Today, the FTC announced “a newly updated rule [the ‘Safeguards Rule’] that strengthens the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.” According to the FTC’s press release:

The changes adopted by the Commission to the Safeguards Rule include more specific criteria for what safeguards financial institutions must implement as part of their information security program such as limiting who can access consumer data and using encryption to secure the data. Under the updated Safeguards Rule, institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.

CDIA filed a comment in this rulemaking expressing concern that the proposed rule trades away the benefits of the current Rule’s flexibility for a more rigid approach to compliance that is counterproductive. CDIA also offered comments on specific provisions in the proposed rule.

The Commission voted 5-0 to publish the final revisions to update the FTC’s jurisdiction under Dodd-Frank and the supplemental notice of proposed rulemaking to the Safeguards Rule in the Federal Register. The Commission voted 3-2 to publish the revisions to the Safeguards Rule in the Federal Register. Commissioners Noah Joshua Phillips and Christine S. Wilson voted no and issued a joint dissenting statement. Chair Lina M. Khan and Rebecca Kelly Slaughter issued a separate joint statement.