Governance Controls at the Center of the FTC’s Financial Data Privacy Rule


Financial institutions face heightened expectations for corporate accountability and oversight of data security measures under the Federal Trade Commission’s new rule to protect their consumer information.

The FTC’s Safeguards Rule, updated Oct. 27, directs financial institutions to designate a person responsible for security controls, such as an information security officer, who will report regularly to the board of directors.

The guidelines represent an acknowledgment that corporate boards are increasingly concerned about cybersecurity, according to Brittany Bacon, privacy and cybersecurity practice partner at Hunton Andrews Kurth LLP.

“This sends a clear message that cybersecurity continues to be a fundamental risk issue,” Bacon said, particularly for financial institutions that hold sensitive customer data such as bank account information and social security numbers.

Many financial firms already have a security manager or consultants to advise them on their security programs, she said. These practices may be less common in companies that fall on what Bacon called the financial industry’s “margins,” meaning the FTC’s rule could have more impact there.

Companies Covered

The commission’s rule, issued under the Gramm-Leach-Bliley Act of 1999, serves as a catch-all for financial institutions not covered by other federal regulators.

Banks and credit unions, for example, are subject to Federal Reserve and National Credit Union Administration privacy and data security rules.

The FTC rule applies to institutions such as mortgage brokers, payday lenders and consumer reporting agencies. This would include Equifax Inc., which agreed to pay $575 million as part of a settlement with the agency and other regulators over a 2017 data breach.

The updated FTC rule is expanded to also cover intermediary companies that bring together a buyer and a seller, such as for a merger or acquisition.

According to Christopher Pippett, chairman of the financial services industry practice at Fox Rothschild LLP, the commission’s emphasis on appointing a person responsible for security oversight could reduce the legal pressure on boards, making it less likely that directors themselves are blamed for violations.

“If you have a qualified person who manages security and reports to the board, directors are less likely to have any liability,” Pippett said.

Following its massive data breach, Equifax and its directors and officers agreed to pay $149 million to resolve allegations that they misled investors about the company’s cyber defenses and vulnerabilities. Other companies have seen similar lawsuits from investors over data breaches.

Other Regulators

The commission’s update brings its rule into line with regulations from other government agencies that oversee the financial industry, including the New York Department of Financial Services.

New York’s cybersecurity rules, which were the first of their kind in the United States, similarly require banks and other financial institutions to appoint an information security officer who reports at least once a year to the board of directors on the company’s security posture and corporate IT risks.

The department’s rules also provide for data access controls such as encryption and multi-factor authentication, which are increasingly common in the security arena. The FTC rule also instructs financial institutions under its jurisdiction to limit who can access consumer data and to use encryption to secure the data.

“The FTC realized it needed to align its rule with that of peer regulators and current thinking,” said Glenn Brown, privacy and data security adviser at Squire Patton Boggs.

Brown said the commission is also looking to synchronize cyber requirements when it comes to notifying regulators of a consumer data breach.

In New York, financial institutions must report a breach to their regulator within 72 hours of discovering the incident. The Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Federal Reserve Board have proposed their own 36-hour breach notification standard.

The FTC is seeking public feedback on whether to make an additional change to the rule that would require financial institutions to report certain data breaches and other security events to the commission.
