FTC expands data security requirements for financial institutions with an update to the Gramm-Leach-Bliley Safeguards Rule


By: Kirsten Patzer and Courtney Mazzio

On October 27, 2021, the Federal Trade Commission (“FTC”) announced an update to the rules implemented by the Gramm-Leach-Bliley Act expanding the definition of “financial institutions” under the Financial Privacy Rule and requiring these institutions to enact specific measures to protect their customers’ nonpublic personal information under the accompanying Safeguards Rule.  

The Financial Privacy Rule previously defined “financial institutions” as businesses “significantly engaged” in providing clients financial products and services. The new definition casts a much wider net, encompassing businesses engaged in activities that are “financial in nature” or “incidental” to financial activities.  

The Safeguards Rule update vastly expands the criteria financial institutions must now follow to protect their clients’ data. These new requirements include:  

  • Appointment of a “qualified” individual or third-party service provider to oversee the information security program; 
  • Annual report to the board of directors or governing bodies regarding the information security program*; 
  • A written Risk Assessment which identifies security risks or threats and how these risks will be mitigated*; 
  • Encryption of all customer information held or transmitted by the institution;  
  • Implementation of multi-factor authentication for any individual accessing an information system;  
  • Development and implementation of procedures for secure disposal of customer information;  
  • Review of any data retention policy;  
  • Monitoring and logging of the activity of authorized users and implementation of procedures and controls to detect unauthorized access; 
  • Continuous monitoring or periodic penetration testing and vulnerability assessments*; 
  • Provision of security awareness training to employees; and 
  • Establishment of a written incident response plan in the event of a security breach or unauthorized access*.  

The covered institutions must also be transparent about their sharing practices and the safeguards used to “access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information.” See FTC Press Release.  

The new requirements will become effective one year after the rule is published in the Federal Register. We will continue to monitor the developments of this new rule and provide further advisories here. If you have any concerns about how the new FTC update to the Safeguards Rule impacts your business, or you need guidance on how to implement these new requirements, please contact Kirsten Patzer at or Courtney Mazzio at, or another attorney in our Data Security, Privacy & Technology or Financial Services practice groups.  

* Small businesses maintaining customer information concerning fewer than 5,000 consumers are exempt from these specific provisions.