity thieves; the value of the target is
correlated with the volume of information maintained.\342\ While a
business's revenue or number of employees may provide a measure of the
burden of compliance for that business, these figures do not capture
consumer risk. By contrast, the number of individuals about whom a
financial institution maintains customer information is a proxy for the
level of security necessary in light of both the risk of attack and the
potential consumer harm should a security incident occur.\343\ In
addition, basing the exemption on the number of individuals concerning
whom a financial institution maintains customer information provides an
incentive to financial institutions to reduce the amount of information
they retain. A financial institution may choose to dispose of
information so it holds information on few enough consumers to qualify
for exemption.\344\
---------------------------------------------------------------------------
\341\ See, e.g., Remarks of James Crifasi, Safeguards Workshop
Tr., supra note 17, at 91-92 (noting small businesses with an
enormous amount of consumer records need to follow all of the
safeguards and ``can't get away with just doing the basics''); see
also ACA International (comment 45, NPRM) at 11 (``Many small
financial institutions, including a number of ACA members, have
objectively limited operations in terms of number of employees and
revenues, but handle large volumes of consumer account data for each
of their clients on whose behalf they are collecting debts.'').
\342\ See, e.g., Remarks of Rocio Baeza, Safeguards Workshop
Tr., supra note 17, at 94 (opining ``the better indicators for
cybersecurity risk are going to be two things: The volume of
consumer records that a financial institution holds and also the
rate of change.''); Remarks of Lee Waters, Safeguards Workshop Tr.,
supra note 17, at 91 (noting the amount of data a company holds
influences whether it is going to be attacked).
\343\ See Remarks of Brian McManamon, Safeguards Workshop Tr.,
supra note 17, at 89-90 (noting the size of a financial institution
and the amount and nature of the information it holds factor into an
appropriate information security program).
\344\ The Commission understands this provision to count all
individual consumers about whom a financial institution maintains
customer information, including both current and former customers.
The exemption counts consumers rather than transactions so a
financial institution that had 100 transactions with a single
customer would count only a single consumer.
---------------------------------------------------------------------------
The Final Rule adopts this section as proposed. The Commission
continues to believe the cutoff for financial institutions maintaining
information concerning 5,000 consumers appropriately balances the need
for security with the burdens on smaller businesses. The requirements
to which exempted financial institutions would still be required to
adhere are tailored to balance the importance of adequately securing
customer information against the need to limit financial burdens for
small businesses. Many of these requirements were already in force as
part of the existing Rule--for example, covered financial institutions
were already required to design and implement a written information
security program, conduct risk assessments, perform an initial
assessment of their service providers, and designate one or more
employees to oversee information security. For reasons discussed
elsewhere in this document, the new requirements that apply to exempted
financial institutions, such as the requirement to designate a single
qualified individual to oversee information security rather than one or
more individuals, will ensure financial institutions of all sizes
continue to adequately protect customer information in an environment
of increasing cybersecurity risk, while avoiding the imposition of
undue burden.
IV. Paperwork Reduction Act
The Paperwork Reduction Act (``PRA''), 44 U.S.C. chapter 35, requires
Federal agencies to seek and obtain Office of Management and Budget
(OMB) approval before undertaking a collection of information directed
to ten or more persons.\345\ A ``collection of information'' occurs
when ten or more persons are asked to report, provide, disclose, or
record information in response to ``identical questions.'' \346\
Applying these standards, neither the Safeguards Rule nor the
amendments constitute a ``collection of information.'' \347\ The Rule
calls upon affected financial institutions to develop or strengthen
their information security programs in order to provide reasonable
safeguards. Under the Rule, each financial institution's safeguards
will vary according to its size and complexity, the nature and scope of
its activities, and the sensitivity of the information involved. For
example, a financial institution with numerous employees would develop
and implement employee training and management procedures beyond those
that would be appropriate or reasonable for a sole proprietorship, such
as an individual tax preparer or mortgage broker. Similarly, a
financial institution that shares customer information with numerous
service providers would need to take steps to ensure such information
remains protected, while a financial institution with no service
providers would not need to address this issue. Thus, although each
financial institution must summarize its compliance efforts in one or
more written documents, the discretionary balancing of factors and
circumstances the Rule allows--including the myriad operational
differences among the businesses it contemplates--does not require entities
to answer ``identical questions'' and therefore does not trigger the
PRA's requirements.
---------------------------------------------------------------------------
\345\ 44 U.S.C. 3502(3)(A)(i).
\346\ See 44 U.S.C. 3502(3)(A).
\347\ See Standards for Safeguarding Customer Information, 67 FR
36484, 36491 (May 23, 2002).
---------------------------------------------------------------------------
The amendments to the Rule do not change this analysis because they
retain the existing Rule's process-based approach, allowing financial
institutions to tailor their programs to reflect the financial
institutions' size, complexity, and operations, and to the
[[Page 70302]]
sensitivity and amount of customer information they collect. For
example, amended Sec. 314.4(b) would require a written risk
assessment, but each risk assessment will reflect the particular
structure and operation of the financial institution and, though each
assessment must include certain criteria, these are only general
guidelines and do not consist of ``identical questions.'' Similarly,
amended Sec. 314.4(h), which requires a written incident response
plan, is only an extension of the preexisting requirement of a written
information security plan and would necessarily vary significantly
based on factors such as the financial institution's internal
procedures, which officials within the financial institution have
decision-making authority, how the financial institution communicates
internally and externally, and the structure of the financial
institution's information systems. Likewise, the requirement for
Qualified Individuals to produce annual reports under amended
Sec. 314.4(i) does not consist of answers to identical questions, as
the content of these reports would vary considerably between financial
institutions and Qualified Individuals are given flexibility in
deciding what to include in the reports. Finally, the modification of
the definition of ``financial institution'' to include ``activities
incidental to financial activities,'' and therefore bring finders under
the scope of the Rule, does not constitute a ``collection of
information'' and therefore does not trigger the PRA's requirements.
V. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), as amended by the Small
Business Regulatory Enforcement Fairness Act of 1996, requires an
agency to either provide an Initial Regulatory Flexibility Analysis
(IRFA) with a proposed Rule, or certify that the proposed Rule will not
have a significant impact on a substantial number of small
entities.\348\ The Commission published an Initial Regulatory
Flexibility Analysis in order to inquire into the impact of the
Proposed Rule on small entities. In response, the Commission received
comments that argued the revision to the Safeguards Rule would be
unduly burdensome for smaller financial institutions. The discussion
below summarizes these comments and the Commission's response to them.
---------------------------------------------------------------------------
\348\ 5 U.S.C. 603 et seq.
---------------------------------------------------------------------------
1. Description of the Reason for Agency Action
The Commission issues these amendments to clarify the Safeguards
Rule by including a definition of ``financial institution'' and related
examples in the Safeguards Rule rather than incorporating them from the
Privacy Rule by reference. The amendments also expand the definition of
``financial institution'' in the Rule to include entities engaged in
activities incidental to financial activities. This change would bring
``finders'' within the scope of the Rule. This change harmonizes the
Rule with other agencies' rules and requires finders that collect
consumers' sensitive financial information to comply with the
Safeguards Rule's process-based approach to protect that data.
In addition, the amendments modify the Safeguards Rule to include
more detailed requirements for the information security program
required by the Rule.
2. Issues Raised by Comments in Response to the IRFA
As stated above, the Commission received several comments that
argued the revised Safeguards Rule would impose unduly heavy burdens on
smaller businesses. The Small Business Administration's Office of
Advocacy commented it was concerned the FTC had not gathered sufficient
data as to either the costs or benefits of the proposed changes for
small financial institutions. The FTC shares the Office of Advocacy's
interest in ensuring regulatory changes have an evidentiary basis. Many
of the questions on which the FTC sought public comment, both in the
regulatory review and in the proposed rule context, specifically
related to the costs and benefits of existing and proposed Rule
requirements. Following the initial round of commenting, the Commission
conducted the FTC Safeguards Workshop and solicited additional public
comments with the explicit goal of gathering additional data relating
to the costs and benefits of the proposed changes.\349\ As detailed
throughout this document, the Commission believes there is a strong
evidentiary basis for the issuance of the Final Rule.
---------------------------------------------------------------------------
\349\ See Public Workshop Examining Information Security for
Financial Institutions and Information Related to Changes to the
Safeguards Rule, 85 FR 13082 (Mar. 6, 2020).
---------------------------------------------------------------------------
The Office of Advocacy also argued the Proposed Rule's requirements
were unduly prescriptive and should not be enacted as they apply to
small businesses until the Commission can ``ascertain the quantitative
impact on small entities.'' \350\ The Office of Advocacy, along with
other commenters, argued the amendments taken together would create a
large burden on smaller financial institutions. In particular,
commenters pointed to the requirements that financial institutions
appoint a chief information security officer, customer information be
encrypted, financial institutions utilize multi-factor authentication,
and financial institutions regularly update training programs. These
comments and the Commission's response are discussed at length above.
Most commenters did not provide any specific estimates of these
expenses, but two commenters did provide a summary of their expected
expenses.
---------------------------------------------------------------------------
\350\ Small Business Administration Office of Advocacy (comment
28, NPRM), at 6.
---------------------------------------------------------------------------
As discussed in the document, the Commission believes any burden
imposed by the revised Rule is substantially mitigated by the fact the
Rule continues to be process-based, flexible, and based on the
financial institution's size and complexity. In addition, the
amendments exempt institutions that maintain information on fewer than
5,000 consumers from certain requirements that require additional
written product and might pose a greater burden on smaller entities.
The Commission believes most of the entities covered by the exemption
will be small businesses. Finally, the Commission believes all
financial institutions, including small businesses, that comply with
the current Safeguards Rule will already be in compliance with most of
the new provisions of the revised Rule as part of their current
information security program.
In addition, in response to the comments concerned about the burden
of the amendments, the Commission extended the deadline for compliance
with the new provisions from six months after the publication of the
Final Rule to one year after publication, to allow financial
institutions additional time to come into compliance with the revised
Rule. In addition, in response to
comments that argued hiring a chief information security officer would
be prohibitively expensive for small financial institutions, the
Commission amended the rule to clarify such an employee was not
required for all financial institutions. The Final Rule is modified to
clarify a financial institution need only appoint an individual who is
qualified to coordinate its information security program, and those
qualifications will vary based on the complexity of the program and
size and nature of the
[[Page 70303]]
financial institution. The Commission also clarified employee training
programs need to be updated only as necessary, in response to a comment
that regular updating would be difficult for smaller financial
institutions.
3. Estimate of Number of Small Entities to Which the Amendments Will
Apply
As previously discussed in the IRFA, determining a precise estimate
of the number of small entities \351\--including newly covered entities
under the modified definition of financial institution--is not readily
feasible. Financial institutions already covered by the Rule as
originally promulgated include lenders, financial advisors, loan
brokers and servicers, collection agencies, tax preparers, and real
estate settlement services, to the extent they have
``customer information'' within the meaning of the Rule. Finders are
also covered under the Final Rule. However, it is not known whether any
finders are small entities, and if so, how many there are. The
Commission requested comment and information on the number of
``finders'' that would be covered by the Rule's modified definition of
``financial institution,'' and how many of those finders, if any, are
small entities. The Commission received no comments that addressed this
question.
