FTC Updates Safeguards Rule

The United States Federal Trade Commission (FTC) has tightened the security standards that financial institutions must comply with when handling consumer data.





Financial institutions will be required to explain their information-sharing practices and designate a single qualified individual to oversee their information security program.





The change is part of an update to the FTC’s Safeguards Rule that was announced in a joint statement by FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter.





Five main modifications to the existing Standards for Safeguarding Customer Information were contained in a Final Rule issued by the commission.





The first adds provisions designed to provide covered financial institutions with more guidance on developing and implementing specific aspects of an overall information security program. It specifies safeguards, including access controls and encryption, and adds mechanisms designed to ensure that employee training and oversight are effective. 





It states that “while the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the Final Rule sets forth specific criteria for what the risk assessment must include and requires that the risk assessment be set forth in writing. 





“As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”





The second modification is designed to improve the accountability of financial institutions’ information security programs, while the third exempts financial institutions that collect less customer ..
