The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previously reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.
The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have all of the described controls in place until December of this year, but should work toward implementation now, as many will require time-intensive processes.
- Qualified Individual: The Safeguards Rule requires designation of a “Qualified Individual” to implement and supervise the company’s information security program. The Qualified Individual must be, as the name implies, an individual, not a group or committee, but can be an employee of the company, an affiliate or a service provider. The individual’s qualifications may vary depending on the type of organization. What matters, the publication explains, is “real-world know-how suited to your circumstances.” If, as may be the case with many private funds, a service provider is designated to implement the information security program, the company must still designate someone to supervise. If the Qualified Individual works for an affiliate or service provider, that organization should also maintain an appropriate information security program. In practice, that means that many private funds may need a managing affiliate to help them satisfy their security obligations under the Safeguards Rule.
- Risk Assessment: The FTC again highlights the importance of a periodic risk assessment to an effective information security program. The FTC states that such an assessment should start with an inventory of the personal information that the company maintains and where it is stored. Once that inventory is complete, the assessment should consider both internal and external risks to the information, should be documented in writing, and should include criteria for evaluating the identified risks.
- Specific security controls: The Safeguards Rule articulates specific security controls a covered entity must adopt. These include:
  - Access controls
  - A data inventory noting where customer information is collected, stored, or transmitted, along with company systems, devices, platforms, and personnel
  - Encryption of customer information both in transit and at rest on company systems or, if infeasible, alternative controls approved by the Qualified Individual
  - Secure development of applications used to store, access, or transmit customer information
  - Multi-factor authentication for access to customer information, or compensating controls approved by the Qualified Individual
  - Secure data disposal consistent with defined retention periods
  - Change management processes
  - System monitoring, including logging of access to customer information
- Monitoring and testing safeguards: To test procedures for detection of actual or attempted attacks, the FTC requires either continuous system monitoring or annual penetration testing along with system-wide vulnerability scanning every six months. Tests should also be conducted whenever there are changes that will have a material impact on the program.
- Training: Companies should train all employees on the information security program and conduct regular refreshers. The FTC notes that individuals with more hands-on responsibilities should receive specialized, tailored training.
- Monitoring service providers: Service providers should be selected with security in mind, and service provider contracts should build in security expectations. The company should conduct regular monitoring of each service provider’s work and periodically reassess its suitability.
- Updating the program: The FTC opines that “the only constant in information security is change,” and so the program should be appropriately adapted to address new circumstances.
- Written incident response plan: The company should adopt a plan for responding to security events, documented in writing, including details regarding the goal of the plan, incident response processes once activated, roles, responsibilities and levels of decision-making authority, communications protocols for both inside and outside of the organization, processes for fixing any identified weaknesses, procedures for documenting incident responses, and a post-mortem evaluation of lessons learned.
- Upward reporting: The Qualified Individual should at least annually send a written report to the Board of Directors or governing body (or, if no such body exists, a senior officer responsible for information security) providing an overall assessment of the company’s compliance with its information security program and covering other topics germane to the program, such as key service provider arrangements, security events the company may have experienced, and recommendations for changes to the program.
The nine elements outlined above are not the only elements of a robust security program, and companies should conduct an individual analysis of their own circumstances and risks. Moreover, in addition to the FTC Safeguards Rule, financial institutions should be aware of other significant cybersecurity developments. The SEC, for example, recently published draft regulations applicable to registered funds and advisors summarized in a prior Ropes & Gray alert here. We expect an updated draft responsive to industry comments soon. Ropes & Gray will continue to monitor these developments. Subscribe to RopesDataphiles.com for updates.