---------------------------------------------------------------------------
\351\ The U.S. Small Business Administration Table of Small
Business Size Standards Matched to North American Industry
Classification System Codes (``NAICS'') are generally expressed in
either millions of dollars or number of employees. A size standard
is the largest a business can be and still qualify as a small
business for Federal Government programs. For the most part, size
standards are the annual receipts or the average employment of a
firm. Depending on the nature of the financial services an
institution provides, the size standard varies. By way of example,
mortgage and nonmortgage loan brokers (NAICS code 522310) are
classified as small if their annual receipts are $8.0 million or
less. Consumer lending institutions (NAICS code 522291) are
classified as small if their annual receipts are $41.5 million or
less. Commercial banking and savings institutions (NAICS codes
522110 and 522120) are classified as small if their assets are $600
million or less. Assets are determined by averaging the assets
reported on businesses' four quarterly financial statements for the
preceding year. The 2019 Table of Small Business Size Standards is
available at https://www.sba.gov/sites/default/files/2019-08/SBA%20Table%20of%20Size%20Standards_Effective%20Aug%2019%2C%202019_Rev.pdf.
---------------------------------------------------------------------------
4. Projected Reporting, Recordkeeping, and Other Compliance
Requirements
The Rule does not impose any reporting or any specific
recordkeeping requirements as discussed earlier. See supra Section IV
(Paperwork Reduction Act). With regard to other compliance
requirements, the addition of definitions and examples from the Privacy
Rule is not expected to have an impact on covered financial
institutions, including those that may be small entities. (The
preceding section of this analysis discusses classes of covered
financial institutions that may qualify as small entities.) The
addition of ``finders'' to the definition of financial institutions
imposes the obligations of the Rule on entities that engage in
``finding'' activity and also collect customer information.
The addition of more detailed requirements may require some
financial institutions to perform additional risk assessments or
monitoring, or to create additional safeguards as set forth in the
Proposed Rule. These obligations may require institutions to retain
employees or third-party service providers with skills in information
security, but, as discussed above, the Commission believes most
financial institutions will have already complied with many parts of
the Rule as part of their information security programs required under
the existing Rule. There may be additional related compliance costs
(e.g., legal, new equipment or systems, modifications to policies or
procedures), but, as discussed above, the Commission believes these are
limited by several factors, including the flexibility of the Rule, the
existing safeguards in place to comply with the existing Rule, and the
exemption for financial institutions that maintain less consumer
information.
Although two commenters provided summaries of the expected expenses
for some financial institutions to comply with the Rule, those
estimates did not provide sufficient detail to fully evaluate whether
they were accurate or representative of other financial institutions
and appeared to be based, at least in part, on a misunderstanding of
the requirement to appoint a Qualified Individual. The Commission
believes, for most smaller financial institutions, there are very low-
cost solutions for any additional duties imposed by the Final Rule.
This view is supported by the comments of several experts at the
Safeguards Rule Workshop.\352\
---------------------------------------------------------------------------
\352\ See, e.g., Remarks of Brian McManamon, Safeguards Workshop
Tr., supra note 17, at 78 (describing virtual CISO services);
Matthew Green, Safeguards Workshop Tr., supra note 17, at 225
(noting website usage of encryption for data in motion is above 80
percent; ``Let's Encrypt'' provides free TLS certificates; and costs
have gone down to the point that if a financial institution is not
using TLS encryption for data in motion, it is making an unusual
decision outside the norm); Rocio Baeza, Safeguards Workshop Tr.,
supra note 17, at 106 (``[T]he encryption of data in transit has
been standard. There's no pushback with that.''); Slides
Accompanying the Remarks of Lee Waters, ``Information Security
Programs and Smaller Businesses,'' in Safeguards Workshop Slides,
supra note 72, at 26 (``Estimated Costs of Proposed Changes,''
estimating costs of multi-factor authentication to be $50 for
smartcard or fingerprint readers, and $10 each per smartcard);
Slides Accompanying Remarks of Wendy Nather, Safeguards Workshop
Slides, supra note 72, at 37 (chart showing the use of multi-factor
authentication solutions such as Duo Push, phone call, mobile
passcode, SMS passcode, hardware token, Yubikey passcode, and U2F
token in industries such as financial services and higher
education).
---------------------------------------------------------------------------
The Commission believes the protection of consumers' financial
information is of the utmost importance and the cost of the safeguards
required to provide that protection is justified and necessary. The
Commission carefully balanced the cost of these requirements with the
need to protect consumer information and has made every effort to
ensure the Final Rule retains flexibility so financial institutions can
tailor information security programs to the size and complexity of the
financial institution, the nature and scope of its activities, and the
sensitivity of any customer information at issue.
5. Description of Steps Taken To Minimize Significant Economic Impact,
if Any, on Small Entities, Including Alternatives
The standards in the Final Rule allow a small financial institution
to develop an information security program appropriate to its size and
complexity, the nature and scope of its activities, and the sensitivity
of any customer information at issue. The amendments include certain
design standards (e.g., a company must implement encryption,
authentication, and incident response) in the Rule, in addition to the
performance standards (reasonable security) the Rule currently uses. As
discussed, while these design standards may introduce some additional
burden, the Commission believes many financial institutions' existing
information security programs already meet most of these requirements.
In addition, the requirements in the Final Rule, like those in the
existing Rule, are designed to allow financial institutions flexibility
in how and whether they should be implemented. For example, the
requirement encryption be used to protect customer information in
transit and at rest may be met with effective alternative compensating
controls if encryption is infeasible for a given financial institution.
In addition, the amendments exempt financial institutions that
maintain relatively small amounts of customer information from certain
requirements of the Final Rule. The exemptions would apply to financial
institutions that maintain customer information
[[Page 70304]]
concerning fewer than 5,000 consumers. The Commission believes
exempted financial institutions are generally, but not exclusively,
small entities. Such financial institutions are not required to perform
a written risk assessment, conduct continuous monitoring or annual
penetration testing and biannual vulnerability assessment, prepare a
written incident response plan, or prepare an annual written report by
the Qualified Individual. These exemptions are intended to reduce the
burden on smaller financial institutions. The Commission believes the
obligations subject to these exemptions are the ones most likely to
cause undue burden on smaller financial institutions.
Exempted financial institutions will still need to conduct risk
assessments, design and implement a written information security
program with the required elements, utilize qualified information
security personnel and train employees, monitor activity of authorized
users, oversee service providers, and evaluate and adjust their
information security program. These are core obligations under the Rule
any financial institution that collects customer information must meet,
regardless of size.
The Commission considered allowing compliance with a third-party
data security standard, such as the NIST framework, to act as a safe
harbor for compliance with the Rule. The Commission, however,
determined any reduction of burden created by allowing such safe
harbors is offset by issues they would cause. For example, such safe
harbors would require the Commission to monitor the third-party
standard or standards to determine whether they continued to align with
the Safeguards Rule. In addition, the Commission would still have to
investigate a company's compliance with the outside standard in any
enforcement action. The Commission also does not agree compliance with
an outside standard is likely to be less burdensome than complying with
the Safeguards Rule itself.
VI. Other Matters
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.),
the Office of Information and Regulatory Affairs designated this rule
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).
List of Subjects in 16 CFR Part 314
Consumer protection, Credit, Data protection, Privacy, Trade
practices.
For the reasons stated above, the Federal Trade Commission amends
16 CFR part 314 as follows:
PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
■
1. The authority citation for part 314 continues to read as follows:
Authority: 15 U.S.C. 6801(b), 6805(b)(2).
■
2. In Sec. 314.1, revise paragraph (b) to read as follows:
Sec. 314.1 Purpose and scope.
* * * * *
(b) Scope. This part applies to the handling of customer
information by all financial institutions over which the Federal Trade
Commission (``FTC'' or ``Commission'') has jurisdiction. Namely, this
part applies to those ``financial institutions'' over which the
Commission has rulemaking authority pursuant to section 501(b) of the
Gramm-Leach-Bliley Act. An entity is a ``financial institution'' if its
business is engaging in an activity that is financial in nature or
incidental to such financial activities as described in section 4(k) of
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which
incorporates activities enumerated by the Federal Reserve Board in 12
CFR 225.28 and 225.86. The ``financial institutions'' subject to the
Commission's enforcement authority are those that are not otherwise
subject to the enforcement authority of another regulator under section
505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically,
those entities include, but are not limited to, mortgage lenders, ``pay
day'' lenders, finance companies, mortgage brokers, account servicers,
check cashers, wire transferors, travel agencies operated in connection
with financial services, collection agencies, credit counselors and
other financial advisors, tax preparation firms, non-federally insured
credit unions, investment advisors that are not required to register
with the Securities and Exchange Commission, and entities acting as
finders. They are referred to in this part as ``You.'' This part
applies to all customer information in your possession, regardless of
whether such information pertains to individuals with whom you have a
customer relationship, or pertains to the customers of other financial
institutions that have provided such information to you.
■
3. Revise Sec. 314.2 to read as follows:
Sec. 314.2 Definitions.
(a) Authorized user means any employee, contractor, agent,
customer, or other person that is authorized to access any of your
information systems or data.
(b)(1) Consumer means an individual who obtains or has obtained a
financial product or service from you that is to be used primarily for
personal, family, or household purposes, or that individual's legal
representative.
(2) For example:
(i) An individual who applies to you for credit for personal,
family, or household purposes is a consumer of a financial service,
regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to
you in order to obtain a determination about whether he or she may
qualify for a loan to be used primarily for personal, family, or
household purposes is a consumer of a financial service, regardless of
whether the loan is extended.
(iii) An individual who provides nonpublic personal information to
you in connection with obtaining or seeking to obtain financial,
investment, or economic advisory services is a consumer, regardless of
whether you establish a continuing advisory relationship.
(iv) If you hold ownership or servicing rights to an individual's
loan that is used primarily for personal, family, or household
purposes, the individual is your consumer, even if you hold those
rights in conjunction with one or more other institutions. (The
individual is also a consumer with respect to the other financial
institutions involved.) An individual who has a loan in which you have
ownership or servicing rights is your consumer, even if you, or another
institution with those rights, hire an agent to collect on the loan.
(v) An individual who is a consumer of another financial
institution is not your consumer solely because you act as agent for,
or provide processing or other services to, that financial institution.
(vi) An individual is not your consumer solely because he or she
has designated you as trustee for a trust.
(vii) An individual is not your consumer solely because he or she
is a beneficiary of a trust for which you are a trustee.
(viii) An individual is not your consumer solely because he or she
is a participant or a beneficiary of an employee benefit plan that you
sponsor or for which you act as a trustee or fiduciary.
(c) Customer means a consumer who has a customer relationship with
you.
(d) Customer information means any record containing nonpublic
personal information about a customer of a financial institution,
whether in paper, electronic, or other form, that is handled
or maintained by or on behalf of you or your affiliates.
(e)(1) Customer relationship means a continuing relationship
between a consumer and you under which you provide one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
(2) For example:
(i) Continuing relationship. A consumer has a continuing
relationship with you if the consumer:
(A) Has a credit or investment account with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product from you;
(D) Holds an investment product through you, such as when you act
as a custodian for securities or for assets in an Individual Retirement
Arrangement;
(E) Enters into an agreement or understanding with you whereby you
undertake to arrange or broker a home mortgage loan, or credit to
purchase a vehicle, for the consumer;
(F) Enters into a lease of personal property on a non-operating
basis with you;
(G) Obtains financial, investment, or economic advisory services
from you for a fee;
(H) Becomes your client for the purpose of obtaining tax
preparation or credit counseling services from you;
(I) Obtains career counseling while seeking employment with a
financial institution or the finance, accounting, or audit department
of any company (or while employed by such a financial institution or
department of any company);
(J) Is obligated on an account that you purchase from another
financial institution, regardless of whether the account is in default
when purchased, unless you do not locate the consumer or attempt to
collect any amount from the consumer on the account;
(K) Obtains real estate settlement services from you; or
(L) Has a loan for which you own the servicing rights.
(ii) No continuing relationship. A consumer does not, however, have
a continuing relationship with you if:
(A) The consumer obtains a financial product or service from you
only in isolated transactions, such as using your ATM to withdraw cash
from an account at another financial institution; purchasing a money
order from you; cashing a check with you; or making a wire transfer
through you;
(B) You sell the consumer's loan and do not retain the rights to
service that loan;
(C) You sell the consumer airline tickets, travel insurance, or
traveler's checks in isolated transactions;
(D) The consumer obtains one-time personal or real property
appraisal services from you; or
(E) The consumer purchases checks for a personal checking account
from you.
(f) Encryption means the transformation of data into a form that
results in a low probability of assigning meaning without the use of a
protective process or key, consistent with current cryptographic
standards and accompanied by appropriate safeguards for cryptographic
key material.
(g)(1) Financial product or service means any product or service
that a financial holding company could offer by engaging in a financial
activity under section 4(k) of the Bank Holding Company Act of 1956 (12
U.S.C. 1843(k)).
(2) Financial service includes your evaluation or brokerage of
information that you collect in connection with a request or an
application from a consumer for a financial product or service.
(h)(1) Financial institution means any institution the business of
which is engaging in an activity that is financial in nature or
incidental to such financial activities as described in section 4(k) of
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution
that is significantly engaged in financial activities, or significantly
engaged in activities incidental to such financial activities, is a
financial institution.
(2) Examples of financial institutions are as follows:
(i) A retailer that extends credit by issuing its own credit card
directly to consumers is a financial institution because extending
credit is a financial activity listed in 12 CFR 225.28(b)(1) and
referenced in section 4(k)(4)(F) of the Bank Holding Company Act of
1956 (12 U.S.C. 1843(k)(4)(F)), and issuing that extension of credit
through a proprietary credit card demonstrates that a retailer is
significantly engaged in extending credit.
(ii) An automobile dealership that, as a usual part of its
business, leases automobiles on a nonoperating basis for longer than 90
days is a financial institution with respect to its leasing business
because leasing personal property on a nonoperating basis where the
initial term of the lease is at least 90 days is a financial activity
listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of
the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
(iii) A personal property or real estate appraiser is a financial
institution because real and personal property appraisal is a financial
activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section
4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
(iv) A career counselor that specializes in providing career
counseling services to individuals currently employed by or recently
displaced from a financial organization, individuals who are seeking
employment with a financial organization, or individuals who are
currently employed by or seeking placement with the finance, accounting
or audit departments of any company is a financial institution because
such career counseling activities are financial activities listed in 12
CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank
Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
(v) A business that prints and sells checks for consumers, either
as its sole business or as one of its product lines, is a financial
institution because printing and selling checks is a financial activity
that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section
4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
(vi) A business that regularly wires money to and from consumers is
a financial institution because transferring money is a financial
activity referenced in section 4(k)(4)(A) of the Bank Holding Company
Act, 12 U.S.C. 1843(k)(4)(A), and regularly providing that service
demonstrates that the business is significantly engaged in that
activity.
(vii) A check cashing business is a financial institution because
cashing a check is exchanging money, which is a financial activity
listed in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C.
1843(k)(4)(A).
(viii) An accountant or other tax preparation service that is in
the business of completing income tax returns is a financial
institution because tax preparation services is a financial activity
listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G)
of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).
(ix) A business that operates a travel agency in connection with
financial services is a financial institution because operating a
travel agency in connection with financial services is a financial
activity listed in 12 CFR 225.86(b)(2) and referenced in section
4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).
(x) An entity that provides real estate settlement services is a
financial institution because providing real estate settlement services
is a financial activity
listed in 12 CFR 225.28(b)(2)(viii) and referenced in section
4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).
(xi) A mortgage broker is a financial institution because brokering
loans is a financial activity listed in 12 CFR 225.28(b)(1) and
referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12
U.S.C. 1843(k)(4)(F).
(xii) An investment advisory company and a credit counseling
service are each financial institutions because providing financial and
investment advisory services are financial activities referenced in
section 4(k)(4)(C) of the Bank Holding Company Act, 12 U.S.C.
1843(k)(4)(C).
(xiii) A company acting as a finder in bringing together one or
more buyers and sellers of any product or service for transactions that
the parties themselves negotiate and consummate is a financial
institution because acting as a finder is an activity that is financial
in nature or incidental to a financial activity listed in 12 CFR
225.86(d)(1).
(3) Financial institution does not include:
(i) Any person or entity with respect to any financial activity
that is subject to the jurisdiction of the Commodity Futures Trading
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(ii) The Federal Agricultural Mortgage Corporation or any entity
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C.
2001 et seq.);
(iii) Institutions chartered by Congress specifically to engage in
securitizations, secondary market sales (including sales of servicing
rights) or similar transactions related to a transaction of a consumer,
as long as such institutions do not sell or transfer nonpublic personal
information to a nonaffiliated third party other than as permitted by
Sec. Sec. 313.14 and 313.15; or
(iv) Entities that engage in financial activities but that are not
significantly engaged in those financial activities, and entities that
engage in activities incidental to financial activities but that are
not significantly engaged in activities incidental to financial
activities.
(4) Examples of entities that are not significantly engaged in
financial activities are as follows:
(i) A retailer is not a financial institution if its only means of
extending credit are occasional ``lay away'' and deferred payment plans
or accepting payment by means of credit cards issued by others.
(ii) A retailer is not a financial institution merely because it
accepts payment in the form of cash, checks, or credit cards that it
did not issue.
(iii) A merchant is not a financial institution merely because it
allows an individual to ``run a tab.''
(iv) A grocery store is not a financial institution merely because
it allows individuals to whom it sells groceries to cash a check, or
write a check for a higher amount than the grocery purchase and obtain
cash in return.
(i) Information security program means the administrative,
technical, or physical safeguards you use to access, collect,
distribute, process, protect, store, use, transmit, dispose of, or
otherwise handle customer information.
(j) Information system means a discrete set of electronic
information resources organized for the collection, processing,
maintenance, use, sharing, dissemination or disposition of electronic
information containing customer information or connected to a system
containing customer information, as well as any specialized system such
as industrial/process controls systems, telephone switching and private
branch exchange systems, and environmental controls systems that
contains customer information or that is connected to a system that
contains customer information.
(k) Multi-factor authentication means authentication through
verification of at least two of the following types of authentication
factors:
(1) Knowledge factors, such as a password;
(2) Possession factors, such as a token; or
(3) Inherence factors, such as biometric characteristics.
(l)(1) Nonpublic personal information means:
(i) Personally identifiable financial information; and
(ii) Any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived
using any personally identifiable financial information that is not
publicly available.
(2) Nonpublic personal information does not include:
(i) Publicly available information, except as included on a list
described in paragraph (l)(1)(ii) of this section; or
(ii) Any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived
without using any personally identifiable financial information that is
not publicly available.
(3) For example:
(i) Nonpublic personal information includes any list of
individuals' names and street addresses that is derived in whole or in
part using personally identifiable financial information (that is not
publicly available), such as account numbers.
(ii) Nonpublic personal information does not include any list of
individuals' names and addresses that contains only publicly available
information, is not derived, in whole or in part, using personally
identifiable financial information that is not publicly available, and
is not disclosed in a manner that indicates that any of the individuals
on the list is a consumer of a financial institution.
(m) Penetration testing means a test methodology in which assessors
attempt to circumvent or defeat the security features of an information
system by attempting penetration of databases or controls from outside
or inside your information systems.
(n)(1) Personally identifiable financial information means any
information:
(i) A consumer provides to you to obtain a financial product or
service from you;
(ii) About a consumer resulting from any transaction involving a
financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with
providing a financial product or service to that consumer.
(2) For example:
(i) Information included. Personally identifiable financial
information includes:
(A) Information a consumer provides to you on an application to
obtain a loan, credit card, or other financial product or service;
(B) Account balance information, payment history, overdraft
history, and credit or debit card purchase information;
(C) The fact that an individual is or has been one of your
customers or has obtained a financial product or service from you;
(D) Any information about your consumer if it is disclosed in a
manner that indicates that the individual is or has been your consumer;
(E) Any information that a consumer provides to you or that you or
your agent otherwise obtain in connection with collecting on, or
servicing, a credit account;
(F) Any information you collect through an internet ``cookie'' (an
information collecting device from a web server); and
(G) Information from a consumer report.
(ii) Information not included. Personally identifiable financial
information does not include:
(A) A list of names and addresses of customers of an entity that is
not a financial institution; and
(B) Information that does not identify a consumer, such as
aggregate information or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
(o)(1) Publicly available information means any information that
you have a reasonable basis to believe is lawfully made available to
the general public from:
(i) Federal, State, or local government records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public that are required to be
made by Federal, State, or local law.
(2) You have a reasonable basis to believe that information is
lawfully made available to the general public if you have taken steps
to determine:
(i) That the information is of the type that is available to the
general public; and
(ii) Whether an individual can direct that the information not be
made available to the general public and, if so, that your consumer has
not done so.
(3) For example:
(i) Government records. Publicly available information in
government records includes information in government real estate
records and security interest filings.
(ii) Widely distributed media. Publicly available information from
widely distributed media includes information from a telephone book, a
television or radio program, a newspaper, or a website that is
available to the general public on an unrestricted basis. A website is
not restricted merely because an internet service provider or a site
operator requires a fee or a password, so long as access is available
to the general public.
(iii) Reasonable basis. (A) You have a reasonable basis to believe
that mortgage information is lawfully made available to the general
public if you have determined that the information is of the type
included on the public record in the jurisdiction where the mortgage
would be recorded.
(B) You have a reasonable basis to believe that an individual's
telephone number is lawfully made available to the general public if
you have located the telephone number in the telephone book or the
consumer has informed you that the telephone number is not unlisted.
(p) Security event means an event resulting in unauthorized access
to, or disruption or misuse of, an information system, information
stored on such information system, or customer information held in
physical form.
(q) Service provider means any person or entity that receives,
maintains, processes, or otherwise is permitted access to customer
information through its provision of services directly to a financial
institution that is subject to this part.
(r) You includes each ``financial institution'' (but excludes any
``other person'') over which the Commission has enforcement
jurisdiction pursuant to section 505(a)(7) of the Gramm-Leach-Bliley
Act.
■
4. In Sec. 314.3, revise paragraph (a) to read as follows:
Sec. 314.3 Standards for safeguarding customer information.
(a) Information security program. You shall develop, implement, and
maintain a comprehensive information security program that is written
in one or more readily accessible parts and contains administrative,
technical, and physical safeguards that are appropriate to your size
and complexity, the nature and scope of your activities, and the
sensitivity of any customer information at issue. The information
security program shall include the elements set forth in Sec. 314.4
and shall be reasonably designed to achieve the objectives of this
part, as set forth in paragraph (b) of this section.
* * * * *
■
5. Revise Sec. 314.4 to read as follows:
Sec. 314.4 Elements.
In order to develop, implement, and maintain your information
security program, you shall:
(a) Designate a qualified individual responsible for overseeing and
implementing your information security program and enforcing your
information security program (for purposes of this part, ``Qualified
Individual''). The Qualified Individual may be employed by you, an
affiliate, or a service provider. To the extent the requirement in this
paragraph (a) is met using a service provider or an affiliate, you
shall:
(1) Retain responsibility for compliance with this part;
(2) Designate a senior member of your personnel responsible for
direction and oversight of the Qualified Individual; and
(3) Require the service provider or affiliate to maintain an
information security program that protects you in accordance with the
requirements of this part.
(b) Base your information security program on a risk assessment
that identifies reasonably foreseeable internal and external risks to
the security, confidentiality, and integrity of customer information
that could result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and assesses the
sufficiency of any safeguards in place to control these risks.
