On October 27, 2021 the FTC issued a final rule (the “Final Rule”) amending 16 CFR Part 134, Standards for Safeguarding Customer Information (“Safeguards Rule”), after a period of notice and comment. While the existing Safeguards Rule imposes a general obligation on financial institutions to maintain an information security program, the Final Rule outlines these requirements in more granular detail. Importantly for smaller financial institutions, the Final Rule exempts businesses with fewer than 5,000 customers.
The Final Rule now defines key terms rather than incorporating them by reference. Other changes include requiring greater oversight and responsibility of a company’s information security program by designating a qualified individual to maintain the program, requiring annual reports to a company’s board of directors or governing body, and requiring vulnerability assessments and penetration testing. While there will likely be some cost to comply with the new requirements of the Final Rule, the FTC indicated the importance of these requirements justifies any associated costs.
What Businesses are Subject to the