In April, the Federal Trade Commission (FTC) published in the Federal Register its proposed amendments to the 2000 Privacy Rule and 2003 Safeguards Rule. The genesis of these amendments is based on the FTC’s enforcement experience, and are intended to keep pace with technological developments within the financial industry. The proposed revisions relevant to automotive lenders fall under the Gramm Leach Bliley Act (GLBA).
Changes to the Privacy Rule
Revisions to the Privacy Rule would result in two substantive changes:
- The scope and definition of “financial institution” was modified to include entities that are engaged in activities that are incidental to financial activities, to bring both rules into accordance with the CFPB’s Regulation P (Privacy of Consumer Financial Information).
- The annual privacy notice requirements were modified to implement statutory changes to the GLBA enacted by the Fixing America’s Surface Transportation Act (the FAST Act).
The FAST Act established that a financial institution is not required to provide an annual privacy notice under the Privacy Rule if it:
- only shares NPI with nonaffiliated third parties in a manner that does not require notice of an opt-out right to be provided to its customers; and,
- has not changed its privacy policies and practices with respect to the disclosure of NPI since it last provided a privacy notice to its customers.
The CFPB published a final rule to implement these statutory changes in September 2018. The FTC’s proposal would amend the annual notice requirements to bring it in line with the FAST Act and the CFPB regulations.
Changes to the Safeguards Rule
Specifically, the proposed amendments to the Safeguards Rule seek to achieve the following objectives:
- provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption;
- improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies; and,
- exempt small businesses from certain requirements of the amended Safeguards Rule.
Keeping Up With Technology
Much has changed in the world of cybersecurity since these rules were first implemented – both positive and negative. On the plus side, significant progress has been made by software and security providers to improve customer data protection. Unfortunately, those who would like to steal that data have matched that progress. Regardless of what rules and regulations exist, it is in the lender’s best interest to implement any measure available to protect its customers’ data.
Your institution probably already has a comprehensive information security program in place. However, now is the time to review that program, as the proposed rule amendment provides further definition on requirements, such as:
- encrypting all consumer data;
- implementing access controls to prevent unauthorized users from accessing consumer information;
- utilizing multifactor authentication to access consumer data; and,
- requiring periodic reports submitted to the boards of directors to ensure compliance.
The proposed amendments to the Safeguards Rule will better align the rule with prevailing cyber security standards, such as the New York State Department of Financial Services (NYDFS) cybersecurity regulations and the National Institute of Standards and Technology (NIST) framework. The amendments are also designed to ensure that non-bank financial technology entities are subject to cybersecurity standards similar to those that banks are subject to under the Federal Financial Institutions Examination Council (FFIEC) interagency guidelines.
These proposed amendments to the Safeguards Rule and Privacy Rule are in the “comment” phase. If you are a financial institution under the FTC’s jurisdiction, now is your time to submit input that would shape the future final rule. While I’m all for progress and improved data security, there is always a risk/reward.