Financial institutions will get an extra six months to improve data security safeguards needed to protect customers’ personal information. The deadline for complying with some of the FTC’s updated requirements of the Safeguards Rule is now June 9, 2023.

The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.

The commission is extending the deadline based on reports, including a letter from the Small Business Administration’s Office of Advocacy, that there is a shortage of qualified personnel to implement information security programs and that supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems. These difficulties were exacerbated by the COVID-19 pandemic. These issues may make it difficult for financial institutions, especially small ones, to come into compliance by the deadline.

The FTC approved changes to the Safeguards Rule in October 2021 that include more specific criteria for what safeguards financial institutions must implement as part of their information security programs. While many provisions of the rule went into effect 30 days after publication of the rule in the Federal Register, other sections of the rule were set to go into effect on December 9, 2022. The provisions of the updated rule specifically affected by the six-month extension include requirements that covered financial institutions:

• designate a qualified individual to oversee their information security program,
• develop a written risk assessment,
• limit and monitor who can access sensitive customer information,
• encrypt all sensitive information,
• train security personnel,
• develop an incident response plan,
• periodically assess the security practices of service providers, and
• implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

The Commission vote to extend the deadline was 4-0.