The Federal Trade Commission, citing an uptick in data breaches and cyberattacks, on Wednesday issued a long-debated set of updates to its rule mandating financial institutions establish safeguards to protect customers’ financial information.
In short, the FTC’s 145-page amended “Safeguards Rule”stipulates that non-banking financial institutions — including auto dealerships — establish and maintain more “comprehensive” security systems to protect customers’ information.
The Safeguards Rule, mandated by Congress under the 1999 Gramm-Leach-Bliley Act, has been the subject of scrutiny in recent years. The FTC asked for public comment on proposed changes to the rule back in 2019. The agency also held a public workshop on it last year, where potential fortifications to the rule were met with opposition from the National Automobile Dealers Association.
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” FTC Bureau of Consumer Protection Director Samuel Levine said in a statement. “The updates adopted by the Commission to the Safeguards Rule detail commonsense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
A spokesman for the National Automobile Dealers Association said the final amendments have “a significant number of new and expanded requirements for dealers” that depart from the FTC’s usual “flexible and self-modernizing approach.”
“While we are pleased that the FTC, in direct response to NADA’s input, made significant changes and provided important clarifications to the proposed amended rule, many of the new requirements being imposed still lack the scalability and flexibility that will make them achievable by smaller businesses,” the spokesman said. “Unfortunately, this will likely lead to increased costs and liability exposure for dealers without producing corresponding benefits to consumers.”
The commission voted 3-2 to publish the updates to the Safeguards Rule in the Federal Register. Noah Joshua Phillips and Christine Wilson, the two commissioners who voted no, issued a dissenting statement.
“In fact, as several commenters observed, the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions,” the two commissioners wrote.
The FTC said it also is seeking additional input about whether it should further alter the Safeguards Rule to require financial institutions to disclose specific data breaches and other security incidents in which misuse of customer information has occurred or at least 1,000 customers have been affected.
Members of the public will have 60 days to submit a comment on that once the FTC publishes a notice in the Federal Register.