The FTC has updated its data security regulations for the financial institutions it regulates under the Gramm-Leach-Bliley Act (GLBA). The FTC’s revised requirements for information security programs, effective June 1, 2023, will now mandate data retention policies and disposal of unnecessary customer information.
To appreciate what this means, we must take a quick look at how we got here. GLBA, enacted back in 1999, required financial institution regulators to establish standards for safeguarding the security and confidentiality of customer data. 15 U.S.C. § 6801(b). The regulators obliged, with varying approaches typical of our idiosyncratic U.S. financial regulatory ecosystem. The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security controls requirements. The NCUA adopted similarly specific safeguards for credit unions. 12 C.F.R. Part 748, App. A. In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use. For the insurance industry, GLBA security standards were left to state departments of insurance, consistent with federal deference to state-level regulation of insurance.
The key point here is that no federal GLBA regulator established security standards that directly required either data retention scheduling or the disposal of customer data no longer required for legal compliance or business purposes. The banking agencies’ and NCUA’s standards spoke only to the proper means of disposal, not when customer data must be disposed of. And the SEC and FTC standards were silent on these topics.
In 2021 the FTC took a fresh look at its Safeguards Rule, 16 C.F.R. Part 314, which had been essentially untouched since it was first promulgated back in 2003. The resulting amendments updated the Rule to better address the current cyber-risk environment. And the amended Rule is more specific and granular in its required elements for the mandated information security program.
The significant point here is that the updated FTC Safeguards Rule for the first time adds data retention schedules and disposal of unnecessary data as required elements of a compliant security program for customer information. Entities subject to the amended Safeguards Rule must, effective June 1, 2023:
- Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and
- Periodically review your data retention policy to minimize the unnecessary retention of data. 16 C.F.R. § 314.4(c)(6).
This focus on data retention schedules and data disposal as essential security controls for financial institutions echoes a similar recent trend in state-level insurance laws under GLBA, discussed here, and also the New York DFS cybersecurity regulations for financial institutions, mentioned in Less Data #1. Yet it also aligns with the FTC’s current view that retention schedules and data disposal are crucial to data security for all types of businesses. For example, the FTC’s 2016 guidance document Protecting Personal Information: A Guide for Business stressed the “Scale Down” principle, which is to keep only what you need for your business:
“If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary. … If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.”
So for some time now the FTC has been moving toward the position that data retention schedules and data disposal are essential for reasonable data security. This position is clearly reflected in the FTC’s amended GLBA Safeguards Rule. But how deeply has this position permeated the FTC’s actual enforcement of reasonable data security beyond the GLBA financial institution setting? We’ll explore that in Less Data #3.