On October 27, 2021, the Federal Trade Commission (“FTC”) announced important updates to the Gramm-Leach-Bliley Act’s (the “Act”) primary consumer protection rules.

Enacted in 1999, the Act implemented regulations on financial institutions with regard to consumer privacy and data security concerns. It includes two primary parts, or “rules”: the Privacy Rule and the Safeguards Rule. The Privacy Rule limits disclosure and use of nonpublic personal information of consumers and requires covered entities to give notice of their information sharing practices. The Privacy Rule also requires that such notices describe the covered entities’ data security practices and procedures for ensuring confidentiality of consumer data. Those practices and procedures are, in turn, governed by the Safeguards Rule.

1. Safeguards Rule Changes

The Safeguards Rule is concerned primarily with risk detection, assessment and management in three areas of a covered entity’s business: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. It generally requires that covered entities develop written information security plans tailored to the entity’s size, nature and customer base, as well as—most importantly—the nature and sensitivity of the consumer information it handles. (https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying.)

The Final Rule followed a years-long rulemaking period. It contains “five main modifications to the existing [Safeguards] Rule”:

First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies [by a “Qualified Individual”]. Third, it exempts financial institutions that collect less customer information [fewer than 5,000 consumers] from certain requirements [written risk assessment, incident response plan, and annual reporting to the Board of Directors]. Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”–companies that bring together buyers and sellers of a product or service–within the scope of the Rule. Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporate them by reference from the Privacy of Consumer Financial Information Rule, 16 CFR part 313.

A link to the Final Rule, which will be effective 30 days after publication, can be found here.

2. Safeguards Rule Proposed Rulemaking

Procedures for reporting security events are noticeably absent from the Final Rule. However, the FTC is currently seeking further comment regarding additional changes to the Safeguards Rule that would “require financial institutions to report [electronically] to the Commission any security event where the financial institutions have determined misuse of customer information has occurred or is reasonably likely and that at least 1,000 consumers have been affected or reasonably may be affected.”

A link to the Notice of Proposed Rulemaking, with comments due 60 days after publication, can be found here.

3. Privacy Rule Changes

The FTC also announced technical, but still noteworthy, changes to the Privacy Rule. These were primarily intended to bring the Rule into harmony with changes made by the Dodd-Frank Act, which transferred certain rulemaking authority related to the GLBA to the Consumer Financial Protection Bureau, except with respect to certain motor vehicle dealers. The changes to the Privacy Rule also harmonized the Rule with the 2015 FAST Act, which afforded an exception to the annual privacy notice requirement to certain dealers that only share nonpublic personal information with service providers, joint marketers or other third parties in a way that avoids the Rule’s opt-out notice requirements.