US Federal Trade Commission Proposes Prescriptive Data Security Requirements and Other Updates to Its Gramm-Leach-Bliley Act Regulations

On March 5, 2019, the Federal Trade Commission (“FTC”) proposed a number of revisions to its Gramm-Leach-Bliley Act (“GLBA”) regulations, which would (i) change the Safeguards Rule to require financial institutions to implement specific information security controls (in a departure from the FTC’s current non-prescriptive approach to data security), (ii) update its GLBA Privacy Rule and (iii) expand the definition of “financial institution” to include so-called “finders” and other entities engaged in activities that are incidental to financial activities. This Legal Update discusses the three sets of proposed changes.