By Michael G. Charapp
Charapp & Weiss LLP
In spring 2019, we published an article titled “Your Safeguarding Obligations May Get More Expensive”. We reported that the FTC published for comment substantial and potentially expensive amendments to its Safeguards Rule originally promulgated under authority of the Gramm Leach Bliley Act (GLBA).
The final revised rule was published on Oct. 27, 2021. Our concern with the final Rule is the same as we expressed about the proposal. The original Safeguards Rule maintained flexibility for businesses permitted under the GLBA by allowing them to make their own determinations of the best policies and methods to ensure protection of customer data. The revised Rule removes that flexibility, particularly regarding digital consumer data. The revision makes small companies that are deemed financial institutions because they meet the overly-inclusive definition of that term under the Rule, like car dealers, implement procedures used by the world’s largest financial institutions. The changes will dramatically increase a dealer’s costs for compliance with the FTC Safeguards Rule.
The revised Rule became effective 30 days after publication in the Federal Register. However, the burdensome specific requirements we will discuss below go into effect one year after publication – October 27, 2022.
A Written Information Security Program Including Specific Requirements
The prior version of the Safeguards Rule required financial institutions to implement a written comprehensive information security program appropriate for the size and complexity of the financial institution, setting forth the administrative, technical, and physical safeguards used to protect customer information against unauthorized use or access that could cause substantial harm to customers. The updated Safeguards Rule now contains specifics that must be included in the information security program. Here is what a covered financial institution (including a franchised motor vehicle dealer) must do:
- Qualified Individual. Designate a qualified individual responsible for overseeing and implementing the information security program. The Qualified Individual may be employed by the covered financial institution, an affiliate, or a service provider.
- Written Risk Assessment. Perform a written risk assessment with specific evaluation and assessment criteria that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assesses the sufficiency of any safeguards in place to control these risks. The assessment must describe how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
- Updated Risk Assessments. Periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and reassess the sufficiency of any safeguards in place to control these risks.
- Safeguards. Design and implement safeguards to control the risks identified in the risk assessment.
o Access. Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information and limit authorized users’ access only to customer information they need to perform their duties and functions, or with customers, to access their own information.
o Management. Identify and manage the data, personnel, devices, systems, and facilities to achieve business purposes in accordance with their relative importance to business objectives and the risk strategy.
o Encryption. Protect by encryption all customer information held or transmitted, both in transit over external networks and at rest.
o Development Practices. Adopt secure development practices for in-house developed applications for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications utilized to transmit, access, or store customer information.
o Multi-Factor Authentication. Implement multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
o Maintenance Period. Develop, implement, and maintain procedures for the secure disposal of customer information two years after the last date the information is used in the provision of a product or service to the customer to which it relates, unless a specified exception applies.
o Log for Authorized Users. Implement policies, procedures and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
- Testing. Regularly test or otherwise monitor the effectiveness of the critical controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.
- Continuous Monitoring. For information systems, monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
- Awareness and Training. Implement policies and procedures to ensure that personnel can properly use the information security program by:
o Understanding Risks. Providing personnel with security awareness training updated as necessary to reflect risks identified by the risk assessment;
o Qualified Personnel. Utilizing qualified information security personnel employed by the covered financial institution or an affiliate, or service provider, sufficient to manage your information security risks and to perform or oversee the information security program;
o Training. Providing information security personnel with security updates and training sufficient to address security risks; and
o Continuous Updating of Key Personnel. Verifying that key information security personnel try to maintain knowledge of changing information security threats and countermeasures.
- Regular Updates. Continually evaluate and adjust the security program to address changes.
- Service Providers. Oversee service providers to ensure their compliance with Safeguards requirements.
- Incident Response Plan. Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information.
- Regular Reports. Require the Qualified Individual to report in writing, regularly and at least annually, to the board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program.
Effort and Expense
The revised Rule was released as part of a 145-page report detailing changes made from the original proposal based on input from interested persons. The tweaks reduced some of the burden and clarified obligations, but for the most part the revised Rule will still increase the expenses and time necessary for dealers to implement the revised Rule and maintain it. As we noted nearly four years ago, dealers will rely on their DMS vendors to assist them in making the changes necessary for compliance, and those changes are likely to come at a substantial price. But those expenses can be dwarfed by the costs of implementation. Employees must be retrained, the chief information officer will have dramatically increased responsibilities, oversight will be more costly, and ongoing testing and compliance costs will increase.
As the effective date for the responsibilities under the Revised Rule approaches, dealer trade associations will provide further guidance. Stay tuned.