[Federal Register Volume 87, Number 225 (Wednesday, November 23, 2022)]
[Rules and Regulations]
[Pages 71509-71511]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-25201]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084-AB35


Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Final rule; delay of effectiveness.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is delaying the effective date of 
portions of the amended Safeguards Rule as published on December 9, 
2021.

DATES: 
    Effective date: This final rule is effective November 23, 2022.
    Applicability date: The applicability of the provisions set forth 
in Sec.  314.5 is delayed from December 9, 2022 until June 9, 2023.

[[Page 71510]]


FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773), 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Final Rule and Delay of Effectiveness

    On December 9, 2021, the Federal Trade Commission (Commission) 
amended the Safeguards Rule, 16 CFR part 314. While portions of the 
amended rule became effective on January 10, 2022, certain provisions 
were originally to become effective December 9, 2022. 16 CFR 314.5.
    The Commission is aware there is a reported shortage of qualified 
personnel to implement information security programs and supply chain 
issues may lead to delays in obtaining necessary equipment for 
upgrading security systems.\1\ In addition, these difficulties were 
exacerbated by the COVID-19 pandemic that has been active as financial 
institutions have attempted to come into compliance with the amended 
Safeguards Rule. These issues may make it difficult for financial 
institutions, especially small ones, to come into compliance with the 
amended Safeguards Rule by December 9, 2022. Accordingly, the 
Commission is delaying the effective date of those portions of the 
Safeguards Rule that were to go into effect on December 9, 2022, until 
June 9, 2023.\2\
---------------------------------------------------------------------------

    \1\ See, e.g., James Legg, ``Confronting the shortage of 
security professionals,'' Forbes.com (Oct. 21, 2021), https://www.forbes.com/sites/forbesbusinesscouncil/2021/10/21/confronting-the-shortage-of-cybersecurity-professionals/; Cyber Seek, 
Cybersecurity Supply/Demand, https://www.cyberseek.org/heatmap.html; 
Robert Triggs, ``The global computer chip shortage explained,'' 
Androidauthority.com (June 5, 2022), https://www.androidauthority.com/computer-chip-shortage-1212941/.
    \2\ The Safeguards Rule's ongoing rulemaking was included in the 
Commission's Spring 2022 Regulatory Agenda, but that Agenda did not 
contemplate this final rule extending the effective date of parts of 
the final rule issued on December 9, 2021. See Fed. Trade Comm'n, 
Standards for Safeguarding Consumer Information, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3084-AB35. Pursuant to Section 22(d)(4) of the FTC Act, 15 U.S.C. 57-
b3(d)(4), this Rule was not included in the Commission's Spring 2022 
Regulatory Agenda because the Commission first considered this final 
rule and the reasons supporting it after its approval of the Agenda.
---------------------------------------------------------------------------

II. Administrative Procedure Act

    The Commission is issuing the final rule without prior notice and 
the opportunity for public comment and, as explained below, without the 
delayed effective date ordinarily prescribed by the Administrative 
Procedure Act (APA).\3\ Pursuant to section 553(b)(3)(B) of the APA, 
general notice and the opportunity for public comment are not required 
with respect to a rulemaking when an ``agency for good cause finds (and 
incorporates the finding and a brief statement of reasons therefor in 
the rules issued) that notice and public procedure thereon are 
impracticable, unnecessary, or contrary to the public interest.'' \4\
---------------------------------------------------------------------------

    \3\ 5 U.S.C. 553.
    \4\ Id. at 553(b)(3)(B).
---------------------------------------------------------------------------

    The Commission believes the public interest is best served by 
revising 16 CFR 314.5 to delay the effective date of certain portions 
of the Safeguards Rule and by making such revision effective 
immediately upon publication in the Federal Register. As noted above, 
the COVID-19 pandemic has disrupted economic activity in the United 
States. This has exacerbated a reported shortage of qualified 
information security personnel and supply chain issues that can lead to 
delays involving equipment necessary to upgrade information security 
systems. Delaying the effective date of these portions of the amended 
Safeguards Rule will allow financial institutions additional time to 
effectively and efficiently bring their information security programs 
into compliance with the Rule.\5\ For these reasons, the Commission 
finds that there is good cause consistent with the public interest to 
issue the rule without advance notice and comment.\6\
---------------------------------------------------------------------------

    \5\ The revised deadline should also go into effect as soon as 
possible because the original deadline in December 2022 is imminent.
    \6\ See 5 U.S.C. 553(b)(3)(B).
---------------------------------------------------------------------------

    The APA also requires a 30-day delayed effective date, except for 
``(1) substantive rules which grant or recognize an exemption or 
relieve a restriction; (2) interpretative rules and statements of 
policy; or (3) as otherwise provided by the agency for good cause.'' 
\7\ As noted above, the Commission finds there is good cause to revise 
the effective date of the portions of the Safeguards Rule that were 
previously designated to go into effect on December 9, 2022, 
immediately.\8\ The Commission recognizes that, while this rule 
revision goes into effect immediately, the result of the revision is to 
give regulated parties additional time to come into compliance, so they 
would not be prejudiced if the change goes into effect immediately. 
Furthermore, the delay of an effective date of a substantive rule 
requirement is a ``substantive rule[]'' that ``relieve[s] a 
restriction'' for a period of time, which makes it eligible to take 
effect without the ordinary wait of 30 days.\9\
---------------------------------------------------------------------------

    \7\ Id. at 553(d).
    \8\ See id. at 553(d)(3).
    \9\ Id. at 553(d)(1).
---------------------------------------------------------------------------

III. Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act 
(PRA), an agency may not conduct or sponsor, and a respondent is not 
required to respond to, an information collection unless it displays a 
currently valid Office of Management and Budget (OMB) control number. 
The Commission has reviewed this final rule pursuant to authority 
delegated by the OMB and has determined it does not contain any 
collections of information pursuant to the PRA.

