The Federal Trade Commission recently amended the Safeguards Rule, 16 C.F.R. § 314.1, et seq., with significant changes to how an information security program should be designed, what it must include, and who needs to be in charge. Some may note the similarity to the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00, et seq.
The Rule is now considerably lengthier, but not all of the amendments add anything new or substantive. In this article we will explain which changes look new but are not, which are new and substantial, which do not apply to small businesses, and when certain provisions go into effect.
The Rule was promulgated under the Gramm-Leach-Bliley Act, which, in part, requires the FTC to issue rules setting forth standards that financial institutions must implement to safeguard certain information. The Rule applies to customer information held by non-banking financial institutions and “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of [that information].”