November 10, 2021
US Federal Trade Commission Adopts Prescriptive Data Security Requirements and Other Updates to Its Gramm-Leach-Bliley Act Safeguards Rule
Overview
- On October 27, 2021, the Federal Trade Commission issued a final rule (“Final Rule”) implementing most of the revisions it proposed in 2019, with some important modifications, to its Gramm-Leach-Bliley Act safeguards rule.
- Financial institutions covered by the Final Rule include finders, finance companies, mortgage companies, motor vehicle dealerships, payday lenders and other non-banks involved in the consumer financial services industry.
- The Final Rule:
  - adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program and provisions designed to improve the accountability of financial institutions’ information security programs;
  - exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from certain requirements;
  - expands the definition of “financial institution” to include entities engaged in activities incidental to financial activities (e.g., so-called “finders” that bring together buyers and sellers of a product or service); and
  - defines several terms and provides related examples in the safeguards rule.
- The Final Rule will take effect one year after its publication in the Federal Register.