IV. Regulatory Flexibility Act and Congressional Review Act

    The Regulatory Flexibility Act (RFA) \10\ requires an agency to 
consider whether the rules it proposes will have a significant economic 
impact on a substantial number of small entities. The RFA applies only 
to rules for which an agency publishes a general notice of proposed 
rulemaking pursuant to 5 U.S.C. 553(b). As discussed previously, 
consistent with section 553(b)(3)(B) of the APA, the Commission has 
determined for good cause that general notice and opportunity for 
public comment is unnecessary, and therefore the Commission is not 
issuing a notice of proposed rulemaking. Accordingly, the Commission 
has concluded the RFA's requirements relating to initial and final 
regulatory flexibility analyses do not apply. In any event, the 
extension of the effective date will reduce the burden of complying 
with the Rule for all covered financial institutions, including small 
businesses.
---------------------------------------------------------------------------

    \10\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    Pursuant to the Congressional Review Act (5 U.S.C. 801 through 
808), the Office of Information and Regulatory Affairs designated this 
rule as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 314

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission amends 
16 CFR part 314 as follows:

PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

1. The authority citation for part 314 continues to read as follows:

    Authority: 15 U.S.C. 6801(b), 6805(b)(2).


2. Revise Sec.  314.5 to read as follows:

[[Page 71511]]

Sec.  314.5  Effective date.

    Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), 
(h), and (i) are effective as of June 9, 2023.

    By direction of the Commission.
April J. Tabor,
Secretary.


    Note:  the following statement will not appear in the Code of 
Federal Regulations.

Concurring Statement of Commissioner Christine S. Wilson

    The Safeguards Rule requires financial institutions to develop, 
implement, and maintain a comprehensive information security program to 
protect customer information.\1\ In 2021, the Commission updated the 
Safeguards Rule to add several prescriptive requirements that 
necessitate significant investment to effectively implement.\2\ I voted 
against the revisions to the rule, in part, because I feared the new 
obligations would inhibit flexibility and impose substantial costs, 
especially on small businesses.\3\ Despite assurances that financial 
institutions were already implementing many of the requirements of the 
amended rule or had sophisticated compliance programs that could easily 
adopt and pivot to address new obligations, I was concerned that the 
Commission did not understand fully the economic impact of the proposed 
changes. It has become clear that the Commission may have 
underestimated the burdens imposed by the rule revisions.
---------------------------------------------------------------------------

    \1\ 16 CFR part 314.
    \2\ The amended Rule was published in the Federal Register on 
December 9, 2021. 86 FR 70272 (Dec. 9, 2021). As I noted at the time 
of the final rule's publication, I appreciated Staff's diligent work 
on the Safeguards Rule and commitment to consider input from all 
relevant parties. Staff's continued commitment to address the 
serious concerns of parties impacted by the Safeguards Rule is 
laudable.
    \3\ Dissenting Statement of Commissioner Noah Joshua Phillips 
and Commissioner Christine S. Wilson, Final Rule Amending the Gramm-
Leach-Bliley Act's Safeguards Rule (Oct. 27, 2021), https://www.ftc.gov/system/files/documents/public_statements/1597994/joint_statement_of_commissioners_phillips_and_wilson_in_the_matter_of_regulatory_review_of_the_1.pdf; Dissenting Statement of 
Commissioner Noah Joshua Phillips and Commissioner Christine S. 
Wilson, Review of Safeguards Rule (Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.
---------------------------------------------------------------------------

    While I continue to note my concerns about the revisions to the 
recently amended Safeguards Rule, I support extending the effective 
date. Labor shortages of qualified personnel have hampered efforts by 
companies to implement information security programs. Some estimates 
place the shortage of cybersecurity professionals in the 500,000 
range.\4\ Supply chain issues also have led to delays in obtaining 
necessary equipment for upgrading systems. These factors are outside 
the control of financial institutions and have complicated efforts by 
companies to meet the requirements of the amended rule by year end.
---------------------------------------------------------------------------

    \4\ Data gathered under a Commerce Department grant indicates 
that there are over 500,000 unfilled cybersecurity job openings. The 
research indicates that nationally, there are only enough 
cybersecurity workers in the United States to fill 68% of the 
cybersecurity jobs that employers demand. Cyber Seek, Cybersecurity 
Supply/Demand Heat Map, https://www.cyberseek.org/heatmap.html (last 
visited Nov. 14, 2022).
---------------------------------------------------------------------------

    The revisions finalized in December 2021 did not merely codify 
basic security practices of most financial institutions. Rather, the 
modifications imposed new onerous, misguided, and complex obligations. 
Safeguarding customer information is important. But it is still unclear 
whether these mandates will translate into a significant reduction in 
data security risks or offer other substantial consumer benefits. 
Regardless of the rule's effects, companies should be given the time 
necessary to correctly implement the final rule's burdensome 
requirements. For these reasons, I support extending the effective date 
until June 2023.

[FR Doc. 2022-25201 Filed 11-22-22; 8:45 am]
BILLING CODE 6750-01-P