Federal Trade Commission December 9, 2021 – Federal Register Recent Federal Regulation Documents

The Federal Trade Commission (``FTC'' or ``Commission'') is issuing a final rule (``Final Rule'') to amend the Standards for Safeguarding Customer Information (``Safeguards Rule'' or ``Rule''). The Final Rule contains five main modifications to the existing Rule. First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. Second, it adds provisions designed to improve the accountability of financial institutions' information security programs, such as by requiring periodic reports to boards of directors or governing bodies. Third, it exempts financial institutions that collect less customer information from certain requirements. Fourth, it expands the definition of ``financial institution'' to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds ``finders''companies that bring together buyers and sellers of a product or servicewithin the scope of the Rule. Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporates them from the Privacy of Consumer Financial Information Rule (``Privacy Rule'').

The Commission requests public comment on its proposal to further amend the Standards for Safeguarding Customer Information (``Safeguards Rule'' or ``Rule'') to require financial institutions to report to the Commission any security event where the financial institutions have determined misuse of customer information has occurred or is reasonably likely and at least 1,000 consumers have been affected or reasonably may be affected.