United States of America: Adopted FTC amendment to Standards for Safeguarding Customer Information Rule

On 9 December 2021, the Federal Trade Commission (FTC) adopted the amendment to the Standards for Safeguarding Customer Information Rule (section 16 CFR Part 314). The amended Rule expands the entities subject to the new requirements, defining the "financial institution" as entities that engage in any activity that is considered to be financial in nature. Under the amended Rule, entities such as mortgage brokers, payday lenders and motor vehicle dealers will be required to implement security systems to ensure the protection of customer data. In particular, the amended Rule requires financial institutions to develop a comprehensive preventive and detective security system and appoint a responsible employee to implement the required security measures. Furthermore, financial institutions are required to submit regular reports, encrypt information, create a data clearance hierarchy within the institution, and conduct a regular review of its security response plan. The expansion of the definition of "financial institutions" and the requirement to develop and maintain security systems enters into force on 10 January 2022, and the reporting requirements and compliance with the technical security standards enter into force on 9 June 2023, following the FTC decision to postpone it from 9 December 2022.