The New FTC Safeguards Rule – What You Need to Know

March 3, 2023 | Compliance

The FTC Safeguards Rule has been in effect since 2003, but to keep up with changes in technology, the commission has released an update to the Safeguards Rule. The newest version of the Rule is expanded to include additional financial institutions and third parties that are involved in certain financial processes. The purpose of the Rule is to protect consumer data, and failure to comply with the new Safeguards Rule can result in fines of up to $11,000 per breach.

What Is the Deadline for Compliance with the New FTC Safeguards Rule?

The compliance deadline has been extended to June 9, 2023. Taking action to make sure your organization will meet the compliance requirements should already be underway. In order to comply with the Safeguards Rule, you must have an information security program in place. The program must “be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.”

According to the FTC, the goals of the Safeguards Rule and your compliant information security program are:

  • to ensure the security and confidentiality of customer information
  • to protect against anticipated threats or hazards to the security and integrity of that information
  • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer

Elements of Compliance for the New FTC Safeguards Rule

The Safeguards Rule outlines nine elements that your organization’s information security program must contain. You must:

  1. Designate a qualified individual to implement and supervise the program.
  2. Conduct periodic risk assessments.
  3. Design and implement safeguards to address the risks discovered during your assessments.
  4. Monitor and test the effectiveness of the implemented safeguards.
  5. Provide ongoing employee awareness training.
  6. Select service providers that have adequate safeguards in place. Your contracts with service providers must clearly spell out the security expectations to which you will hold them accountable, including methods for periodic monitoring to ensure their continued suitability.
  7. Regularly update your information security program and keep it current.
  8. Maintain a written incident response plan.
  9. Have your designated qualified individual regularly provide a written report to your board of directors or to the senior officer responsible for the program.

What Does My Information Security Program Need to Cover?

The FTC provides specific guidance about what must be addressed in your risk assessments and information security program:

  • You need to know who has access to your information and evaluate regularly whether they still need access. Included in this assessment should be a plan to immediately revoke access from employees who leave the organization and from third parties with whom you are no longer contracted.
  • You need to know where your data is and how it’s stored and the methods through which it is transmitted. An inventory of the systems, devices, platforms, and people that collect, store, and transmit data is essential.
  • Implement secure transmission protocols, including encryption, wherever possible.
  • Regularly assess the apps used by the people in your organization and evaluate the security of any apps used, to ensure they meet the security requirements detailed by the Safeguards Rule.
  • Implement multi-factor authentication for any person who must have access to customer information on your system.
  • Have a process for safely disposing of customer information.
  • If you make any changes to your network that might introduce a new security risk, address that risk immediately with updates to your safeguards.
  • Maintain a comprehensive log of users accessing your information and monitor for unauthorized access – from within or outside of your organization.

New Types of Organizations Must Now Comply with the New FTC Safeguards Rule

The Safeguards Rule, issued under the Gramm-Leach-Bliley Act, applies to financial institutions as well as to those who bring two parties together for the purpose of a financial transaction, called finders. Every organization required to comply with the new FTC Safeguards Rule should already be assessing internal risks, formalizing its incident response plan, and training its employees.

Is My Business Required to Comply with the New FTC Safeguards Rule?

The range of businesses required to comply with the Safeguards Rule is far-reaching and now includes, among others, auto dealerships. The Code of Federal Regulations, published by the National Archives, provides the following examples of financial entities that are covered by the Safeguards Rule:

  • Retailers that extend credit by issuing their own credit cards directly to consumers
  • Automobile dealerships that, as a usual part of their business, lease automobiles on a nonoperating basis for longer than 90 days
  • Personal property and real estate appraisers
  • Career counselors that specialize in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or are seeking placement with the finance, accounting, or audit departments of any company
  • Any business that prints and sells checks for consumers, either as its sole business or as one of its products
  • Any business that regularly wires money to and from consumers
  • Check cashing businesses
  • Accountants and other tax preparation services in the business of completing income tax returns
  • Any business that operates a travel agency in connection with financial services
  • An entity that provides real estate settlement services
  • Mortgage brokers
  • Investment advisory companies and credit counseling services, including collection agencies
  • Any company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate

There are specific examples, as well, of organizations that are exempt from compliance, including:

  • Retailers whose only form of credit offering is layaway
  • Retailers who accept credit card payments but do not issue credit
  • Merchants who allow customers to “run a tab”
  • Grocery stores that allow customers to write a check for more than the amount of groceries or to “get cash back” on a transaction

The FTC encourages all organizations to reevaluate whether their business has substantially changed in the last 20 years to the point where compliance is required:

Even if your company wasn’t covered by the original Rule, your business operations have probably undergone substantial transformation in the past two decades. As your operations evolve, consult the definition of financial institution periodically to see if your business could be covered now.

Visit the FTC website to learn more about the FTC Safeguards Rule.

How thinkCSC Can Help Your Columbus Organization Meet the New FTC Safeguards Rule Requirements

Many organizations do not have the internal IT resources necessary to develop and maintain the safeguards required by the FTC. However, because the FTC allows organizations to designate a qualified individual to implement and supervise the program, your Columbus organization may benefit from partnering with a managed service provider like thinkCSC. We provide our clients with extensive support to develop information security programs that meet or exceed the expectations of the Safeguards Rule. If you’re interested in learning more about how we can help you with compliance, information security, employee awareness training, incident response planning, and more, get in touch.