The Federal Trade Commission (“FTC”) announced last week that it is delaying the date by which certain financial institutions must comply with certain provisions of its updated Safeguards Rule by six months, with the compliance date now being June 9, 2023. Applicable to non-banking institutions such as mortgage brokers, motor vehicle dealers, and licensed lenders, the FTC’s iteration of the Safeguards Rule (16 C.F.R. 34) — which implements data security requirements from the Gramm-Leach-Bliley Act (“GLBA”) — was updated in December 2021.
The FTC’s new requirements are not without controversy. The Safeguards Rule has been hailed as uniquely effective over the two decades it has been in place because it is technology-agnostic and instead requires all financial institutions to maintain data security programs that are commercially reasonable, compared to their cohorts. Indeed, in a dissenting opinion, Commissioners Noah Joshua Phillips and Christine S. Wilson note that “the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”
To that end, the following provisions have been delayed:
While most of these provisions are part of a robust information security program, the FTC cited the need for the delay as stemming from the multitude of small businesses affected by the Safeguards Rule that are still struggling with resuming business as usual after the pandemic.