EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 65, 2022 - Issue 2
Research Article

GRAMM-LEACH-BLILEY GETS A SYSTEMS UPGRADE: WHAT THE FTC’S PROPOSED SAFEGUARDS RULE CHANGES MEAN FOR SMALL AND MEDIUM AMERICAN FINANCIAL INSTITUTIONS

 

Abstract

This paper provides an overview of impending regulatory changes to the long-standing “Safeguards Rule.” The Safeguards Rule, adopted by the U.S. Federal Trade Commission (FTC) following the passage of the Gramm-Leach-Bliley Act in 1999, established the very bedrock of business cybersecurity conditions that helped fuel development of the American information economy for two decades. While the Safeguards Rule fostered the emergence of the digital economy, it has begun to show its age. In response to a seemingly endless series of cybersecurity incidents, the FTC has proposed a series of the most sweeping reforms to the American cybersecurity regulatory regime in history. The paper identifies and describes the most impactful of the proposals and examines potential compliance challenges, including significantly increased compliance costs, notably burdensome for small and medium financial firms across the United States.

Notes

1. The FTC adopted the Safeguards Rule in May of 2002, with industry-wide compliance required by May of 2003.

2. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.6.

3. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.1(b).

4. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.2(2)(e).

5. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.3.

6. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(a); §314.4(h)(7)(i).

7. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(d)(2); §314.4(d)(2)(i).

8. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(d)(2)(ii).

9. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(f).

10. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(h).

11. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(c)(7).

12. Proposed Safeguards Rule, supra Note 10, at 13175, to be codified at 16 C.F.R. §314.4(c)(8).

13. United States Federal Trade Commission. Standards for Safeguarding Consumer Information. Federal Register: The Daily Journal of the United States, 84 Fed. Reg. 65, 13174, §314.2(c), April 4, 2019, Washington, D.C. Said section provides: “(c) Security event means an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system.”

14. 16 CFR §314.3.

15. The term “audit trails” is defined as “chronological logs that show who has accessed an information system and what activities the user engaged in during a given period,” pursuant to the notice, Proposed Rule Notice, P. 13167, incorporating by reference the definition embraced by Computer Security Resource Center, Glossary, “Audit Trail,” available at: https://csrc.nist.gov/glossary/term/audit-trail.

Additional information

Notes on contributors

Patrick Ryle

Patrick Ryle is an Assistant Professor of Accounting in the Wright School of Business at Dalton State College, where he teaches Business Law, Taxation, and Accounting courses. He is a former Adjunct Professor at the University of Rhode Island, former General Counsel of the Massachusetts Alcoholic Beverages Control Commission, former Assistant Corporation Counsel, City of Chelsea, Massachusetts and, while in law school, served in the chambers of Judge Norman H. Stahl, United States Court of Appeals for the First Circuit. Mr. Ryle is a graduate of Harvard University’s Kennedy School of Government, Boston University School of Law’s Graduate Tax Program, Northeastern University School of Law, and the MBA program at the University of Rhode Island. Mr. Ryle has had works accepted or published in the Journal of Taxation, the Journal of the American Taxation Association, the Journal of Accounting, Ethics and Public Policy, and the Journal of Accountancy.

Jie (Kevin) Yan

Jie (Kevin) Yan is an Assistant Professor of Management Information Systems in the Wright School of Business at Dalton State College. Kevin received his Ph.D. in Information Systems from Baylor University. Before beginning his Ph.D., Kevin possessed over six years of work experience in the Telecom and Datacom industries. He worked for companies including Ericsson AB, Cisco Systems and General Electric (GE). His research focuses on data philanthropy, online user communities, and Fintech. Kevin’s publications have appeared in Journal of Management Information Systems, Decision Support Systems, Information Technology & People, Information Systems Management, Journal of Information Technology Management, and AIS Transactions on Replication Research.

Lorraine R. Gardiner

Lorraine R. Gardiner is Professor of Management Information Systems in the Wright School of Business at Dalton State College. She received her Ph.D. in management science with an emphasis on management information systems from the University of Georgia. She has taught undergraduate and graduate courses in information systems, management science, statistics and project management. Dr. Gardiner’s research appears in journals that include Computers & Operations Research, Decision Sciences, European Journal of Operational Research, Group Decision and Negotiation, Interfaces, International Journal of Operations and Production Management, International Journal of Production Research, International Journal of Productivity and Performance Management, and Journal of Education for Business.