(1) The risk assessment shall be written and shall include:
(i) Criteria for the evaluation and categorization of identified
security risks or threats you face;
(ii) Criteria for the assessment of the confidentiality, integrity,
and availability of your information systems and customer information,
including the adequacy of the existing controls in the context of the
identified risks or threats you face; and
(iii) Requirements describing how identified risks will be
mitigated or accepted based on the risk assessment and how the
information security program will address the risks.
(2) You shall periodically perform additional risk assessments that
reexamine the reasonably foreseeable internal and external risks to the
security, confidentiality, and integrity of customer information that
could result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and reassess the
sufficiency of any safeguards in place to control these risks.
(c) Design and implement safeguards to control the risks you
identify through risk assessment, including by:
(1) Implementing and periodically reviewing access controls,
including technical and, as appropriate, physical controls to:
(i) Authenticate and permit access only to authorized users to
protect against the unauthorized acquisition of customer information;
and
(ii) Limit authorized users' access only to customer information
that they need to perform their duties and functions, or, in the case
of customers, to access their own information;
(2) Identify and manage the data, personnel, devices, systems, and
facilities that enable you to achieve business purposes in accordance
with their relative importance to business objectives and your risk
strategy;
(3) Protect by encryption all customer information held or
transmitted by you both in transit over external networks and at rest.
To the extent you determine that encryption of customer information,
either in transit over external networks or at rest, is infeasible, you
may instead secure such customer information using effective
alternative compensating controls reviewed and approved by your
Qualified Individual;
(4) Adopt secure development practices for in-house developed
applications utilized by you for transmitting, accessing, or storing
customer information and procedures for evaluating, assessing, or
testing the security of externally developed applications you utilize
to transmit, access, or store customer information;
(5) Implement multi-factor authentication for any individual
accessing any information system, unless your Qualified Individual has
approved in writing the use of reasonably equivalent or more secure
access controls;
(6)(i) Develop, implement, and maintain procedures for the secure
disposal of customer information in any format no later than two years
after the last date the information is used in connection with the
provision of a product or service to the customer to which it relates,
unless such information is necessary for business operations or for
other legitimate business purposes, is otherwise required to be
retained by law or regulation, or where targeted disposal is not
reasonably feasible due to the manner in which the information is
maintained; and
(ii) Periodically review your data retention policy to minimize the
unnecessary retention of data;
(7) Adopt procedures for change management; and
(8) Implement policies, procedures, and controls designed to
monitor and log the activity of authorized users and detect
unauthorized access or use of, or tampering with, customer information
by such users.
(d)(1) Regularly test or otherwise monitor the effectiveness of the
safeguards' key controls, systems, and procedures, including those to
detect actual and attempted attacks on, or intrusions into, information
systems.
(2) For information systems, the monitoring and testing shall
include continuous monitoring or periodic penetration testing and
vulnerability assessments. Absent effective continuous monitoring or
other systems to detect, on an ongoing basis, changes in information
systems that may create vulnerabilities, you shall conduct:
(i) Annual penetration testing of your information systems
determined each given year based on relevant identified risks in
accordance with the risk assessment; and
(ii) Vulnerability assessments, including any systemic scans or
reviews of information systems reasonably designed to identify publicly
known security vulnerabilities in your information systems based on the
risk assessment, at least every six months; and whenever there are
material changes to your operations or business arrangements; and
whenever there are circumstances you know or have reason to know may
have a material impact on your information security program.
(e) Implement policies and procedures to ensure that personnel are
able to enact your information security program by:
(1) Providing your personnel with security awareness training that
is updated as necessary to reflect risks identified by the risk
assessment;
(2) Utilizing qualified information security personnel employed by
you or an affiliate or service provider sufficient to manage your
information security risks and to perform or oversee the information
security program;
(3) Providing information security personnel with security updates
and training sufficient to address relevant security risks; and
(4) Verifying that key information security personnel take steps to
maintain current knowledge of changing information security threats and
countermeasures.
(f) Oversee service providers, by:
(1) Taking reasonable steps to select and retain service providers
that are capable of maintaining appropriate safeguards for the customer
information at issue;
(2) Requiring your service providers by contract to implement and
maintain such safeguards; and
(3) Periodically assessing your service providers based on the risk
they present and the continued adequacy of their safeguards.
(g) Evaluate and adjust your information security program in light
of the results of the testing and monitoring required by paragraph (d)
of this section; any material changes to your operations or business
arrangements; the results of risk assessments performed under paragraph
(b)(2) of this section; or any other circumstances that you know or
have reason to know may have a material impact on your information
security program.
(h) Establish a written incident response plan designed to promptly
respond to, and recover from, any security event materially affecting
the confidentiality, integrity, or availability of customer information
in your control. Such incident response plan shall address the
following areas:
(1) The goals of the incident response plan;
(2) The internal processes for responding to a security event;
(3) The definition of clear roles, responsibilities, and levels of
decision-making authority;
(4) External and internal communications and information sharing;
(5) Identification of requirements for the remediation of any
identified weaknesses in information systems and associated controls;
(6) Documentation and reporting regarding security events and
related incident response activities; and
(7) The evaluation and revision as necessary of the incident
response plan following a security event.
(i) Require your Qualified Individual to report in writing,
regularly and at least annually, to your board of directors or
equivalent governing body. If no such board of directors or equivalent
governing body exists, such report shall be timely presented to a
senior officer responsible for your information security program. The
report shall include the following information:
(1) The overall status of the information security program and your
compliance with this part; and
(2) Material matters related to the information security program,
addressing issues such as risk assessment, risk management and control
decisions, service provider arrangements, results of testing, security
events or violations and management's responses thereto, and
recommendations for changes in the information security program.
6. Revise Sec. 314.5 to read as follows:
Sec. 314.5 Effective date.
Section 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3),
(h), and (i) are effective as of December 9, 2022.
7. Add Sec. 314.6 to read as follows:
Sec. 314.6 Exceptions.
Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial
institutions that maintain customer information concerning fewer than
five thousand consumers.
By direction of the Commission, Commissioners Phillips and
Wilson dissenting.
April Tabor,
Secretary.
Note: The following appendix will not appear in the Code of
Federal Regulations.
[[Page 70309]]
Appendix--Statements Issued on October 27, 2021
Statement of Chair Lina M. Khan Joined by Commissioner Rebecca Kelly
Slaughter Regarding Regulatory Review of the Safeguards Rule
Today the FTC is significantly strengthening the Safeguards
Rule,\1\ first promulgated by the FTC twenty years ago pursuant to a
Congressional directive to protect personal information that is
stored by financial institutions. This revamping--the first time in
the Rule's history--is sorely needed. In the twenty years since the
Rule was first issued, the complexity of information security has
increased drastically, the use of computer networks in every aspect
of life has expanded exponentially, and, most notably, an unending
chain of damaging data breaches caused by inadequate security has
cost Americans heavily.\2\ The amendments adopted today require
financial institutions to develop information security programs that
can meet the challenges of today's security environment.
---------------------------------------------------------------------------
\1\ 16 CFR part 314. Pursuant to the Gramm-Leach-Bliley Act
(``GLB'' or ``GLBA''), Public Law 106-102, 113 Stat. 1338 (1999)
(codified as amended in scattered sections of 12 and 15 U.S.C.), the
Commission promulgated the Safeguards Rule in 2001.
\2\ See, e.g., 2020 Internet Crime Report, Fed. Bur.
Investigations, at 20 (Mar. 2021) (reporting consumer loss of over
$128 million resulting from corporate data breaches to those who
filed complaints in 2020 alone); Int'l Bus. Mach, Cost of a Data
Breach, at 4 (2021) (estimating that the average cost of a single data
breach has risen to $4.24 million).
---------------------------------------------------------------------------
For Americans, the harms stemming from the types of security
vulnerabilities that this Rule addresses are all too real. Victims
of breaches have their most sensitive information exposed, making
them more vulnerable to identity theft, phishing attacks, and other
forms of fraud.\3\ In 2018, almost 10 percent of Americans suffered
some form of identity theft, costing many of them hundreds of
dollars and dozens of hours of time, an experience that many
describe as distressing.\4\ For some, the cost is much higher, with
victims losing tens of thousands of dollars.\5\
---------------------------------------------------------------------------
\3\ 2013 Identity Fraud Report: Data Breaches Becoming a
Treasure Trove for Fraudsters, Javelin Strategy, at 1 (Feb. 2013)
(reporting that 1 in 4 recipients of a data breach notification
become victims of identity theft); Michelle Singletary, Your online
profile may help identity thieves, Washington Post (Feb. 28, 2012),
https://www.washingtonpost.com/business/economy/michelle-singletary-your-online-profile-may-help-identity-thieves/2012/02/28/gIQAXFjygR_story.html (reporting that recipients of data breach
letters are 9.5% more likely to suffer identity theft).
\4\ See Erika Harrell, Victims of Identity Theft, 2018, U.S.
Dep't of Just., at 1 (Apr. 2021), https://bjs.ojp.gov/content/pub/pdf/vit18.pdf.
\5\ See 2021 Consumer Aftermath Report, Identity Theft Resource
Center (2021), at 6 (finding that in a study of 427 identity crime
victims, 21% of them suffered losses of over $20,000).
---------------------------------------------------------------------------
The Rule amendments the FTC is issuing today are strongly
supported by the evidence in the record.\6\ The evidence gathered
from information security experts, industry associations, and
consumer groups--those with hands-on experience in the area and
knowledge of the field--decisively shows that the amendments are
necessary. Of course, all of this information supplements the
experience that Commission staff has obtained over twenty years of
enforcing the Rule, and gained through investigations of companies'
data security practices under the FTC's deception and unfairness
authority.
---------------------------------------------------------------------------
\6\ The Commission first sought public comments on the proposed
amendments in April 2019. See Privacy of Consumer Financial
Information Rule Under the Gramm-Leach-Bliley Act, 84 FR 13150;
Standards for Safeguarding Customer Information, 84 FR 13158 (April
4, 2019). The agency received almost 50 comments from consumer
groups, industry associations, and data security experts. See FTC
Seeks Comment on Proposed Amendments to Safeguards and Privacy
Rules, 16 CFR part 314, Project No. P145407, (FTC-2019-0019) (``2019
Safeguards and Privacy NPRM''), https://www.regulations.gov/docket/FTC-2019-0019/document. Further, the Commission conducted a workshop
discussing the proposed amendments with information security
professionals and experts, including IT staff from financial
institutions covered by the Safeguards Rule. See Transcript,
Information Security and Financial Institutions: An FTC Workshop to
Examine Safeguards Rule, Fed. Trade Comm'n (July 13, 2020)
(``Safeguards Workshop''), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf. Connected with the workshop, the Commission sought and
received another round of public comments on the amendments. The
eleven relevant public comments relating to the subject matter of
the July 13, 2020, workshop can be found here: Postponement of
Public Workshop Related to Proposed Changes to the Safeguards Rule,
85 FR 23354 (FTC-2020-0038) (Apr. 27, 2020) (``Workshop Comment
Docket''), https://www.regulations.gov/document/FTC-2020-0038-0001.
---------------------------------------------------------------------------
The dissent's conclusion that these amendments are unnecessary
is belied by both the reality of rampant data security breaches and
the robust evidentiary record. The recent history of major
data breaches affecting millions of consumers shows that more needs
to be done to protect consumers' sensitive information. Despite the
increasing sophistication of cyberattacks, many businesses continue
to offer inadequate security.\7\ In particular, the massive Equifax
breach, which the FTC alleged was caused by inadequate data security
that could have been easily corrected by the company, is a glaring
example of how a financial institution's lax security practices can
have devastating consequences for Americans.\8\ The dissent's
suggestion that our current framework is sufficient falls flat in
the face of such a stark example of the harm that can arise from
avoidable lax security practices by covered financial institutions.
