Thinking about implementing a data security law in your state? Fill out our interest form to connect with the regulatory team.
In 2018, triggered by several high-profile cybersecurity breaches, the CSBS Board of Directors requested that the NDSC undertake consideration and development of a model law addressing nonbank data security (cybersecurity) concerns. The purpose of the initiative was to establish CSBS-approved model statutory language for use by states already considering such legislation, and to encourage states that have not passed laws to consider following a uniform model. In early 2019, following review of several possible models, the NDSC produced the CSBS Model Data Security Law based on the Federal Trade Commission (FTC) 2019 proposed amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act.
The Federal Trade Commission’s Safeguards Rule
The Safeguards Rule covers all nonbank financial companies. Using the Safeguards Rule proposal as the basis for the model law adds no additional regulatory burden to companies while providing consistency across federal and state oversight. Due to Covid-19, a long delay ensued at the FTC, and the CSBS model law was effectively shelved pending FTC action. The FTC’s 2019 proposal became a final rule in early 2022. At the same time, however, the FTC determined that notice requirements were an important missing component, and a new section to the now-final Safeguards Rule was proposed. We are currently awaiting the final version of the notice requirements.
These documents provide resources for states to draft and implement their own nonbank data security laws. They include information on notification requirements that may also be useful to states desiring coverage for state-chartered banks.
- CSBS Nonbank Model Data Security Law: Model law developed under direction of the CSBS Board and the NDSC for state nonbank data security (cybersecurity) needs. The model law can be used as a state statute template or as a state rule template.
- Alternative language requiring nonbank financial institutions to conform to the FTC Safeguards Rule: Developed for states desiring a more streamlined legislative or rule approach for implementing “comparable” nonbank data security language. This alternative, shortened language requires nonbank licensees to comply with the FTC Safeguards Rule.
- CSBS Nonbank Model Data Security Guidance: This document provides industry guidance comparable to the model law. It is designed for states seeking coverage that are not yet ready to propose a full data security law.
- Comparison of Data Breach Notification Requirements for Bank vs Nonbank: This tool provides states with a comparison of federal notification requirements for banks (OCC/FRB/FDIC) versus nonbanks (FTC).
Using the CSBS Nonbank Model Data Security Law
The model is for voluntary consideration and adoption; it is meant to be a helpful tool. States with existing laws or rules likely do not need this model, although they may wish to review it for completeness of their coverage. States needing requirements for nonbank cybersecurity may find the following use suggestions helpful:
- As a model or guide for your own state’s law, with minor modifications for [bracketed] language.
- For states desiring to implement a rule rather than a law, conform the model to your rule-writing process.
- For states not yet ready to implement a rule or pass a law, consider conforming the essential sections of the model to your guidance process (model template provided). Doing this will create greater harmonization across the state system even where states cannot yet pass a law.
- We have used yellow highlights to identify any substantive changes from the FTC rule.
- The model contains [Optional] sections, clearly identified. These sections are encouraged depending on your state’s need.
- The model contains [bracketed] placeholders for state-specific language (e.g., “commissioner” or specific effective dates).
- We have kept the model language as close to the FTC rule language as possible to avoid any undue or layered burden on the industry.