The SBA’s Office of Advocacy is supporting the efforts of ACA International and joint industry trade groups to ensure there is more time to comply with the regulator’s new data security rule impacting small businesses.
08/22/2022 1:15 P.M.
Advocacy efforts are increasing for the Federal Trade Commission to extend its effective date for the Standards for Safeguarding Customer Information rule from Dec. 9 this year to Dec. 9, 2023. The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program.
In July, on behalf of their members, ACA International, the American Financial Services Association, the Consumer Data Industry Association and the National Automobile Dealers Association submitted a letter to the FTC requesting the deadline extension.
“Our members appreciate the FTC’s work to protect customers’ information, and they have every incentive to work alongside the commission to ensure the right safeguards are in place to protect customers, their institutions, and the financial marketplace as a whole,” the joint industry trade groups said in the letter. “At the same time, the residual effects of COVID-19 on the labor market and supply chain, as well as dueling regulatory demands and the technological changes required for proper compliance, make it difficult for covered entities to uplift their information security programs to meet the requirements in the final rule. To that end, we are calling for a year-long delay of the effective date to give covered entities—and their service providers—more time to properly implement the final rule’s modifications.”
Bolstering the groups’ advocacy for an extension, the U.S. Small Business Administration (SBA) Office of Advocacy also sent a letter to the FTC with a similar request, noting the impact the compliance deadline has on small entities like ACA’s members.
“Because of the economies of scale, less robust recruiting and human resources budgets, and the waiting period for equipment that is being obtained by the larger companies, the problems that are outlined in the [industry] letter are magnified for small entities,” the SBA says in its letter to the FTC. “Small entities do not have the buying power of large companies or additional resources to pay a premium for equipment. Likewise, as noted in the industry letter, there is a labor shortage for workers needed to implement these safeguards. During a labor shortage, employers with the resources to offer high wages and other incentives are able to attract talent. It is more difficult for small firms that cannot afford the pay scales or incentives to attract talented employees.”
Safeguards Rule Requirements
The safeguards rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information, according to the FTC. The rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”
The rule covers information about regulated entities’ own customers and information about customers of other financial institutions that have provided that data to regulated entities.
Regulated entities’ information security programs must be written and must be appropriate to the size and complexity of their business, the nature and scope of their activities, and the sensitivity of the information at issue. The objectives of a company’s program should be:
- To ensure the security and confidentiality of customer information.
- To protect against anticipated threats or hazards to the security or integrity of that information.
- To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
In addition, the final rule defines several terms and provides related examples in the safeguards rule rather than incorporating them from the Privacy of Consumer Financial Information Rule.
ACA’s Take
The current labor market shortage is still being felt by the financial services industry, ACA’s letter states. The COVID-19 pandemic caused a major disruption in the American labor force, which has affected nearly every industry, including the financial services industry.
Challenges with the rule’s deadline for the joint industry trade groups include:
- Members cannot hire enough skilled people fast enough to feel comfortable that they have sufficient coverage.
- The final rule is not the only major initiative on the docket for the groups to comply with. There is the California Consumer Privacy Act, for example, which has amendments taking effect on Jan. 1, 2023.
- Equipment and external resources are in short supply.
- Preparing a written risk assessment that conforms to the FTC’s specific criteria—the bedrock of the final rule—is a manual, subjective, time-consuming process.
ACA’s compliance team is updating relevant documents in the ACA SearchPoint library with guidance related to requirements of the Safeguards Rule.
ACA will also cover the Safeguards Rule on an upcoming ACA Huddle in August and at the 2022 Fall Forum in November.