Moreover, the dissent's complaint that the rule is also informed by
evidence arising from breaches and practices occurring in other
types of industries misses the mark. Not only is there substantial
evidence in the rulemaking record clearly illustrating security
lapses of financial institutions that are covered by the Rule,\9\
but the implication that we shouldn't use our broader knowledge of
common security pitfalls is unwise.
---------------------------------------------------------------------------
\7\ See, e.g., Electronic Privacy Information Center, Comment
Letter No. 55 on 2019 Safeguards and Privacy NPRM (FTC-2019-0019),
at 3 (Aug. 1, 2019) (citing dramatic increase in data breaches at
financial services firms affecting millions of consumers), https://www.regulations.gov/comment/FTC-2019-0019-0055; Consumer Reports,
Comment Letter No. 52 on 2019 Safeguards and Privacy NPRM (FTC-2019-
0019) (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0052 (noting several high profile data breaches at financial
institutions as evidence for the need for stronger regulation);
Inpher, Inc., Comment Letter No. 50 on 2019 Safeguards and Privacy
NPRM (FTC-2019-0019), at 1 (Aug. 1, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0050 (pointing to major
breaches at financial institutions as evidence for the need of
stronger security regulations); Independent Community Bankers of
America, Comment Letter No. 35 on 2019 Safeguards and Privacy NPRM
(FTC-2019-0019) (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0035 (noting that FTC-regulated financial institutions
are subject to less stringent security requirements than those
regulated by banking agencies, even though many handle the same
types of information as those financial institutions); National
Consumer Law Center et al., Comment Letter No. 58 on 2019 Safeguards
and Privacy NPRM (FTC-2019-0019) (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0058 (arguing that the
recent Equifax breach showed the need for strengthening the
Safeguards Rule); Cisco Systems, Inc., Comment Letter No. 51 on 2019
Safeguards and Privacy NPRM (FTC-2019-0019) (Aug. 2, 2019), https://www.regulations.gov/document/FTC-2019-0019-0051 (noting that
sophisticated hacking techniques used in state sponsored attacks are
likely to be adopted by ``more garden variety, less sophisticated
hackers.''); Safeguards Workshop, at 24-26 (July 13, 2020) (remarks
of Chris Cronin) (stating that many companies do not conduct
complete or adequate risk assessments). Id. at 38-39 (remarks of
Serge Jorgensen) (noting that businesses' understanding of the need
for security has improved, but that they continue to struggle to
implement controls across business units). Id. at 39-41 (remarks of
Chris Cronin) (stating that, ``as a rule,'' businesses of all sizes
are ``behind'' on cybersecurity, attributing this in part to
consultants whose advice about reasonable security is motivated by a
desire to ``make the clients happy''). Id. at 43 (remarks of Pablo
Molina) (citing ``the mounting losses that come from cybercrime'' as
evidence that many businesses are ``falling behind''
cybercriminals). Id. at 114 (remarks of Brian McManamon) (noting
that ``the proposed changes are the minimum necessary to have an
effective security program in place.''). Id. at 44 (remarks of Sam
Rubin) (noting that, in his experience, companies make significant
investments in technical security measures but that investment in
personnel to oversee and use those measures is ``a huge shortcoming
that I'm seeing in the field.''); The Clearing House Association
LLC, Comment Letter No. 49 on 2019 Safeguards and Privacy NPRM (FTC-
2019-0019), at 7-9 (Aug. 2, 2019), https://www.regulations.gov/comment/FTC-2019-0019-0049 (citing a 2018 study by the Center for
Financial Inclusion that showed widespread data security failures
among financial technology companies around the globe).
\8\ Press Release, Fed. Trade Comm'n, Equifax to Pay $575
Million as Part of Settlement with FTC, CFPB, and States Related to
2017 Data Breach, (July 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.
\9\ See infra, note 7.
---------------------------------------------------------------------------
The record evidence also shows that the amendment's requirements
track bedrock principles of data security and represent proven
elements of effective data security programs that reduce the risk of
breaches.\10\
[[Page 70310]]
The amended Rule requires that financial institutions' information
security plans address such core concepts as controlling who is
accessing their system,\11\ understanding their system,\12\
monitoring what users do in their system,\13\ and protecting the
information contained in their system.\14\ More particularly, it
also requires encryption of customer information and the use of
multifactor authentication. Adopting these practices will reduce the
chances of a breach occurring.
---------------------------------------------------------------------------
\10\ See, e.g., for Single Qualified Individual Requirement:
National Consumer Law Center et al., supra note 7, at 3 (arguing
that a clear line of reporting with a single responsible individual
could have prevented the Equifax consumer data breach); Safeguards
Workshop, at 182-84 (remarks of Adrienne Allen) (stating that
without a single responsible individual, information security staff
``can fall into traps of each relying on someone else to make a hard
call . . . [In a program without a single coordinator] issues can
sometimes fall through the cracks.''). Id. at 184-85 (remarks of
Michele Norin) (``I think it's extremely important to have a person
in front of the information security program. I think that there are
so many components to understand, to manage, to keep an eye on. I
think it's difficult to do that if it's part of someone else's job.
And so I found that it's extremely helpful to have a person in
charge of that program just from a pure basic management perspective
and understanding perspective.''); Risk Assessment Requirement: Id.
at 25 (remarks of Chris Cronin) (stating that evaluating the
likelihoods and impacts of potential security risks and evaluating
existing controls is an important component of a risk assessment).
Id. at 29-30 (remarks of Serge Jorgensen) (emphasizing the
importance of risk assessments as tools for adjusting existing
security measures to account for both current and future security
threats); Encryption Requirement: Princeton University Center for
Information Technology Policy, Comment Letter No. 54 on 2019
Safeguards and Privacy NPRM (FTC-2019-0019), at 3 (Aug. 2, 2019),
https://www.regulations.gov/document/FTC-2019-0019-0054 (noting the
effectiveness of encryption); Inpher, Inc., supra note 7, at 4;
Safeguards Workshop, at 225 (remarks of Matthew Green) (noting
website usage of encryption is above 80 percent; ``Let's Encrypt''
provides free TLS certificates; and costs have gone down to the
point that if a financial institution is not using TLS encryption
for data in motion, it is making an unusual decision outside the
norm). Id. at 106 (remarks of Rocio Baeza) (``[T]he encryption of
data in transit has been standard. There's no pushback with
that.''); Multifactor Authentication Requirement: Princeton
University Center for Information Technology Policy, supra note 10,
at 6-7; Electronic Privacy Information Center, supra, note 7, at 8;
National Consumer Law Center et al., supra note 7, at 2; Safeguards
Workshop, at 102 (remarks of Brian McManamon) (stating that his
company TECH LOCK supports requiring multi-factor authentication for
users connecting from internal networks). Id. at 266 (remarks of
Matthew Green) (explaining that passwords are not enough of an
authentication feature but when MFA is used and deployed, the
defenders can win against attackers). Id. at 239 (describing how
because smart phones have modern secure hardware processors,
biometric sensors and readers built in, increasingly consumers can
get the security they need through the devices they already have by
storing cryptographic authentication keys on the devices and then
using the phone to activate them); Incident Response Plan: Credit
Union National Association, Comment Letter No. 30 on 2019 Safeguards
and Privacy NPRM (FTC-2019-0019), at 2 (Aug. 1, 2019), https://www.regulations.gov/document/FTC-2019-0019-0030 (noting that an
incident response plan ``helps ensure that an entity is prepared in
case of an incident by planning how it will respond and what is
required for the response.''). Consumer Reports, supra note 7, at 6
(observing that ``a written incident response plan is an essential
component of a good security system.''); HITRUST, Comment Letter No.
18 on 2019 Safeguards and Privacy NPRM (FTC-2019-0019), at 2 (July
1, 2019), https://www.regulations.gov/document/FTC-2019-0019-0018
(commenting that incident response plans can help organizations ``to
better allocate limited resources.''). Safeguards Workshop, at 52
(remarks of Serge Jorgensen) (observing that a prompt response to an
incident can prevent a ``threat actor running around in my
environment for days, months, years, and able to access anything
they want.''); Board Reporting Requirement: Workshop participants
Adrienne Allen, Karthik Rangarajan, and Michele Norin each
emphasized that such reporting can aid decision making. See
Safeguards Workshop, at 201-09; see also Rocio Baeza, Comment Letter
No. 12 on Workshop Comment Docket (FTC-2020-0038), at 3-8 (Aug. 12,
2020), https://www.regulations.gov/comment/FTC-2020-0038-0012
(supporting requirement and providing sample report form and
compliance questionnaire); Juhee Kwon et al., The Association
Between Top Management Involvement and Compensation and Information
Security Breaches, J. L. Info. Sys., at 219-236 (2013) (``. . . the
involvement of an IT executive decreases the probability of
information security breach reports by about 35 percent . . .'');
Julia L. Higgs et al., The Relationship Between Board-Level
Technology Committees and Reported Security Breaches, J. L. Info.
Sys., at 79-98 (2016) (``[A]s a technology committee becomes more
established, its firm is not as likely to be breached. To obtain
further evidence on the perceived value of a technology committee,
this study uses a returns analysis and finds that the presence of a
technology committee mitigates the negative abnormal stock returns
arising from external breaches.'').
\11\ 16 CFR 314.4(c)(1).
\12\ 16 CFR 314.4(c)(2).
\13\ 16 CFR 314.4(c)(8).
\14\ 16 CFR 314.4(c)(3) and 314.4(c)(5).
---------------------------------------------------------------------------
In fact, it is likely that the massive breach at Equifax could
have been prevented or mitigated by adopting practices required by
these amendments. For example, the Commission's complaint alleged
that the vulnerability that led to the breach was not detected for
four months because Equifax's automated vulnerability scanner was
not configured to scan all of the networks in the system, something
that could have been prevented if Equifax had performed an adequate
inventory of its system as required by Sec. 314.4(c)(2) of the
amended Rule.\15\ Equifax allegedly did not encrypt the data of 145
million consumers as required by Sec. 314.4(c)(3) of the amended
Rule; such encryption might have prevented the intruders from
misusing individuals' sensitive information, even if they were able
to obtain it.\16\ In addition, the complaint charged that Equifax
did not adequately monitor activity on its network, which allowed
intruders to access and use their network undetected for months;
such monitoring will be required by Sec. 314.4(c)(8).\17\ Finally,
and perhaps most importantly, Equifax split authority over its
information security program between two people, which caused
failures of communications and oversight.\18\ Indeed, the U.S. House
Committee on Oversight and Government identified Equifax's
organization as one of the major causes of the breach.\19\
Appointing a single Qualified Individual as the coordinator of
Equifax's information security system, as required by Sec. 314.4(a)
of the amended Rule, could have helped prevent or limit the scope of
one of the largest breaches in American history. By implementing the
measures required in the amended Rule, financial institutions will
prevent or mitigate many future breaches, protecting consumers and
their information.
---------------------------------------------------------------------------
\15\ Compl. for Permanent Injunction & Other Relief., FTC v.
Equifax, Inc., No. 1:19-mi-99999-UNA (N.D. Ga. July 22, 2019) ¶ 17.
\16\ Id. ¶ 22.E.
\17\ Id. ¶ 22.F.
\18\ While the dissent questions the requirements in the Rule
regarding elevating security issues to the top levels of the
corporate structure, research supports these requirements. Boards
are becoming increasingly involved in cybersecurity governance, as
demonstrated by surveys of practitioners and the growth of
literature aimed at educating board members on cybersecurity. Some
studies suggest that Board attention to data security decisions can
dramatically improve data safeguarding. For example, one study found
a 35% decrease in the probability of information security breaches
when companies include the Chief Information Security Officer (or
equivalent) in the top management team and the CISO has access to
the board. See Juhee Kwon et al., supra note 10; see also Safeguards
Workshop, at 201-09.
