1/10/22
By: Kirsten Patzer and Courtney Mazzio
On October 27, 2021, the Federal Trade Commission (“FTC”) announced an update to the rules implemented by the Gramm-Leach-Bliley Act expanding the definition of “financial institutions” under the Financial Privacy Rule and requiring these institutions to enact specific measures to protect their customers’ nonpublic personal information under the accompanying Safeguards Rule.
The Financial Privacy Rule previously defined “financial institutions” as businesses “significantly engaged” in providing clients financial products and services. The new definition casts a much wider net, encompassing businesses engaged in activities that are “financial in nature” or “incidental” to financial activities.
The Safeguards Rule update vastly expands the criteria financial institutions must now follow to protect their clients’ data. These new requirements include:
The covered institutions must also be transparent about their sharing practices and the safeguards used to “access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information.” See FTC Press Release.
The new requirements will become effective one year after the rule is published in the Federal Register. We will continue to monitor the developments of this new rule and provide further advisories here. If you have any concerns about how the new FTC update to the Safeguards Rule impacts your business, or you need guidance on how to implement these new requirements, please contact Kirsten Patzer at [email protected] or Courtney Mazzio at [email protected], or another attorney in our Data Security, Privacy & Technology or Financial Services practice groups.
* Small businesses maintaining customer information concerning fewer than 5,000 consumers are exempt from these specific provisions.