FTC Amends Longstanding Data Security Rule

November 5, 2021

The FTC has revised a data security rule requiring financial institutions to encrypt customers’ personal data and appoint a cybersecurity point of contact in the event of a data breach. The updates outline specific criteria that financial institutions must meet, including explaining their information-sharing practices. After a year of high-profile data breaches and hacks, a response by the FTC is not surprising. According to a report by IBM Security, in 2021 alone, the financial industry suffered $5.72 million in losses directly attributable to data breaches.

The High Cost of Data Breaches

The average data breach goes undiscovered for nine months and can take the better portion of a year to identify and contain fully. Besides the cost to the industry, high-profile breaches of sensitive personal data erode the confidence that customers have in their financial institutions. In 2017, the data breach at Equifax resulted in a leak of 150 million people’s social security numbers. Further investigation into the Equifax breach revealed the scale of the company’s ineptitude regarding customer data security, with many customers’ passwords being stored in plaintext (i.e., unencrypted) files.

The Vote to Amend the Data Security Rule

The 3–2 vote by the FTC to amend the security rule fell along party lines, with all Democratic members of the Commission voting in favor and all Republican members voting against. In a joint statement, FTC Chair Lina M. Khan and Commissioner Rebecca K. Slaughter defended the amendments to the rule.

“In the twenty years since the rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily. The amendments adopted today require financial institutions to develop information security programs that can meet the challenges of today’s security environment.”

In a statement explaining their dissent, the two Republican members of the Commission described the updates to the rule as being unnecessary.

“The amended Safeguards Rule replaces a rule that has worked well for 20 years, a rule that took a principle-based approach in order to provide financial institutions flexibility to determine the appropriate and realistic security safeguards for their organizations.”

Criticism of the New Rule

The dissenting Commissioners knock the new rule for requiring companies to achieve impossibly “perfect” security and imposing a one-size-fits-all rule to a complex and changing field. Even with the new rule’s requirements, they say, hacks such as the Equifax data breach could not have been prevented. However, in a world where cybersecurity threats, ransomware attacks and high-profile hacks are becoming more frequent and severe, such a rationale seems to ring hollow.

Response to Criticism

The Commission’s Democratic majority responds to such criticism by pointing out that the rule does not mandate any particular method to achieve compliant security, offering institutions some level of flexibility. Further, the majority sees the dissenter’s objection to demanding “perfect” security as disingenuous. The dissenters criticize the rule’s requirements of “perfection” in one breath, then critique it for not being a perfect solution with the next. If the rule had been in place, the majority says, a breach such as Equifax could have been limited in scope, even if it could not have prevented the hack altogether.

Data breaches have become an altogether too frequent occurrence where ordinary people pay the price for a company’s mishandling of their personal data. What effect the new rule will have in combatting data breaches remains to be seen, but with such high stakes, even a step in an imperfect direction may be better than taking no steps at all.