SBA agrees with 4 industry associations to delay Safeguards Rule implementation
Now another government agency thinks implementation of the enhanced Safeguards Rule from the Federal Trade Commission should be delayed.
Recently, the Small Business Administration (SBA) Office of Advocacy delivered a letter to the FTC, echoing many of the points previously made via a separate letter sent by the American Financial Services Association, ACA International, the Consumer Data Industry Association and the National Automobile Dealers Association.
The SBA Office of Advocacy is also asking the FTC to delay the implementation from December until the same month next year.
The SBA’s letter came from Jennifer Smith, who is assistant chief counsel for economic regulation and banking, and Major Clark III, who is deputy chief counsel for the Office of Advocacy.
“Because of the economies of scale, less robust recruiting and human resources budgets, and the waiting period for equipment that is being obtained by the larger companies, the problems that are outlined in the letter are magnified for small entities. Small entities do not have the buying power of large companies or additional resources to pay a premium for equipment,” Smith and Clark wrote. “Likewise, as noted in the industry letter, there is a labor shortage for workers needed to implement these safeguards. During a labor shortage, employers with the resources to offer high wages and other incentives are able to attract talent. It is more difficult for small firms that cannot afford the pay scales or incentives to attract talented employees.
“In addition, small financial institutions will need to modify their methods for evaluating these risks and the manner that they document them. Small entities must also ensure that the service providers they work with meet many of the requirements of the rule as well as amend contracts to reflect the changes,” Smith and Clark continued.
“Safeguarding customer information is extremely important. However, it is also important for the requirements of the rule to be implemented correctly,” they added.
In July, AFSA, ACA International, the Consumer Data Industry Association and NADA sent their letter to April Tabor, who is acting secretary of the FTC, explaining their position.
“Our members appreciate the FTC’s work to protect customers’ information, and they have every incentive to work alongside the commission to ensure the right safeguards are in place to protect customers, their institutions, and the financial marketplace as a whole,” the associations wrote. “At the same time, the residual effects of COVID-19 on the labor market and supply chain, as well as dueling regulatory demands and the technological changes required for proper compliance, make it difficult for covered entities to uplift their information security programs to meet the requirements in the final rule.
“To that end, we are calling for a year-long delay of the effective date to give covered entities — and their service providers — more time to properly implement the final rule’s modifications,” they continued.
The associations articulated four reasons for seeking the delay, including:
1. Members cannot hire enough skilled people fast enough to feel comfortable that they have sufficient coverage.
2. The final rule is not the only major initiative on the docket.
3. Equipment and external resources are in short supply.
4. Preparing a written risk assessment that conforms to the FTC’s specific criteria — the bedrock of the final rule — is a manual, subjective, time-consuming process.
“Moreover, the deficit in skilled workers is even greater when looking specifically at cybersecurity professionals,” the associations wrote.
“Much has been made of the growing patchwork of privacy and data security laws, rules, and guidance in the United States and the burdens it places on covered entities. This is an active space, with no signs of slowing down,” they continued.
“Additionally, some of the Final Rule’s modifications require technological changes to the existing security program. These changes include the establishment of a multi-factor authentication system, a move toward least privileged access, and an encryption process for all forms of customer information,” they went on to say. “While the amount of work required to fulfill these directives will depend on the entity’s current program, in almost all cases these technological changes will require significant investments of time and money to implement.”