FTC’s Amended Safeguards Rule: A Step Towards Cybersecurity Coordination amidst Challenges for Nonbanking Financial Institutions

Despite the unprecedented challenge that cybersecurity poses to businesses worldwide, the response of regulatory bodies has often been scattered and inconsistent. Efforts by federal agencies to improve this coordination saw a significant advance with the recent amendment to the Federal Trade Commission’s (FTC) Safeguards Rule. Alston & Bird conducted a comprehensive analysis of the changes, investigating their implications for nonbanking financial institutions.

While the FTC is not the first federal agency to impose regulations on cybersecurity breaches, the amendment marks a remarkable degree of alignment with other existing federal and state rules. Yet the interplay between the new FTC notification requirements and those of other agencies appears to be characterized by both symmetry and friction. Let’s examine these points further.

For nonbanking financial institutions, the amended Safeguards Rule ushers in requirements for speedy notification to both consumers and the FTC should a cybersecurity breach occur. But this is not new ground – similar requirements are seen in other federal laws and are often familiar territory for these businesses.

The real distinction with the FTC’s amendment is not in the obligation itself, but in the specific mechanisms and timelines that it demands. The rule’s stipulation of reporting within ten days of a security event sets a more stringent standard than many other regulations. This adds to the complexity for these institutions, which are already navigating an intricate regulatory landscape.

Moreover, the new regulations also bring conflicts with existing rules. While the FTC points out that its rule aims to align with other federal and state regulations, some inherent contradictions are likely to produce challenges. Companies will need to foster cohesive strategies that blend compliance with the new FTC requirements while also adhering to other existing regulations.

The impact of the FTC’s new rule cannot be overstated. The demands it imposes on nonbanking financial institutions will necessitate substantial operational and policy shifts. Only through close scrutiny of the new regulations and continuous regulatory interaction can these businesses successfully meet growing cyber threats.