ICYMI: FTC delays Safeguards Rule implementation until June
While a notable portion of the industry was in San Diego for Used Car Week, the Federal Trade Commission made a decision involving the Safeguards Rule that likely delighted attendees mingling about the Manchester Grand Hyatt, but also at dealerships, finance companies and other service providers throughout automotive.
The FTC made a unanimous decision to extend the compliance deadline for six months, allowing financial services companies to better prepare for the Safeguards Rules. Now instead of a December mandate, companies now have until June.
The FTC reiterated through a news release that the regular approved changes to the Safeguards Rule in October 2021 that include more specific criteria for what safeguards financial institutions must implement as part of their information security programs. While many provisions of the rule went into effect 30 days after publication of the rule in the Federal Register, other sections of the rule were set to go into effect on Dec. 9.
Officials explained the provisions of the updated rule specifically affected by the six-month extension include requirements that covered financial institutions:
—Designate a qualified individual to oversee their information security program
—Develop a written risk assessment
—Limit and monitor who can access sensitive customer information
—Encrypt all sensitive information
—Train security personnel
—Develop an incident response plan
—Periodically assess the security practices of service providers
—Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information
In a separate statement, commissioner Christine Wilson elaborated about why it was important to make this decision, one requested by the American Financial Services Association along with ACA International, the Consumer Data Industry Association and the National Automobile Dealers Association.
“While I continue to note my concerns about the revisions to the recently amended Safeguards Rule, I support extending the effective date,” Wilson said. “Labor shortages of qualified personnel have hampered efforts by companies to implement information security programs. Some estimates place the shortage of cybersecurity professionals in the 500,000 range. Supply chain issues also have led to delays in obtaining necessary equipment for upgrading systems. These factors are outside the control of financial institutions and have complicated efforts by companies to meet the requirements of the amended rule by year end.
“The revisions finalized in December 2021 did not merely codify basic security practices of most financial institutions. Rather, the modifications imposed new onerous, misguided and complex obligations,” Wilson continued. “Safeguarding customer information is important. But it is still unclear whether these mandates will translate into a significant reduction in data security risks or offer other substantial consumer benefits. Regardless of the rule’s effects, companies should be given the time necessary to correctly implement the Final Rule’s burdensome requirements. For these reasons, I support extending the effective date until June 2023.
In another news release, AFSA pointed out that this request also was endorsed by the Small Business Administration’s Office of Advocacy, other trade groups and a bipartisan group of Congressional members led by Rep. Chrissy Houlahan (D-Pa.).
“AFSA member companies provide crucial services in our economy,” AFSA senior vice president Celia Winslow said. “Extending the implementation date of the rule means that companies will be able to make appropriate enhancements to systems and staffing, ultimately benefiting consumers.”