On November 15, 2022, the Federal Trade Commission (FTC) announced it is extending the deadline for covered financial institutions to comply with the updated Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) by six months.
The FTC originally published updates to the Safeguards Rule in October 2021. Under the updated rule, covered financial institutions had until December 9, 2022, to comply with certain requirements intended to increase security and further protect customer information.
The new deadline to comply with these updates is June 9, 2023. The extension, pursuant to the final rule posted in the Federal Register by the FTC, is effective immediately.
Key Provisions Affected by the Extension
While many provisions of the October 2021 rule went into effect on January 10, 2022, other sections were set to go into effect on December 9, 2022. The six-month extension specifically applies to the latter set of requirements, which require covered financial institutions to:
- designate a qualified individual to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
The six-month extension was issued after a number of reports spoke to the hardships of coming into compliance. Among them was a letter from the Small Business Administration’s Office of Advocacy, which requested a one-year extension and stated that the shortage of personnel and supplies, exacerbated by the COVID-19 pandemic, has made it difficult for financial institutions, especially smaller ones, to come into compliance by the original deadline.
The extension passed unanimously, though Commissioner Christine Wilson issued a separate statement noting that, while she voted against the October 2021 updates to the Safeguards Rule, she supported the six-month extension because of the staffing and supply shortages.
Conclusion
Wilson Sonsini Goodrich & Rosati routinely assists covered financial institutions, including financial technology companies, subject to the GLBA with compliance and will monitor developments in enforcement and industry standards to continue to assist our clients.
For more information or advice concerning the extension to the updated Safeguards Rule, please contact Libby Weingarten, Eddie Holman, Mudasar Khan, or another member of the firm’s privacy and cybersecurity practice.