Updates to the Safeguards Rule
The updates to the rule enhance the existing obligations and offer more specific definitions and technical requirements. They are enhancements, not a wholesale change to the rule. The enhancements mostly pertain to dealers explaining their information sharing practices, how personally identifiable information is secured and handled administratively, and the designation of a specific person responsible for the security program.
The key is for our dealers to have a written information security program that addresses who can access customer data, using encryption to secure data (housed, transmitted or received) and how Personally Identifiable Information (PII) data is handled administratively in compliance with the rule. More detail below...
Key Provisions of the New Safeguards Rule
Single Individual Responsible for the Information Security Program. The existing Safeguards Rule allows a covered financial institution (dealer) to designate one or more employees to hold responsibility for the information security program. The new rule requires that a single “Qualified Individual” be solely responsible for overseeing and implementing the program. The new rule does not specify any particular level of training or experience required of the Qualified Individual.
More Specific Risk Assessments. The existing Safeguards Rule requires that information security programs be based on a financial institution’s identification and assessment of reasonably foreseeable internal and external risks to customer information. The new rule continues to require risk assessments, but now also specifically requires* that risk assessments be in writing (see the partial exemption below) and include: criteria to evaluate and categorize identified security risks; criteria to assess the “confidentiality, integrity, and availability” of customer information and information systems, including whether the dealer’s existing controls are adequate in the context of the identified risks to customer information; and requirements describing how identified risks will be accepted or mitigated based on the risk assessment and how the dealer’s information security program will address them.
Specific Measures. To control the risks identified through risk assessments, dealers must implement a number of specific safeguards except where an exception or qualification applies, such as:
- Multifactor authentication for both consumer and internal users accessing an information system;
- Access controls for all customer information;
- The principle of least privilege as it pertains to consumer information;
- Encryption of customer information in transit on external networks and at rest;
- Data inventory and classification practices;
- Secure development practices;
- Change management;
- Logging and system monitoring;
- Penetration testing and vulnerability assessment;
- A written incident response plan; and
- Procedures for the secure disposal of customer information within two years of when the data was last used.
“Customer information” to be protected by the new rule includes all personally identifiable financial information held by or on behalf of the financial institution; the Commission specifically declined to narrow any of the requirements to more sensitive types of information.
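The disposal requirement in the list above (customer information disposed of within two years of its last use) is the one measure that reduces to a concrete, checkable rule, so here is an added example of a retention sweep that implements it. This is illustrative code written for this page, not BBDS's or any dealer's system: the record layout, the `classification` and `legal_hold` fields, and the sample records are all constructed assumptions, and the hold flag stands in for whatever "exception or qualification" a dealer's own assessment identifies.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample records (not real dealership data). A record carries an
# identifier, its data classification from the inventory, the date it was last
# used, and any PII fields. "legal_hold" is an assumed flag for records that a
# qualification (e.g. a retention obligation) keeps out of the sweep.
SAMPLE_RECORDS: List[Dict] = [
    {"id": "C-1001", "classification": "customer_information",
     "last_used": date(2021, 3, 15), "ssn": "000-00-0000"},
    {"id": "C-1002", "classification": "customer_information",
     "last_used": date(2023, 11, 2), "ssn": "000-00-0001"},
    {"id": "C-1003", "classification": "customer_information",
     "last_used": date(2020, 1, 1), "ssn": "000-00-0002", "legal_hold": True},
    {"id": "M-2001", "classification": "marketing_aggregate",
     "last_used": date(2019, 6, 6)},
]

PII_FIELDS = ("ssn",)  # assumed list of fields that hold customer PII


def two_years_before(today: date) -> date:
    """Return the date exactly two years before `today`.

    Feb 29 has no counterpart in a non-leap year, so it rolls to Feb 28.
    """
    try:
        return today.replace(year=today.year - 2)
    except ValueError:
        return today.replace(year=today.year - 2, day=28)


def due_for_disposal(records: List[Dict], today: date) -> List[str]:
    """IDs of customer-information records at or past the two-year mark.

    Only records classified as customer information are in scope, and records
    under an assumed legal hold are skipped (the exception path in the rule).
    """
    cutoff = two_years_before(today)
    return [
        r["id"]
        for r in records
        if r["classification"] == "customer_information"
        and not r.get("legal_hold", False)
        and r["last_used"] <= cutoff
    ]


def securely_dispose(records: List[Dict], ids: List[str],
                     today: date) -> Tuple[List[Dict], List[str]]:
    """Drop the listed records and return (kept_records, audit_log).

    In a real system this step is the database delete or crypto-shred; here
    the PII fields are blanked before the record is discarded, and one audit
    line per disposal is produced for the logging/monitoring requirement.
    """
    doomed = set(ids)
    kept, audit = [], []
    for r in records:
        if r["id"] not in doomed:
            kept.append(r)
            continue
        for field in PII_FIELDS:
            if field in r:
                r[field] = None  # blank PII before the record goes away
        audit.append(f"{today.isoformat()} DISPOSED {r['id']} "
                     f"last_used={r['last_used'].isoformat()}")
    return kept, audit


if __name__ == "__main__":
    run_date = date(2024, 6, 1)
    ids = due_for_disposal(SAMPLE_RECORDS, run_date)
    remaining, log = securely_dispose(SAMPLE_RECORDS, ids, run_date)
    print("\n".join(log))
    print("remaining:", [r["id"] for r in remaining])
```

Running the sweep on the sample data with a run date of 2024-06-01 disposes of only C-1001: C-1002 is still inside the two-year window, C-1003 is held back by the assumed hold flag, and M-2001 is not classified as customer information. Scheduling the sweep (and keeping its audit lines) is what turns the bullet point into a procedure a dealer can evidence.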
Enhanced Security Training and Personnel Requirements. The existing Safeguards Rule requires security training for dealership personnel. The new rule requires that the training be updated over time based on evolving risk assessments or changes in the dealer’s practices. It also requires that security personnel receive “security updates and training sufficient to address relevant security risks,” and it requires that the financial institution (dealer) keep verification that training requirements have been met.
Oversight of Service Providers. The existing Safeguards Rule requires that dealers require providers to maintain security and confidentiality by contract. The new rule continues these requirements, and also now requires dealers to “periodically assess” their service providers on an ongoing basis.
*Partial Exemption for Institutions that Maintain Information on a Limited Number of Consumers. The new rule exempts financial institutions that maintain the customer information of fewer than 5,000 consumers from certain requirements, such as the obligation to conduct written risk assessments, annual board reporting, certain monitoring and testing requirements, and a written incident response plan.
Please contact your BBDS representative for details.