Proposed Amendment to FTC Cybersecurity Rules Could Affect Retirement Plans

The Federal Trade Commission (FTC) is considering amendments to cybersecurity rules that could have an impact on retirement plan professionals.

The FTC voted 3-2 to propose amendments to the Standards for Safeguarding Customer Information, which became effective in 2003 and requires that financial institutions develop, implement and maintain a comprehensive information security program. The FTC also proposes to amend the Privacy of Consumer Information Rule under the Gramm-Leach-Bliley Act, which went into effect in 2000 and requires financial institutions to inform customers about their information-sharing practices and to allow customers to opt out of having their information shared with certain third parties.

These proposed amendments are relevant to retirement plans and administrators, argues the Groom Law Group. This, they say, is because the proposal “could raise the baseline for plan fiduciaries when developing prudent cybersecurity programs” and because it builds on the growing interest in cybersecurity that regulators, Congress and the states have shown.

The proposal would preempt state laws on data breach notifications, Groom notes, which also would make it relevant. “We would expect that many in the retirement community would welcome federal preemption in this area as opposed to managing the individualized state-level requirements,” Groom writes.

Groom also argues that the proposed amendments “highlight the difference between the retirement industry and other parts of the financial service industry,” differences that Groom says “are important when plans and service providers design cybersecurity policies.” For instance, they observe, many retirement plan participants belong to plans with auto-enrollment, as well as default contribution rates and investment elections, unlike customers in other parts of the financial services industry.

Retirement plan fiduciaries, Groom observes, must balance keeping participant data secure with the risk that information could be locked down and unavailable to participants. “Because plan fiduciaries are tasked with prudently balancing these concerns, any time new cybersecurity standards develop, it may be appropriate to help shape those new standards,” they argue, adding that the retirement industry “is particularly well-suited to act on the FTC’s endorsement for self-regulation and to the development of industry-specific standards.”

The FTC will accept comments on the proposed amendments through a date 60 days after they are published in the Federal Register.