\19\ U.S. H. Rep. Comm. on Oversight and Gov. Reform, Majority
Staff Report on The Equifax Data Breach, 115th Cong., at 55-62 (Dec.
2018).
---------------------------------------------------------------------------
There is also no support for the dissent's notion that the
amendments eliminate financial institutions' flexibility in a way
that will hurt smaller businesses. The amendments require that
information security programs address certain aspects of security,
but do not prescribe any particular method for doing so.
Specifically, the amended Rule requires that the information
security program address areas such as access control, change
management, information disposal, and monitoring user activity, but
it does not require that financial institutions take any particular
action in those areas. In fact, the Rule recognizes the concerns of
small businesses and adopts appropriate flexibilities. Section 314.6
of the revised Rule exempts financial institutions that maintain
information concerning fewer than 5,000 consumers from certain
requirements. In addition, financial institutions with smaller and
simpler systems may determine that minimal procedures are required
in those areas, and they retain flexibility under these amendments
to follow that route. Moreover, the record contains significant
evidence that there are free and low-cost solutions for smaller
businesses with more modest data security needs.\20\
---------------------------------------------------------------------------
\20\ See, e.g., Safeguards Workshop, at 267 (remarks of Wendy
Nather) (``we have a lot more options, a lot more technologies today
than we did before that are making both of these solutions, both
encryption and MFA, easier to use, more flexible, in some cases
cheaper, and we should be encouraging their adoption wherever
possible.''). Id. at 265-66 (remarks of Matthew Green) (``I think
that we're in a great time when we've reached the point where we can
actually mandate that encryption be used. . . . And we've reached
the point where now it is something that's come to be and we can
actually build well.''). Id. at 229-30 (remarks of Randy Marchany)
(noting that encryption is already built into the Microsoft Office
environment and that a number of Microsoft products, such as
Spreadsheets, Excel, Docs, and PowerPoint, support that encryption
feature). Id. at 225. Id. at 106 (remarks of Rocio Baeza) (``[T]he
encryption of data in transit has been standard. There's no pushback
with that.''). Id. at 74 (remarks of James Crifasi) (stating that
car dealerships can rely on existing staff for the role of Qualified
Individual). Id. at 78-79 (remarks of Lee Waters) (stating that any
dealership with any IT staff at all would have someone who could
assume the role of ``qualified individual,'' perhaps requiring some
additional research or outside help). Id. at 81-82 (remarks of Rocio
Baeza) (stating that companies may use an existing employee for the
role and ``for any areas where there may be skill gaps, that can be
supplemented with either certifications or some type of
education.''). Id. at 89-90 (remarks of Brian McManamon) (noting
that the size of a financial institution and the amount and nature
of the information that it holds factor into an appropriate
information security program); Presentation Slides, Inf. Security &
Fin. Inst.: An FTC Workshop of GLB Safeguards, at 27-28 (July 13,
2020) (slides accompanying remarks of Rocio Baeza, ``Models for
Complying to the Safeguards Rule Changes'') (``Safeguards Workshop
Presentation Slides'') https://www.ftc.gov/system/files/documents/public_events/1567141/slides-glb-workshop.pdf (describing three
different compliance models: In-house, outsource, and hybrid, with
costs ranging from $199 per month to more than $15,000 per month).
Safeguards Workshop, at 81-83 (remarks of Rocio Baeza) (describing
three compliance models in more detail); Safeguards Workshop
Presentation Slides, at 29 (remarks of Brian McManamon, ``Sample
Pricing'') (estimating the cost of cybersecurity services based on
number of endpoints). Id. at 83-85.
---------------------------------------------------------------------------
[[Page 70311]]
We believe that these amendments represent a much-needed step
forward in protecting Americans' data security. Given growing
recognition that the requirements captured in the Rule represent
best practices, some financial institutions seem to have already
taken appropriate steps to protect customers' data and meet the
requirements set out in the amended Rule. It is important, though,
to require those that lag behind to strengthen their security and
prevent future breaches before they occur, rather than in the wake
of a devastating breach after the damage has already been done.
Joint Statement of Commissioners Noah Joshua Phillips and Christine S.
Wilson in the Matter of the Final Rule Amending the Gramm-Leach-Bliley
Act's Safeguards Rule
In 1999, Congress passed the Gramm-Leach-Bliley Act, which
charged the Federal Trade Commission (the ``Commission'') with
promulgating and enforcing a regulation to ensure that financial
firms take care to safeguard the information they collect from
consumers.\1\ The Safeguards Rule \2\ has established more data
security obligations for consumer financial data than for data
collected by non-financial firms, a gap that underlies our view--
shared by our colleagues--that congressional data security
legislation is warranted.
---------------------------------------------------------------------------
\1\ Public Law 106-102, 113 Stat. 1338 (1999). Notably, even as
it transferred authority for other consumer financial regulation to
the Consumer Financial Protection Bureau in the Dodd-Frank Act,
Congress left this rulemaking authority with the Commission, a vote
of confidence in our approach. 15 U.S.C. 6804(a)(1).
\2\ 16 CFR part 314.
---------------------------------------------------------------------------
One hallmark of the Safeguards Rule is its recognition that, in
a world of continuously evolving threats and standards, a one-size-
fits-all approach to data security may not work. Under Democratic
and Republican leadership, the Commission has repeatedly emphasized
this principle.\3\ We have traditionally eschewed an overly
prescriptive approach, both to data security in general and to the
Safeguards Rule itself.\4\ The FTC has never demanded ``perfect''
security because the Commission has recognized that data security is
neither cost- nor consequence-free, and often requires tradeoffs.\5\
At the same time, during our tenure, the Commission has continued to
enforce data security standards vigorously, including those embodied
in the Safeguards Rule.\6\
---------------------------------------------------------------------------
\3\ See, e.g., Federal Trade Commission, Statement Marking the
FTC's 50th Data Security Settlement, at 1 (Jan. 31, 2014), https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf
(``FTC Data Security Statement'') (``Through its settlements,
testimony, and public statements, the Commission has made clear that
it does not require perfect security; reasonable and appropriate
security is a continuous process of assessing and addressing risks;
there is no one-size-fits-all data security program; and the mere
fact that a breach occurred does not mean that a company has
violated the law.''); see also Prepared Statement of the Federal
Trade Commission: Before the Committee on Homeland Security and
Governmental Affairs Permanent Subcommittee on Investigations, 116
Cong. 3 (2019) (statement of Andrew Smith, Director, Bureau of
Consumer Protection) (``[t]here is no one-size-fits-all data
security program . . .''), https://www.ftc.gov/system/files/documents/public_statements/1466607/commission_testimony_re_data_security_senate_03072019.pdf. Federal
Trade Commission, Stick with Security: A Business Blog Series (Oct.
2017), https://www.ftc.gov/news-events/blogs/business-blog/2017/10/stick-security-ftc-resources-your-business.
\4\ FTC Notice of Proposed Rulemaking, 84 FR 13158 (Apr. 4,
2019), https://www.federalregister.gov/documents/2019/04/04/2019-04981/standards-for-safeguarding-customer-information (``The
Commission continues to believe that a flexible, non-prescriptive
Rule enables covered organizations to use it to respond to the
changing landscape of security threats, to allow for innovation in
security practices, and to accommodate technological changes and
advances.'').
\5\ Under the FTC's unfairness authority, the Commission brings
cases when companies under its jurisdiction fail to employ
``reasonable'' security. FTC Data Security Statement, supra note 3
(``The touchstone of the Commission's approach to data security is
reasonableness: a company's data security measures must be
reasonable and appropriate in light of the sensitivity and volume of
consumer information it holds, the size and complexity of its
business, and the cost of available tools to improve security and
reduce vulnerabilities.'').
\6\ See, e.g., In the matter of Ascension Data & Analytics, LLC,
FTC File No. 1923126 (2020), https://www.ftc.gov/enforcement/cases-proceedings/192-3126/ascension-data-analytics-llc-matter; U.S. v.
Mortgage Solutions FCS, Inc., Civ. Action No. 4:20-cv-110 (N.D. Cal
2020), https://www.ftc.gov/enforcement/cases-proceedings/182-3199/mortgage-solutions-fcs-inc; FTC v. Equifax, Inc., Civ. Action No.
1:19-cv-03297-TWT (N.D. Ga. 2019), https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc.
---------------------------------------------------------------------------
In March 2019, the Commission approved a Notice of Proposed
Rulemaking (``NPRM'') proposing additional requirements to the
Safeguards Rule. While we recognize the value in regularly reviewing
our rules and updating them as needed, we dissented then because the
proposal lacked data demonstrating the need for and efficacy of the
proposed amendments.\7\
---------------------------------------------------------------------------
\7\ Dissenting Statement of Commissioner Noah Joshua Phillips
and Commissioner Christine S. Wilson, Review of Safeguards Rule
(Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf; see,
e.g., Noah Joshua Phillips (@FTCPhillips), Twitter (Mar. 5, 2019,
3:08 p.m.), https://twitter.com/FTCPhillips/status/1103024596247289867 (``A reexamination of the Rule may indeed be
appropriate and necessary; but, before we borrow from other existing
schemes, we must first understand whether the existing Rule is
inadequate for its purpose and whether the data supports the
efficacy of the alternatives.''); Christine S. Wilson, Remarks at
NAD 2020, One Step Forward, Two Steps Back: Sound Policy on Consumer
Protection Fundamentals 7-8 (Oct. 5, 2020), https://www.ftc.gov/system/files/documents/public_statements/1581434/wilson_remarks_at_nad_100520.pdf.
---------------------------------------------------------------------------
We appreciate Staff's diligent work on this rule and many of the
modifications made to the original proposal. The Federal Register
Notice does a commendable job of presenting the full panoply of
comments that the Commission received. The FTC is at its best when
it seeks input from experts, industry, and consumer groups; this
rulemaking process reflects a commitment to that approach. But the
comment period did not produce data demonstrating that the previous
iteration of the rule was inadequate, or that the costs and
consequences of the new prescriptive obligations will translate into
actual consumer safeguards. That was our concern, and the comments
did not allay it.
In fact, as several commenters observed, the new prescriptive
requirements could weaken data security by diverting finite
resources towards a check-the-box compliance exercise and away from
risk management tailored to address the unique security needs of
individual financial institutions. It is ironic that the revisions
mandate a risk assessment and then order firms to prioritize
specified precautions ahead of the risks and needs counseled by that
assessment. The revisions also impose intrusive corporate governance
obligations wholly unsupported by record evidence of prevalent
failures at the senior managerial level.
For these reasons, which we explain more fully below, we
dissent.
The Record Fails To Provide a Basis for the New Requirements
We expressed concern in March 2019 that some of the proposals in
the NPRM tracked issues that arose in cases involving firms not
covered by the Safeguards Rule. That is, those failures occurred at
companies to which the Safeguards Rule did not apply. And heightened
obligations imposed in a settlement context, when a company has
engaged in risky and allegedly illegal behavior, may not be
appropriate for all market participants. We did not see evidence
that covered firms had a systematic problem--i.e., that the Rule was
not working.\8\
[[Page 70312]]
The Commission can--and does--promote best practices
and reasonable care requirements through speeches, guidance,
reports, and the like, to help financial firms evaluate whether they
are taking proper precautions.\9\ But new rules that set concrete
standards for all companies, regardless of risk, require more
justification. Such rules make companies liable for penalties, and
could focus efforts on compliance to address penalty deterrence
rather than risk.
