On November 15, the FTC announced a six-month extension to the deadline for companies to comply with the Safeguards Rule. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe (we discussed the Safeguards Rule in a previous blog post here). The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023.
Many provisions of the rule went into effect 30 days after publication of the rule in the Federal Register. Other sections of the rule were set to go into effect on December 9, 2022. The provisions of the updated rule specifically affected by the six-month extension include requirements that covered financial institutions:
- designate a qualified individual to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Putting it into Practice: Despite the extension, financial institutions should continue their efforts to comply expeditiously with all of the new requirements of the rule.