On Oct. 27, the U.S. Federal Trade Commission adopted a new Gramm-Leach-Bliley Safeguards Rule. The revision imposes more detailed data security requirements than the original GLB rule promulgated in 2002. Strictly speaking, the rule only applies to financial institutions under the FTC’s jurisdiction. More broadly, however, the new rule signals that the commission will expect some very specific elements in the cybersecurity program of any entity collecting personal information.

First, as to coverage. Under GLB, the FTC has jurisdiction over a broad grab bag of entities not regulated by any other financial services regulator. These include mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, retailers that extend credit by issuing their own credit cards directly to consumers, certain automobile dealerships, personal property or real estate appraisers, even career counselors who specialize in providing career counseling services to individuals currently employed by or recently displaced from a financial organization.

Notably, the revision adds a new category to the rule’s illustrative list of types of covered financial institutions: “finders,” defined as entities that bring together buyers and sellers of a product or service for transactions that the parties themselves negotiate and consummate. In the notice describing the rule revisions, the commission sought to assuage concerns of advertisers by stating that the concept of “finders” does not include entities that have only isolated interactions with consumers and that do not receive information from other financial institutions about those institutions’ customers, thereby “excluding, the commission believes, most advertising agencies and similar businesses that generally do not have continuing relationships with consumers who are using their services for personal or household purposes.”

In terms of cybersecurity standards, the new rule represents an important step forward. The original GLB rule required covered entities to “develop, implement and maintain a comprehensive information security plan that … contains administrative, technical, and physical safeguards that are appropriate to (the business’) size and complexity, the nature and scope of (its) activities, and the sensitivity of any customer information at issue.” That language remains in the new rule. The old rule had then specified certain elements that had to be in any entity’s security plan, but they were quite high-level: identify reasonably foreseeable internal and external risks to customer information, design and implement information safeguards to control the risks identified, regularly test or otherwise monitor their effectiveness, and oversee service providers to ensure that they too maintain “appropriate” safeguards.

The new rule is considerably more detailed in terms of the elements required in an information security plan. Among other things, regulated entities must:

  • Implement and periodically review access controls to (1) authenticate and permit access only to authorized users and (2) limit authorized users’ access only to customer information that they need to perform their duties and functions.
  • Inventory and manage data, personnel, devices, systems, and facilities.
  • Encrypt all customer information both in transit over external networks and at rest.
  • Adopt secure development practices for in-house developed applications that process customer information and procedures for evaluating, assessing, or testing the security of externally developed apps.
  • Implement multifactor authentication for any individual accessing any information system or use other reasonably equivalent or more secure access controls.
  • Develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information is used.
  • Adopt procedures for change management.
  • Monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information.

Details were also added to the requirement to test or otherwise monitor the effectiveness of key controls: For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.

While the old rule said a regulated entity had to designate “an employee or employees” to coordinate its information security program, the new rule specifies that companies must designate a single “qualified individual” responsible for overseeing, implementing and enforcing their information security program. In support of the change, FTC Chair Lina Khan said Equifax had split authority over its information security program between two people, which caused failures of communications and oversight, and that appointing a single qualified individual as coordinator could have helped prevent or limit the scope of one of the largest breaches in American history. And under the new rule, the designated lead on cybersecurity must report to the board of directors at least annually.

Practitioners, even those not representing entities with the FTC’s GLB  jurisdiction, will want to review the entire list of elements specified in the new Safeguards Rule. For most of the history of the FTC’s engagement in the data security space, there was a close alignment between the FTC’s GLB rule and its Section 5 enforcement. The FTC issued its first order in a cybersecurity case, against Eli Lilly, in May 2002, the same month it issued its initial GLB Safeguards Rule. The requirements in the original rule and the requirements imposed on Eli Lilly were essentially identical, and consent agreements in the commission’s 50-plus cybersecurity enforcement actions thereafter continued to track the GLB elements, even as the commission’s complaints identified a very long list of security failures on the part of respondents.

That alignment came to an abrupt end when the Fifth Circuit Court of Appeals ruled in 2018 in the LabMd case that high-level mandates in Section 5 cases to adopt “reasonable” security controls were unenforceable. In response, in 2019, starting with the Lightyear case and then Equifax, the FTC began imposing very specific and technical requirements in Section 5 enforcement actions. The implication of the commission’s approach was that any entity collecting personal information that did not implement these more detailed practices could be liable under Section 5. That left the GLB rule, with its high-level elements, looking increasingly unresponsive to the heightened cybersecurity risk environment.

The list of required elements for a cybersecurity program in the new Safeguards Rule brings the FTC’s specification of what cybersecurity is required under GLB more in line with what it has been requiring under its Section 5 authority since 2019. The list of required elements in the new Safeguards Rule is pretty much the same as what the commission required of Lightyear and, in 2020, of Zoom. (The extraordinary breach at Equifax yielded an extraordinarily long list of requirements.) However, the alignment is not perfect. The Zoom consent order, for example, requires scanning all new software or software updates for commonly known vulnerabilities, certainly a best practice, but not one specifically required under the GLB rule. Conversely, the Zoom order does not require multifactor authentication, instead mentioning it with a “such as” in a list of technical measures that may be used to protect against unauthorized access.

Unfortunately, therefore, neither entities regulated under GLB nor those subject to the commission’s unfair and deceptive authority can be comfortable doing only what is required in the new Safeguards Rule. Clearly, under Section 5, an entity could still be deemed to have fallen short even if it did everything in the Safeguards Rule. And the same is likely true of entities in the FTC’s GLB jurisdiction. Just to take one clear example: The Safeguards Rule does not specifically mention patch management. But any financial institution that does not follow sound patch management practices would likely be held to be violating GLB, even if it otherwise complied with the elements of the Safeguards Rule.

So the revised rule is important, but it leaves unanswered a key question in U.S. regulation of cybersecurity: How much cybersecurity is needed to avoid legal liability? Under the new rule, as under Section 5, no entity can ever be confident that it has done enough. Failing to take a particular action — one not required under the Safeguards Rule or in any prior FTC settlement — and thereafter succumbing to a new threat or vulnerability may still give rise to liability. Perhaps that degree of uncertainty is unavoidable, given the complexity of our cyber systems and the inventiveness of the bad guys, but it sure must be frustrating on the front lines.

When will the other regulators with responsibility under GLB update their rules? The rules issued jointly by the Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision are only somewhat more detailed than those of the FTC’s original rule, while the Securities and Exchange Commission rule is even more skeletal.

Photo by Samson on Unsplash