On October 27, 2021, the FTC announced its intention to publish (1) a final rule to change the standards for protecting customer information (backup rule); (2) additional notice and request for public comment on other changes to the collateral rule; and (3) a Final Rule to Amend the Consumer Financial Information Privacy Rule (Privacy Rule) under the Gramm-Leach-Bliley Act (collectively, the GLBA Rules).
Who does it apply to?
Currently, the safeguard rule applies to “financial institutions”, defined as institutions “carrying on financial activities”, including automobile dealers, real estate appraisers, tax preparers and financial advisers. investment. In addition to those subject to the current rule, the modified backup rule may apply to Internet service providers, the concert economy and online marketplaces.
The amended safeguard rule is broadened to include institutions “engaged in an activity of a financial nature. or incidental to these financial activities.“The practical effect of this language is to bring in” finders “- for example, “Companies that bring together one or more buyers and sellers of any product or service that the parties themselves negotiate and consume” – under the safeguard rule.
The definition of “finders” was developed by the Board of Governors of the Federal Reserve System (Council). In doing so, the Council gave examples of research activities and services:
(A) Identify potential parties, inquire about their interest, introduce themselves and refer potential parties to each other, and organize contacts and meetings between interested parties;
(B) Transmission between interested parties of expressions of interest, offers, offers, orders and confirmations relating to a transaction; 
(C) Transmit information about products and services to potential parties within the framework of the activities described in paragraphs [(A) and (B)] of this section [; and]
. . . .
[(D)] Operation of a website allowing several buyers and sellers to exchange information concerning the products and services they wish to buy or sell, to locate potential counterparties for transactions, to group together orders for goods or services with those passed through other parties and to enter into transactions between them.
The amendment ostensibly seeks to bring the FTC’s definition of “financial institution” “into harmony with the GLB of other agencies[A] Rules.” The FTC, however, has not compensated for the narrower enforcement jurisdiction of those “other agencies” which inherently limit the type of businesses subject to their rules. For example, when used by the Council, the term “researcher” defines the activities permitted for a certain subset of bank holding companies. Conversely, the FTC has jurisdiction over any business that affects commerce, except banks, savings and loan institutions, federal credit unions and public carriers.
The Association of National Advertisers, the Internet Association, and other commentators have expressed concerns about the scope of this definition. The Commission acknowledged in the Final Rule that the “language is somewhat broad”, but argued that the scope was limited (a) to transactions for “personal, family or household purposes” and (b) to consumer information with whom the “financial institution” has an “ongoing relationship”. The Commission said it believed these limitations would exclude “most advertising agencies and similar businesses”. The Commission has not offered similar guarantees to the Internet Association, whose members range from online marketplaces to pioneers of the odd-job economy. The FTC has rejected a request by the National Federation of Independent Businesses to exclude individuals and sole proprietors from the definition of “financial institution”.
The Commission has not updated the examples of what constitutes an “ongoing relationship” to reflect the revised definition of “financial institutions”. For now, the only thing we are sure of is that the amended safeguard rule will apply to “entities that provide research services to consumers with whom they have an ongoing relationship” and “will not apply to researchers. that only have isolated interactions with consumers. and who do not receive information from other financial institutions about the clients of those institutions. Future enforcement action will determine whether the FTC intends to apply the safeguards rule to new sectors of the economy.
What kind of information does it cover?
The amended safeguard rule applies to any information about a customer that is (a) provided by the consumer to obtain products or services; (b) on the consumer resulting from the transaction; or (c) otherwise obtained about the consumer as part of the transaction. This includes any resulting “list, description or other group of consumers” that is not publicly available. A customer is a consumer having an ongoing relationship with a “financial institution” who obtains any product or service offered by a “financial institution” to be used primarily for personal, family or household purposes.
The Commission recognized the wide range of information covered by the amended safeguard rule and rejected comments suggesting that the Commission should specifically exempt aggregated or anonymized information which does not contain personal identifiers. “This not only includes information associated with types of personal information such as a name or address or account number, but also information related to a persistent identifier” such as Internet cookies.
What obligations does it impose?
The amended safeguard rule extends the requirements imposed on a financial institution’s information security program. Financial institutions will be required to assess, develop and implement safeguards for access controls; inventory and classification of data; encryption; secure development practices; authentication; procedures for disposing of information; change management; trial; and incident response. The assessment, development and implementation of these safeguards should be documented.
Companies subject to the modified backup rule must implement protective measures to control the identified risks by taking certain prohibited actions, including encrypting all customer information to the extent possible; adopt multi-factor authentication for all means of access; elimination of customer information within two years; undergo annual penetration tests; and perform system-wide scans every six months.
Financial institutions should also provide training to employees on these guarantees and appropriate oversight of service providers. While training and supervision are not new, the amended safeguard rule adds, what the Commission considers, “mechanisms designed to ensure that such training and supervision is effective”.
The amended safeguard rule “also adds requirements designed to improve the accountability of financial institutions’ information security programs.” One of these requirements is that a single “qualified person” be responsible for the information security program and provide periodic reports to boards of directors or a senior executive of the company.
The additional amendment to the safeguard rule, if adopted, would also require financial institutions to report detected security events to the Commission under certain circumstances.
How is it applied?
Once the Commission enacts a rule to regulate commerce, anyone who breaks the rule may be considered to be engaging in an unfair or deceptive act or practice in violation of the Federal Trade Commission Act. Businesses that fail to comply with the rule could face financial penalties of up to $ 43,792 per violation per day.
Where is he at?
The amendment to the safeguard rule was adopted by the Commission by 3-2. FTC President Lina M. Khan and Commissioner Rebecca K. Slaughter released a joint statement in support of the final rule. Commissioners Christine S. Wilson and Noah J. Phillips issued a joint dissenting statement. The Commission voted unanimously in favor of the other two publications.
While the agency may have a legal fight on its hands over the use of the “zombie” votes cast by former commissioner Rohit Chopra before his resignation on October 12, 2021, initial reports suggest that the Commission voted on the amended safeguard rule before Mr Chopra’s official departure. Yet the three actions announced by the FTC on October 27, 2021 have yet to be published in the Federal Register.
 16 CFR § 314.2 (a) (effective May 23, 2002); 16 CFR § 313.3 (k) (1) (effective January 1, 2012).
 12 USC § 1843 (k) (4) (F); 12 CFR § 225.86 (d) (1).
 12 CFR § 225.86 (d) (1) (i) (A) – (ii) (C).
 Final Safeguard Rule, p. 17.
 These agencies are the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Board of Directors of the Federal Deposit Insurance Corporation, the National Credit Union Administration Board, and the Securities and Exchange Commission.
 15 USC § 46 (a).
 Final Safeguard Rule, pp. 18-19.
 See Letter from Executive Vice President and Chief Counsel Daryl Joseffer, US Chamber Litigation Center, to President Lina Khan, Federal Trade Commission (November 19, 2021), https://www.uschamber.com/assets/documents/211117_Comments_Zombie-Voting_FTC -with- signature.pdf; see also Dissenting statement by Commissioners Wilson and Phillips on Commission statement on the use of pre-approval provisions in merger cases (October 29, 2021), https://www.ftc.gov/system/files/documents/ public_statements / 1598095 / wilson_phillips_prior_approval_dissenting_statement_102921.pdf.