On November 15, 2022, the Federal Trade Commission (FTC) announced a six-month extension of the deadline to comply with most provisions of its new Safeguards Rule. Covered "financial institutions" under the Safeguards Rule, which implements part of the Gramm-Leach-Bliley Act (GLBA), must now comply with the entire rule by June 9, 2023.
As we discussed in a prior blog post and webinar, the FTC overhauled the Safeguards Rule in October 2021, among other things requiring financial institutions to adopt enumerated technical and administrative safeguards. A few requirements of the new Safeguards Rule (which largely tracked the previous version of the rule) became effective 30 days after the rule was published. The bulk of the requirements were set to go into effect on December 9, 2022. Financial institutions now have an additional six months to meet Safeguards Rule requirements, such as the requirements to:
- Designate a qualified individual to oversee their information security program;
- Develop a written risk assessment;
- Implement access controls and monitoring;
- Encrypt customer information in transit and at rest (or use alternative compensating controls where encryption is infeasible);
- Develop an incident response plan;
- Adopt secure development practices for in-house developed software and processes for assessing the security of externally developed applications;
- Periodically assess the security practices of service providers; and
- Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
The "financial institutions" covered by the Safeguards Rule broadly include non-bank entities "engaging in an activity that is financial in nature or incidental to such financial activities." This definition encompasses many companies that may not consider themselves to be financial institutions, such as non-bank and alternative lenders, retailers that extend credit to customers, and even colleges and universities that administer certain federal student aid programs.
The FTC's commissioners voted unanimously to extend the compliance deadline. In explaining its decision, the FTC cited a report from the Small Business Administration Office of Advocacy describing a shortage of qualified information security personnel and supply chain issues affecting IT and security systems, which could hamper companies' ability to comply with the new requirements.
While this extension is likely welcome news for covered financial institutions, those institutions should not delay their compliance efforts. For many, the new Safeguards Rule may require significant investment in personnel, program development, and technology.