Following more than two years of deliberation since proposing amendments to the 2002 Gramm-Leach-Bliley Act Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” the Federal Trade Commission recently issued a final rule embodying most of those proposed amendments. The New Safeguards Rule, which applies only to certain non-bank financial institutions, was approved 3–2 in a vote that fell along party lines, with three Democratic Commissioners—including Rohit Chopra, now the director of the Consumer Financial Protection Bureau—voting in favor. Although most of the New Safeguards Rule’s requirements are not effective until a year from the New Safeguards Rule’s publication in the Federal Register, certain requirements take effect within 30 days.

Simultaneously, the FTC issued a Supplemental Notice of Proposed Rulemaking to require financial institutions to report certain information security events. Specifically, under the proposed rule (which, if adopted, would become part of the New Safeguards Rule), financial institutions would be required to notify the FTC within 30 days after discovering an actual or reasonably likely “event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form” affecting at least 1,000 consumers.
