This article describes the elements of an information security program under the Federal Trade Commission Final Rule regarding Standards for Safeguarding Customer Information (the “FTC Rule”). While the effective date of the FTC Rule was January 10, 2022, certain information security program elements become effective as of December 9, 2022. This article also highlights differences between the FTC Rule information security program elements and their counterparts under the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies. Financial institutions to which the FTC Rule applies should assess the extent to which their information security programs satisfy the elements of an information security program under the FTC Rule, identify and address any gaps, and document the foregoing. Others to which the FTC Rule does not apply also may choose to assess where their programs, policies, and practices, among other things, stand in light of evolving federal and state law requirements for information security programs.
By Melissa J. Krasnow[1]
I. INTRODUCTION
The federal and state law requirements for information security programs continue to evolve. Examples include the Federal Trade Commission (“FTC”) Final Rule regarding Standards for Safeguarding Customer Information (the “FTC Rule”) and the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (