How does the FTC Safeguards Rule Impact Your Business?

Posted July 2023

As the name suggests, the purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act.

WHAT CHANGED AND WHEN?

  • The new 2021 Rule modernizes the language and takes into account many of the technological and business changes since the original Rule was written in 2003.
  • It includes 9 specific steps that must be taken to be compliant; failure to comply can bring significant fines (over $46,000) and other penalties, including civil suits by the FTC.
  • The new Rule broadens the definition of the financial institutions that are covered. It now includes a “finder” as a category: a company that brings together buyers and sellers, after which the parties themselves negotiate and consummate the transaction.

The new Rule took effect June 9, 2023.

DOES IT APPLY TO MY COMPANY?

If your company handles or stores any non-public personal information in the course of doing business, then the Rule applies to your company.

Some examples (besides actual financial institutions like banks and mortgage brokers) given by the Rule are:

  • Retailers who issue a store credit card
  • Any company that provides nonoperating consumer leases (example – car dealership)
  • Career counselors who provide services to individuals seeking employment in the finance, accounting, or audit department of any company
  • Any business that regularly wires money to and from consumers
  • Accountants and tax preparation companies
  • A company providing real estate settlement services
  • Any appraisal company (personal property or real estate)
  • An investment advisory or credit counseling company
  • Any company that brings together buyers and sellers to negotiate a financial transaction

WHAT DO I NEED TO DO TO COMPLY?

Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include:

  1. Designate a Qualified Individual to implement and supervise your program
  2. Conduct a risk assessment
  3. Design and implement safeguards to control the risks identified
  4. Regularly monitor and test the effectiveness of your safeguards
  5. Train your staff
  6. Monitor your service providers
  7. Keep your information security program current
  8. Create a written incident response plan
  9. Require your Qualified Individual to report in writing regularly

WHAT DO I NEED TO DO TO COMPLY?

  1. Designate a Qualified Individual
     • The Qualified Individual will implement and supervise your company’s information security program
     • The Qualified Individual can be an employee of your company or can work for an affiliate or service provider
     • If your company brings in a service provider to implement and supervise your program, the buck still stops with you. It’s your company’s responsibility to designate a senior employee to supervise that person
     • If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business
  2. Conduct a Risk Assessment
     • Complete an inventory of what information you have and where it is stored
     • After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information
     • Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed
  3. Design and implement safeguards (a written security program) to control the risks identified through your risk assessment. The following are requirements:
     • Determine who has access to customer information and recheck regularly
     • Maintain an inventory of all information and systems
     • Encrypt customer information on your systems and when it’s in transit
     • Assess the security of your apps
     • Implement multi-factor authentication (password plus a token or biometrics)
     • Dispose of customer information securely no later than two years after your most recent use of it to serve the customer, unless there is a legal requirement to hold on to it
     • Anticipate and evaluate changes to your information system or network
     • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
  4. Regularly monitor and test the effectiveness of your safeguards
     • Implement a service that continuously monitors your systems, or
     • At minimum, conduct annual penetration testing and system-wide vulnerability scans every six months, and
     • In addition, do a penetration test and vulnerability scan whenever there are changes to your business operations that may have a material impact on your information security program
  5. Train Your Staff
     • Provide your people with security awareness training and schedule regular refreshers
     • Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program, and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures
  6. Monitor your service providers
     • Select service providers with the skills and experience to maintain appropriate safeguards
     • Your contracts must:
       • Spell out your security expectations
       • Build in ways to monitor your service provider’s work
       • Provide for periodic reassessments of their suitability for the job
  7. Keep your information security program current
     • The only constant in information security is change. Flexibility is the key to success
     • Pay close attention to anything that can impact your information security program and modify it as needed. Examples are:
       • Changes to operations or processes
       • Risks identified during regular risk assessments
       • Emerging threats reported in the news
       • Changes in personnel, especially if they had any contact with sensitive data or systems
  8. Create a written incident response plan
     • An incident is defined as unauthorized access to or misuse of personal information. Your plan must include the following:
       • The goals of your plan
       • The internal processes your company will activate in response to a security event
       • Clear roles, responsibilities, and levels of decision-making authority
       • Communications and information sharing both inside and outside your company
       • A process to fix any identified weaknesses in your systems and controls
       • Procedures for documenting and reporting security events and your company’s response
       • A postmortem of what happened and a revision of your incident response plan and information security program based on what you learned
     • *Exception – companies with information on fewer than 5,000 consumers are exempt from this part of the Rule
  9. Require written reports from your Qualified Individual to your governing body
     • Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors, governing body, or senior corporate officer responsible for security
     • If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program
     • What should the report address?
       • An overall assessment of your company’s compliance with its information security program
       • Risk assessment and test results
       • Risk management and control decisions
       • Service provider arrangements
       • Security events and how management responded
       • Recommendations for changes in the information security program
     • *Exception – companies with information on fewer than 5,000 consumers are exempt from this part of the Rule

Schedule a consultation call with TGI.

A simple call with our TGI and iPower experts is all you need to begin the steps needed for full FTC compliance.

Our advanced and certified team can execute, supervise, assist or educate on these procedures to be sure your organization is not only compliant, but remains compliant.

Contact your TGI or iPower sales representative today and let us take care of the rest.

Get in Touch with TGI

TGI is ready to assist. Let’s connect today to see how we can help your business.
Call 866-468-4462 or complete the form below.