---------------------------------------------------------------------------
\8\ Commenters on the proposed rules reflected these same
concerns. See, e.g., CTIA (comment 34, NPRM) at 4, https://www.regulations.gov/comment/FTC/2019-0019-0034 (observing that most
examples cited in the NPRM are from non-financial firms and arguing
that the FTC's action in Equifax demonstrated that the agency is
able to use the current framework effectively); Global Privacy
Alliance (comment 38, NPRM) at 4, https://www.regulations.gov/comment/FTC/2019-0019-0038 (the changes to the rules started not
from FTC experience but rather from state laws); Electronic
Transactions Association (comment 27, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0027 (the current rule is
effective and there are no harms that warrant these changes);
National Automobile Dealers Association (comment 46, NPRM) at 6,
https://www.regulations.gov/comment/FTC/2019-0019-0046 (``[N]ew
requirements for all financial institutions should not be based on
unrelated enforcement actions that may not be generally applicable
to all financial institutions subject to the Rule.'').
\9\ Federal Trade Commission, Data Security, https://www.ftc.gov/datasecurity.
---------------------------------------------------------------------------
Dozens of commenters have shared their views on the Safeguards
proposal, and FTC Staff held a workshop to evaluate the need to
change the Rule. While there is no shortage of opinions as to the
need and benefits of the proposed changes (nor is there a shortage
of opinions critiquing the new requirements), this process failed to
provide evidence of market failure or other systemic problems \10\
necessitating the proposed changes for firms already governed by the
requirements of the Rule. In fact, one commenter that generally
supported the rule changes noted that it was not clear that the new
rules would have prevented the alleged lapses that led to the
Equifax breach, the largest Safeguards case on record.\11\
---------------------------------------------------------------------------
\10\ One study cited by commenters pointed toward widespread
problems among fintech firms ``including misuse of cryptography, use
of weak cryptography, and excessive permission requirements.'' The
Clearing House Association LLC (comment 49, NPRM) at 7-9, https://www.regulations.gov/comment/FTC/2019-0019-0049 (citing a 2018 study
by the Center for Financial Inclusion, https://content.centerforfinancialinclusion.org/wp-content/uploads/sites/2/2018/09/CFI43-CFI_Online_Security-Final-2018.09.12.pdf). This study
included firms from around the world and did not indicate that this
limited set of issues arose in U.S. firms covered by the Safeguards
Rule. See also National Automobile Dealers Association (comment 46,
NPRM) at 46, https://www.regulations.gov/comment/FTC/2019-0019-0046
(``These requirements have largely not been proven to be necessary
or effective.''). Participants at the FTC's July 2020 Workshop
generally agreed that companies could invest more in security, but
the fact of under-investment does not mean that these changes to the
Safeguards Rule constitute the best course of action. FTC,
Information Security and Financial Institutions: An FTC Workshop to
Examine Safeguards Rule Tr. at 23-70 (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf (``Safeguards Workshop'').
\11\ Consumer Reports (comment 52, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0052 at 2. Not all the
commenters agreed with this perspective, and some felt that these
rules would have prevented the Equifax breach. See National Consumer
Law Center and others (comment 58, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0058. Chair Khan and
Commissioner Slaughter focus on the Equifax breach to justify the
adoption of prescriptive and complex data security measures,
measures that match the sophistication and complexity of the
consumer financial data managed by one of the largest credit
bureaus. But even assuming the new rules would have prevented it,
one (albeit high-profile) breach, without more, should not be
extrapolated to an entire industry with diverse business models
housing varied consumer financial data. Reasonable safeguards for a
company like Equifax, based on its size and complexity, the nature
and scope of its activities, and the sensitivity of the information
involved, would likely outpace procedures that would be appropriate
or reasonable for a sole proprietorship or small business.
---------------------------------------------------------------------------
That these proposals may constitute best practices appropriate
to certain firms or situations does not justify imposing them on
every firm and in every situation.\12\ The FTC historically has been
appropriately cautious in mandating specific security practices, and
we see no sound basis in the rulemaking record to change that
approach.\13\
---------------------------------------------------------------------------
\12\ While the Final Rule is based on proposals from New York
State Department of Financial Services (``NYDFS''), the FTC imposes
its requirements much more broadly than the NYDFS Cybersecurity
Requirements for Financial Services Companies, 23 NYCRR Pt. 500. The
NYDFS requirements exempt a much larger cross-section of
organizations from the most onerous, prescriptive, and expensive
provisions in their rule. 23 NYCRR Sec. 500.19. Nor do the
exceptions in the Final Rule, while helpful, suffice.
\13\ Unfortunately, this is not the first time this Commission
has emphasized what we can do over what we should do. See, e.g.,
Joint Statement of Commissioners Noah Joshua Phillips and Christine
S. Wilson, In the matter of Resident Home LLC, Commission File No.
2023179 (Oct. 7, 2021), https://www.ftc.gov/system/files/documents/public_statements/1597270/resident_home_dissenting_statement_wilson_and_phillips_final_0.pdf;
Joint Statement of Commissioners Noah Joshua Phillips and Christine
S. Wilson, U.S. v. iSpring Water Systems, LLC, Commission File No.
C4611 (Apr. 12, 2019), https://www.ftc.gov/system/files/documents/public_statements/1513499/ispring_water_systems_llc_c4611_modified_joint_statement_of_commissioners_phillips_and_wilson_4-12.pdf.
---------------------------------------------------------------------------
The Revised Safeguards Rule Is Premature
In our 2019 statement, we expressed concern that the proposals
in the NPRM were premature. They are based in large part on the New
York Department of Financial Service data security rules,\14\
adopted in 2016. At the same time, Congress and the Executive Branch
were evaluating new privacy and data security legislation that may
overlap with the proposed amendments.\15\
---------------------------------------------------------------------------
\14\ Cybersecurity Requirements for Financial Services
Companies, 23 NYCRR Pt. 500 (2016).
\15\ See Consumer Data Industry Association (comment 36, NPRM)
at 2, https://www.regulations.gov/document?D=FTC-2019-0019-0036
(noting that the NY rule is too recent and Congress is debating new
legislation that should be left to Congress to resolve); National
Automobile Dealers Association (comment 46, NPRM) at 46, https://www.regulations.gov/comment/FTC-2019-0019-0046 (The new rules ``are
premature as they are based on untested and new standards in a
rapidly changing environment, and in a context where federal debate
is ongoing.''); New York Insurance Association (comment 31, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0031 (it is
premature to adopt these rules without the benefit of the state's
experience).
---------------------------------------------------------------------------
Since our original statement, we have been provided with no
additional information on the impact and efficacy of the NYDFS
rules.\16\ Without this critical input, we do not believe adopting
wholesale the NYDFS approach is the prudent course.\17\ We would
have been better served by monitoring the efficacy, costs and
unintended consequences of the NYDFS rules during this ramp-up
period. Imposing similar rules on far more firms across a broader
array of industries makes even less sense.
---------------------------------------------------------------------------
\16\ We appreciate the time and resources the NYDFS invested in
commenting on our proposed rule. Though the NYDFS does say that its
rules have ``enhanced cybersecurity protection across the financial
industry and fostered an environment in which the threat of a cyber
attack is taken seriously at all levels of New York's financial
services firms,'' it offers no supporting data. New York State
Department of Financial Services (comment 40, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0040.
\17\ As several commenters pointed out, the NYDFS rules are more
nuanced than the amendments introduced today. For instance, under
the NYDFS regulations, certain additional requirements only apply to
a category of sensitive data, a limitation not carried through to
the Safeguards Rule. See, e.g., U.S. Chamber of Commerce (comment
33, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0033;
CTIA (comment 34, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0034; Electronic Transactions Association (comment 27,
NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0027. These
distinctions only raise more questions and concerns about basing our
regulations on the New York rules.
---------------------------------------------------------------------------
Congress, with the encouragement of the Commission, has
continued to consider legislative initiatives in this area.
Throughout 2019, 2020 and 2021, we saw the release of several draft
bills addressing data security, as well as privacy.\18\ And other
developments, such as data security requirements of the General Data
Protection Regulation \19\ and new cybersecurity incidents \20\
ensure that these issues will continue to draw congressional attention.
[[Page 70313]]
The
decisions about tradeoffs in this space are complex and significant
for consumers, business, and government; intrusive mandates are best
left to the people's representatives rather than to the vagaries of
the administrative rulemaking process.\21\
---------------------------------------------------------------------------
\18\ See, e.g., Fourth Amendment is Not for Sale Act, S. 1265,
117th Cong. (2021); Data Care Act of 2021, S. 919, 117th Cong.
(2021); Data Protection Act of 2021, S. 2134, 117th Cong. (2021);
SAFE DATA Act, S. 2499, 117th Cong. (2021); Consumer Online Privacy
Rights Act, S. 2968, 116th Cong. (2019). See also, California
Privacy Rights Act of 2020, Cal. Civ. Code Sec. 1798.100 et seq.;
Virginia Consumer Data Protection Act, Va. Code Sec. 59.1-575 et
seq.; and Colorado Privacy Act, 2021 Colo. ALS 483, 2021 Colo. Ch.
483, 2021 Colo. SB. 190.
\19\ Council Directive 2016/679, art. 32 2016 O.J. (L119).
\20\ See, e.g., Joseph Menn and Christopher Bing, Hackers of
SolarWinds stole data on U.S. sanctions policy, intelligence probes,
Reuters (Oct. 8, 2021), https://www.reuters.com/world/us/hackers-solarwinds-breach-stole-data-us-sanctions-policy-intelligence-probes-2021-10-07/; Stephanie Kelly and Jessica Resnick-ault, One
password allowed hackers to disrupt Colonial Pipeline, CEO tells
senators, Reuters (June 8, 2021), https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08; Carly Page, The Accellion data breach
continues to get messier, TechCrunch (July 8, 2021), https://techcrunch.com/2021/07/08/the-accellion-data-breach-continues-to-get-messier/; Peter Valdes-Dapena, Volkswagen hack: 3 million
customers have had their information stolen, CNN (June 11, 2021),
https://www.cnn.com/2021/06/11/cars/vw-audi-hack-customer-information/.
\21\ Sen. Roger Wicker, Rep. Cathy McMorris Rodgers, & Noah
Phillips, FTC must leave privacy legislating to Congress, Wash.
Examiner (Sept. 29, 2021), https://www.washingtonexaminer.com/opinion/op-eds/ftc-must-leave-privacy-legislating-to-congress.
Substance aside, businesses and consumers need confidence to plan
around new rules. As the recent--and perhaps future--debate about
net neutrality rules has demonstrated, agency rules are subject to
disruptive swings that undermine such confidence.
---------------------------------------------------------------------------
The Revised Rules Inhibit Flexibility and Impose Substantial Costs
The Safeguards Rule originally drafted and evaluated by the
Commission embraced a flexible approach, emphasizing protections
targeted to a company's size and risk profile.\22\ As we wrote in
2019, these new rules move us away from that approach; that loss of
flexibility will impose costs without necessarily improving
safeguards for consumer data, which should be the point of this
exercise.
---------------------------------------------------------------------------
\22\ The Commission itself acknowledges the importance of
flexibility in issuing the Final Rule. See, e.g., Final Rule at 27
(``The Commission, however, believes that the elements provide
sufficient flexibility for financial institutions to adopt
information security programs suited to the size, nature, and
complexity of their organization and information systems.'')
