The United States Federal Trade Commission (FTC) has tightened the security standards that financial institutions must comply with when handling consumer data.
Financial institutions will be required to explain their information-sharing practices and designate a single qualified individual to oversee their information security program.
The change is part of an update to the FTC’s Safeguards Rule that was announced in a joint statement by FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter.
Five main modifications to the existing Standards for Safeguarding Customer Information were contained in a Final Rule issued by the commission.
The first adds provisions designed to provide covered financial institutions with more guidance on developing and implementing specific aspects of an overall information security program. It specifies safeguards, including access controls and encryption, and adds mechanisms designed to ensure that employee training and oversight are effective.
It states that “while the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the Final Rule sets forth specific criteria for what the risk assessment must include and requires that the risk assessment be set forth in writing.
“As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”
The second modification is designed to improve the accountability of financial institutions’ information security programs, while the third exempts financial institutions that collect less customer information from certain requirements.
Under the fourth, the definition of “financial institution” has been expanded to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. It also adds “finders” – companies that bring together buyers and sellers of a product or service – within the scope of the Rule.
The fifth change included in the Final Rule defines several terms and provides related examples.
Khan and Slaughter said the new consumer protection measure was inspired by recent widespread data breaches, including the Equifax data breach in 2017, which exposed the information of 147 million Americans.