US FTC Delays Safeguards Rule Deadlines by 6 MonthsRegulators Heed Concerns Over Lack of Qualified Personnel in Private Sector
U.S. regulators Tuesday postponed for six months the bulk of new cybersecurity mandates for mortgage brokers, car dealers and payday lenders that were set to come into effect in early December.
The Federal Trade Commission said it was heeding concerns that there aren't enough qualified personnel in the private sector to implement the new requirements, giving the nonbanking financial institutions that come under its purview until June 9 to comply.
The mandates stem from an October 2021 update of a regulation known as the Safeguards Rule. The update was the first since the rule took affect following President Bill Clinton's approval of the Gramm-Leach-Bliley Act of 1999.
Agency commissioners approved along partisan lines - three Democrats in favor, two Republicans against - to strengthen the rule by imposing obligations such as the encryption of sensitive information, development of an incident response plan and multifactor authentication as a prerequisite for accessing customer information. The updated rule also tells the collection agencies, tax preparation firms and other companies under FTC jurisdiction to prepare a written information security program and update it annually to make sure it stays in line with periodic risk assessments. All of these elements come under the six-month delay the current four sitting commissioners - three Democrats and one Republican - approved.
A clutch of industry lobbyists including the National Automobile Dealers Association and ACA International, which represents debt collectors, asked the agency in July for a 12-month delay. "With every organization (not just financial institutions) vying for the same scarce talent, it is extremely difficult to fill open requisitions for positions that are crucial to an effective information security program," the associations wrote.
The Small Business Administration endorsed a delay in August.
At the time they approved the updated Safeguards Rule, Democratic FTC Chair Lina Khan and Commissioner Rebecca Slaughter wrote that the new requirements would help tamp down massive data breaches, asserting that credit reporting agency Equifax likely would have avoided its massive 2017 data breach had it followed the outlined practices.
Had Equifax followed the Safeguards Rule by conducting an inventory of its systems, encrypting sensitive information, monitoring activity on its network and designating a single individual as coordinator of the cybersecurity program, they wrote, it would have "helped prevent or limit the scope of one of the largest breaches in American history."
Khan and Slaughter also pushed back against Republican criticism that the rule is prescriptive. In a dissenting statement, Commissioners Noah Phillips and Christine Wilson wrote that the Safeguards Rule will weaken data security "by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institution."