The Federal Trade Commission (FTC) has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm-Leach-Bliley Act (GLBA). The proposed changes are intended to keep pace with technological developments. The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties. Some of the proposed changes to the Safeguards Rule include:
- Encryption of all consumer data;
- Implementing access controls to prevent unauthorized users from accessing consumer information;
- Implementing multi-factor authentication to access consumer data; and
- Requiring periodic reports to be submitted to the Board to ensure compliance.
The proposed amendments would require covered financial institutions to encrypt all customer data held or transmitted by the institution both in transit over external networks and at rest. The proposed amendments would also require the use of multi-factor authentication for any individual accessing customer information on the institution’s internal networks. Covered financial institutions would need to submit periodic reports to their Boards of Directors.