
Proposed Amendment to FTC Cybersecurity Rules Could Affect Retirement Plans

Regulatory Compliance

The Federal Trade Commission is considering amendments to cybersecurity rules that could have an impact on retirement plan professionals. 

Earlier this month, the FTC voted 3-2 to propose amendments to the Standards for Safeguarding Customer Information, which became effective in 2003 and require that financial institutions develop, implement and maintain a comprehensive information security program. They also propose to amend the Privacy of Consumer Information Rule under the Gramm-Leach-Bliley Act, which went into effect in 2000 and requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.

The FTC will accept comments on the proposed amendments through a date 60 days after they are published in the Federal Register.

The proposed amendments are relevant to retirement plans and administrators, argues the Groom Law Group. This, they say, is because the proposal “could raise the baseline for plan fiduciaries when developing prudent cybersecurity programs” and because it builds on the growing interest in cybersecurity shown by federal regulators, Congress and state officials. 

The proposal would also preempt state laws on data breach notifications, Groom notes, which is a further reason it matters to retirement plans. “We would expect that many in the retirement community would welcome federal preemption in this area as opposed to managing the individualized state-level requirements,” Groom writes.

Groom also argues that the proposed amendments “highlight the difference between the retirement industry and other parts of the financial service industry,” differences that the firm says “are important when plans and service providers design cybersecurity policies.” For instance, Groom observes, many retirement plan participants belong to plans with auto-enrollment, default contribution rates and default investment elections, unlike customers in other parts of the financial services industry. 

Retirement plan fiduciaries, Groom observes, must balance keeping participant data secure with the risk that information could be locked down and unavailable to participants. “Because plan fiduciaries are tasked with prudently balancing these concerns, any time new cybersecurity standards develop, it may be appropriate to help shape those new standards,” they argue, adding that the retirement industry “is particularly well-suited to act on the FTC’s endorsement for self-regulation and to the development of industry-specific standards.”