---------------------------------------------------------------------------
Commenters and the Commission itself have noted that there are
financial impacts to these new requirements.\23\ The Small Business
Administration's Office of Advocacy stated its belief that the
Commission itself does not appear to understand fully the economic
impact of the proposed changes to the Safeguards Rule.\24\
---------------------------------------------------------------------------
\23\ See Final Rule; American Council on Education (comment 24,
NPRM) at 13-14, https://www.regulations.gov/comment/FTC-2019-0019-0024; Wisconsin Bankers Association (comment 37, NPRM) at 1-2,
https://www.regulations.gov/comment/FTC-2019-0019-0037; American
Financial Services Association (comment 41, NPRM) at 4, https://www.regulations.gov/comment/FTC-2019-0019-0041; National Association
of Dealer Counsel (comment 44, NPRM) at 1, https://www.regulations.gov/comment/FTC-2019-0019-0044; National Automobile
Dealers Association (comment 46, NPRM) at 11, https://www.regulations.gov/comment/FTC-2019-0019-0046; National Independent
Automobile Dealers Association, (comment 48, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0048; Gusto and others
(comment 11, Workshop) at 2-4, https://www.regulations.gov/comment/FTC-2019-0019-0011; National Pawnbrokers Association (comment 3,
NPRM) at 2, https://www.regulations.gov/comment/FTC-2019-0019-0032;
See also Remarks of James Crifasi, Safeguards Workshop, supra note
10, Tr. at 72-74, https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf
(study showing that compliance costs are unaffordable for small
businesses).
\24\ Small Business Administration Office of Advocacy (comment
28, NPRM) at 3-4, https://www.regulations.gov/comment/FTC-2019-0019-0028 (``An agency cannot consider alternatives that minimize any
significant economic impact if the agency does not know what the
economic impact of the proposed action is.'').
---------------------------------------------------------------------------
The burden of these new rules may also reduce competition and
innovation, as smaller firms less able to absorb the financial costs
cede ground to larger firms better equipped to handle new regulatory
mandates.\25\
---------------------------------------------------------------------------
\25\ See CTIA (comment 34, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0034 (noting the need for more study on the
costs to competition); U.S. Chamber of Commerce (comment 33, NPRM)
at 4, https://www.regulations.gov/comment/FTC-2019-0019-0033 (``Some
private organizations can absorb the added costs, while others
cannot.''). See also Christine S. Wilson, Remarks at the Future of
Privacy Forum, A Defining Moment for Privacy: The Time is Ripe for
Federal Privacy Legislation 13 (Feb. 6, 2020), https://www.ftc.gov/system/files/documents/public_statements/1566337/commissioner_wilson_privacy_forum_speech_02-06-2020.pdf
(``Importantly, the legislative framework should also consider
competition. Regulations, by their nature, will impact markets and
competition. GDPR may have lessons to teach us in this regard.
Research indicates that GDPR may have decreased venture capital
investment and entrenched dominant players in the digital
advertising market.''); Noah Joshua Phillips, Prepared Remarks at
Internet Governance Forum USA, Keep It: Maintaining Competition in
the Privacy Debate (July 27, 2018), https://www.ftc.gov/system/files/documents/public_statements/1395934/phillips_-_internet_governance_forum_7-27-18.pdf (discussing the competition
impacts of new privacy rules).
---------------------------------------------------------------------------
Security itself may also suffer. A series of specific rules can
incentivize companies to move from a thoughtful assessment of risk
and precautions to a check-the-box exercise to ensure that they are
complying with regulatory mandates--in other words, from a focus on
real security to an emphasis on rule compliance.\26\ One commenter
cited data demonstrating that when security personnel are busy with
compliance and regulatory response, they have less time to focus on
a firm's actual security needs.\27\ Further, without the flexibility
to prioritize, finite resources may be diverted to areas of lower
risk but higher regulatory scrutiny; \28\ commenters noted the irony
of mandating a risk assessment and then ordering firms to prioritize
specified precautions ahead of the risks and needs counseled by that
assessment.\29\ And potentially innovative security practices that
address changing threats and needs may be discouraged.\30\ As one
commenter noted, ``[e]ven today's best practices will be overtaken by
future changes in both technology and the capabilities of threat
actors,'' \31\ and these prescriptive rules lose the
``self-modernizing'' nature of flexible requirements,\32\ locking in
place the primacy of current practices.\33\
[[Page 70314]]
---------------------------------------------------------------------------
\26\ See U.S. Chamber of Commerce (comment 33, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0033; Consumer Data
Industry Association (comment 36, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0036; Global Privacy
Alliance (comment 38, NPRM), https://www.regulations.gov/comment/FTC/2019-0019-0038. While some parts of the rule, such as encryption
requirements, allow security officials to make a written
determination that a different precaution is appropriate, it seems
unlikely that any individual security official will risk liability
to make such a determination and the specific requirements here will
likely become the default rule. American Council on Education
(comment 24, NPRM) at 12, https://www.regulations.gov/comment/FTC-2019-0019-0024 (``In the absence of a clear delineation by the
Commission of what alternatives an institutional information
security executive might approve that the Commission considers
reasonably equivalent, and assurance that they are reasonably
applicable in our contexts, that pressure release valve in the
requirement seems unlikely to release much pressure.''); Software &
Information Industry Association (comment 29, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0056 (``The mere threat of
a per se law violation will chill these approvals except in the most
ironclad circumstances, thereby potentially thwarting
industry-wide adoption of new and better security
standards.''); New York Insurance Association (comment 31, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0031 (``This runs
the risk that companies might feel compelled to encrypt all consumer
data regardless of whether the CISO's compensating controls would be
second guessed in the event a company were to lose unencrypted
customer information.''); Mortgage Bankers Association (comment 26,
NPRM) at 4, https://www.regulations.gov/comment/FTC-2019-0019-0026
(noting the obligation to prepare an incident response plan had
``the potential to cripple small businesses under the pressure of
repeatedly checking the boxes for potential harmless events.'').
\27\ Bank Policy Institute (comment 39, NPRM) at 6, https://www.regulations.gov/comment/FTC-2019-0019-0039 (``When the sector
surveyed its information security teams in late 2016, CISOs reported
that approximately 40% of their cyber team's time was spent on
compliance related matters, not on cybersecurity. Due to one
framework issuance, in particular, the reconciliation process
delayed one firm's implementation of a security event monitoring
tool intended to better detect and respond to cyber-attacks by 3-6
months. With respect to another issuance, another firm stated that
91 internal meetings were held to determine how that issuance
aligned with its program and in gathering data for eventual
regulatory requests.'').
\28\ See U.S. Chamber of Commerce (comment 33, NPRM) at 4,
https://www.regulations.gov/comment/FTC-2019-0019-0033 (``the
proposed requirements would increasingly divert company resources
toward compliance and away from risk management activities that are
tailored to businesses' unique security needs.''); Software &
Information Industry Association (comment 29, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0056 (``The effect of a
prescriptive approach in this enforcement structure is to place
companies in the position of forced compliance with potentially
unnecessary or inapplicable requirements without the appropriate
process for these covered entities to explain to a supervisory
authority why it is unnecessary.''); American Financial Services
Association (comment 41, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0041. In some cases, asking too much of small
businesses for whom all this is a substantial undertaking may lead
them to fail at even the basic protections. Safeguards Workshop,
supra note 10, Tr. at 118-19 (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf.
\29\ See Bank Policy Institute (comment 39, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0039; Money Services Round
Table (comment 53, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0053.
\30\ See Consumer Data Industry Association (comment 36, NPRM)
at 7-8, https://www.regulations.gov/comment/FTC-2019-0019-0036
(minimization requirement can impact innovative uses more broadly).
\31\ See Cisco Systems Inc. (comment 51, NPRM) at 3, https://www.regulations.gov/comment/FTC-2019-0019-0051 (noting also in the
context of multi-factor authentication that there will come a time
when it is no longer the ``appropriate baseline'' and ``covered
entities could find themselves in full compliance with the rule as
long as they use access control technology no less protective than
MFA as defined in the Proposed Amendments.'').
\32\ National Automobile Dealers Association (comment 46, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0046.
\33\ See CTIA (comment 34, NPRM) at 3-5, https://www.regulations.gov/comment/FTC-2019-0019-0034 (flexibility in the
rule allowed it to keep up with evolving threats, whereas new rule
could limit innovation); HITRUST Alliance (comment 18, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0018 (expressing
concern about creating outdated requirements); The American
Financial Services Association (comment 41, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0041.
---------------------------------------------------------------------------
The reduction in flexibility and imposition of these costs must
be justified by a significant reduction in risk or some other
substantial consumer benefit. But the record provides scant support
for these tradeoffs. Or as one commenter put it:
[A]s with many of these requirements, we do not take issue with
the notion that there is merit to this step [requiring monitoring],
and that many financial institutions will implement some version of
this control. However, by making this an explicit, stand-alone
requirement, the Commission is enshrining costs and efforts that
will be extensive and will likely not be needed in all
circumstances.\34\
---------------------------------------------------------------------------
\34\ National Automobile Dealers Association (comment 46, NPRM)
https://www.regulations.gov/comment/FTC-2019-0019-0046 (arguing that
the Commission needs additional study into the costs and benefits);
See also Consumer Data Industry Association (comment 36, NPRM),
https://www.regulations.gov/comment/FTC-2019-0019-0036 (benefits of
new rule not justified by tradeoffs).
---------------------------------------------------------------------------
The Rules Involve the FTC in the Internal Governance Decisions of
Covered Firms
The specifics of the proposals also raise issues, as we
expressed in 2019, with regard to mandating the appropriate level of
board engagement,\35\ hiring and training requirements,\36\ and
program accountability structures.\37\ We wrote then, and remain
concerned now, that the Commission is substituting its own judgement
about governance decisions for those of private companies covered by
this Rule.
---------------------------------------------------------------------------
\35\ American Council on Education (comment 24, NPRM) at 16,
https://www.regulations.gov/comment/FTC-2019-0019-0024; National
Automobile Dealers Association (comment 46, NPRM) at 41, https://www.regulations.gov/comment/FTC-2019-0019-0046.
\36\ U.S. Chamber of Commerce (comment 33, NPRM) at 12, https://www.regulations.gov/comment/FTC-2019-0019-0033; National Automobile
Dealers Association (comment 46, NPRM) at 34-36, https://www.regulations.gov/comment/FTC-2019-0019-0046.
\37\ See Final Rule. See also American Council on Education
(comment 24, NPRM) at 14, https://www.regulations.gov/comment/FTC-2019-0019-0024 (critiquing the intrusion on personnel practices).
---------------------------------------------------------------------------
In certain extraordinary cases involving clear evidence of
management failure, we have imposed prescriptive governance
obligations on respondents.\38\ Those rare and egregious instances
cannot justify a similar approach in a broad rulemaking absent a
real record of widespread corporate mismanagement or failure at the
senior management level.
---------------------------------------------------------------------------
\38\ U.S. v. Facebook, Inc., Civ. Action No. 19-cv-2184 (D.D.C.
July 24, 2019), https://www.ftc.gov/enforcement/cases-proceedings/092-3184/facebook-inc.
---------------------------------------------------------------------------
The Commission has elected to proceed with most of these
governance requirements, forcing the hand of management and shifting
their priorities to avoid the risk of regulatory action,\39\ without
clear evidence of their need or efficacy.
---------------------------------------------------------------------------
\39\ These governance rules may not even promote security. See
Consumer Data Industry Association (comment 36, NPRM), https://www.regulations.gov/comment/FTC-2019-0019-0036 (arguing that the
annual reporting will become a checkbox exercise).
---------------------------------------------------------------------------
Conclusion
Regularly reviewing our rules to ensure that they address the
current environment is an important part of the FTC's regular
process. But rules have far-reaching and frequently unintended
impacts in the real world; when imposing additional legal
obligations in the rulemaking context, we must do so with great
care. The amended Safeguards Rule replaces a rule that has worked
well for 20 years, a rule that took a principle-based approach in
order to provide financial institutions flexibility to determine the
appropriate and realistic security safeguards for their
organizations. The record before us at best fails to convince that
the changes are necessary and at worst raises concern about the
substantial costs and risks in imposing these amendments.
Accordingly, we dissent.
[FR Doc. 2021-25736 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P