The FTC Safeguards Rule: What You Need to Know


Oliver Pinson-Roxburgh

CEO and Co-Founder

25th May 2023

What is the FTC Safeguards Rule?

The Federal Trade Commission (FTC) Safeguards Rule is designed to protect customer information against both internal and external risks to its security, confidentiality and integrity. It applies to businesses that collect, maintain or share data such as names, addresses, Social Security numbers, bank account details and other personally identifiable information (PII) about their customers.

The Safeguards Rule took effect in 2003 and was updated in 2021 to keep pace with current technology. Some of the amendments were effective from January 2022; for most of the new, more prescriptive requirements the FTC originally set a compliance date of December 9th, 2022 and then extended it to June 9th, 2023. Every covered company needs to have those requirements in place by that deadline.

What does the FTC Safeguards Rule require companies to do?

The FTC’s amendments to the Safeguards Rule require companies to undertake a series of technical, procedural and contractual measures to protect customer information, which in practice means the personal data of consumers and, where you hold it in the course of providing a financial product or service, of partners and employees too. It’s all part of building a written information security program that minimizes the risk of cyberattacks or data breaches occurring.

The objectives of your information security program should be to:

Ensure the security and confidentiality of customer information

Protect against anticipated threats or hazards to the security or integrity of that information

Protect against unauthorized access to, or use of, that information that could result in substantial harm or inconvenience to any customer

Is my organization affected by the FTC Safeguards Rule?

The Rule uses the Gramm-Leach-Bliley Act’s definition: a ‘financial institution’ is any organization “engaging in an activity that is financial in nature”. Banks, credit unions and other firms regulated by another agency are outside the FTC’s scope; the Rule covers everyone else that handles customer financial data, extends credit, wires money between consumers or charges a fee for financial transactions.

Here’s what the FTC say:

“The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

If your business handles customer financial data but you aren’t a bank, you’ll likely need to comply with the FTC Safeguards Rule. This includes businesses such as automobile dealerships, mortgage brokers, realtors and retailers that offer store credit cards.

Breaking down the FTC Safeguards Rule updates

There are nine elements highlighted in Section 314.4 of the Safeguards Rule that you must implement in order to stay compliant.

  1. Designate a qualified individual responsible for overseeing and implementing your information security program

    This can be someone internal to your organization, an affiliate, or a trusted service provider. The Rule doesn’t prescribe a particular degree, certification or job title, but the person must be qualified to run a program matched to the size and complexity of your business, and they take responsibility for maintaining the information security program that protects the customer information your company holds. If you use a service provider or affiliate, you still retain responsibility for compliance and must designate a senior employee to direct and oversee them.

  2. Base your information security program on a risk assessment

    Your organization must complete a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. This assessment must be written and must set out the criteria used to evaluate and categorize the risks identified, and how those risks will be mitigated. You must also repeat the assessment periodically, and whenever operational changes or newly emerging threats could affect your program.

  3. Design and implement safeguards to control risks identified through your risk assessment

    The Safeguards Rule requires your company to:

    • Implement and periodically review access controls – know who has access to what and why, and limit each user to the customer information they need to do their job
    • Conduct a periodic inventory of data – where it’s collected, stored and transmitted. You’ll also need an asset inventory covering systems, devices and platforms
    • Encrypt customer information – both at rest on your systems and in transit over external networks. If encryption is infeasible for some data, your Qualified Individual must review and approve an effective alternative compensating control
    • Assess your applications – whether your own apps or third-party apps, if they access, store or transmit customer data, you need to evaluate their security
    • Implement multi-factor authentication – for any individual accessing any information system that holds customer data, unless your Qualified Individual has approved in writing a reasonably equivalent or more secure access control
    • Dispose of customer information securely – no later than two years after it was last used to provide a product or service to that customer, unless it’s still needed for legitimate business purposes or you’re required by law to retain it
    • Anticipate and evaluate changes to your information system or network – as business processes change (new servers added, for example) you’ll need to build change management into your information security program
    • Monitor and log authorized users’ activity – you must be able to detect unauthorized access to, use of, or tampering with customer information, and know when it has been accessed
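The last three controls above (least-privilege access, MFA, two-year disposal, and an activity log that lets you answer "who accessed this record, and when?") are the ones most easily checked mechanically. The following is an added illustration, not code from the original post or from the FTC: it reviews a constructed JSON-lines access log against a constructed authorization table and flags accesses outside a user's permissions, accesses made without MFA, and records that have gone unused for two years. The log format, user names, record identifiers and permissions are all assumptions for the example.

```python
"""Added illustration (not from the original post): review an access log for
customer information against a least-privilege authorization table, an MFA
requirement, and a two-year retention window."""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample log: one JSON object per line, as an application might emit.
# Users, records and timestamps are invented for this example.
SAMPLE_LOG = """\
{"ts": "2023-05-01T09:12:00Z", "user": "alice", "record": "cust-1001", "action": "read", "mfa": true}
{"ts": "2023-05-01T09:15:00Z", "user": "bob", "record": "cust-1002", "action": "read", "mfa": false}
{"ts": "2023-05-02T14:03:00Z", "user": "mallory", "record": "cust-1001", "action": "export", "mfa": true}
{"ts": "2021-03-10T11:00:00Z", "user": "alice", "record": "cust-2000", "action": "read", "mfa": true}
{"ts": "2023-05-03T08:00:00Z", "user": "alice", "record": "cust-1003", "action": "delete", "mfa": true}
"""

# Constructed authorization table: which actions each user may perform on
# customer information. Anyone or anything not listed is unauthorized.
AUTHORIZED = {
    "alice": {"read", "delete"},
    "bob": {"read"},
}

# Dispose of customer information no later than two years after its last use.
RETENTION = timedelta(days=2 * 365)


def parse_log(text):
    """Parse JSON-lines log text into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_violations(events):
    """Return (user, record, reason) tuples for accesses that need investigation:
    an action the user is not authorized for, or any access made without MFA."""
    findings = []
    for ev in events:
        allowed = AUTHORIZED.get(ev["user"], set())
        if ev["action"] not in allowed:
            findings.append((ev["user"], ev["record"], "unauthorized action: " + ev["action"]))
        if not ev["mfa"]:
            findings.append((ev["user"], ev["record"], "access without MFA"))
    return findings


def records_past_retention(events, now):
    """Records whose most recent logged use is more than RETENTION before `now`."""
    last_used = {}
    for ev in events:
        last_used[ev["record"]] = max(last_used.get(ev["record"], ev["ts"]), ev["ts"])
    return sorted(r for r, ts in last_used.items() if now - ts > RETENTION)


def access_history(events, record):
    """Who touched a given record and when: the 'know when it was accessed' question."""
    return [(ev["ts"].isoformat(), ev["user"], ev["action"]) for ev in events if ev["record"] == record]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    review_date = datetime(2023, 6, 9, tzinfo=timezone.utc)  # the compliance deadline
    for finding in find_violations(evs):
        print("ALERT", finding)
    print("records past two-year retention:", records_past_retention(evs, review_date))
    print("cust-1001 history:", access_history(evs, "cust-1001"))
```

In a real deployment the authorization table would come from your identity provider and the log from a SIEM rather than an in-memory string, but the three questions it answers are the ones the Rule expects you to be able to answer about customer information.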
  4. Regularly monitor and test the effectiveness of your safeguards

    The Rule gives you two routes: continuous monitoring of your systems (a managed SIEM, for example), or, if you don’t have that in place, an annual penetration test plus vulnerability assessments at least every six months and whenever there are material changes to your operations or business arrangements.

  5. Train your staff

    You must provide cyber security awareness training to all staff members. This should cover phishing, social engineering, password best practices and emerging threats, and it must be kept up to date as the risks identified in your risk assessment change; an annual refresh is a sensible baseline. Staff with hands-on security responsibilities must also be given the training and knowledge to address current threats.

  6. Monitor your service providers

    It is your responsibility to select service providers that are capable of maintaining appropriate safeguards, to require those safeguards in your contracts with them, and to periodically assess their risk profile to confirm they continue to meet your own information security requirements.

  7. Keep your information security program up to date

    You must evaluate and adjust your information security program as changes to your operations happen. This could include new risks identified in your risk assessments, changes in personnel, or new emerging threats. Anything that may have a material impact on your program will need to be accounted for.

  8. Establish a written incident response plan

    This is your response and recovery plan. Its goal is to set out the internal processes your company will follow in response to a security event. It should include the plan’s goals, roles and responsibilities, internal and external communications and information sharing, a process for remediating identified weaknesses, documentation and reporting of security events, and a post-incident review so the plan is revised after each event.

  9. Require your qualified individual to report to your Board of Directors

    Your Qualified Individual must report in writing, regularly and at least annually, to your Board of Directors (or equivalent governing body; if there is none, to a senior officer responsible for the program) on the overall status and workings of your information security program. This should include compliance with the Rule, risk assessment findings, service provider arrangements, results of testing, security events and the response to them, and recommendations for changes.

In Summary

All companies affected by the FTC Safeguards Rule must be compliant with the latest amendments by the deadline of 9th June 2023. If your organization fails to do so, you could face FTC enforcement action, including consent orders and civil penalties, and affected customers and employees may bring their own claims. Many companies will need the help of an external security provider to meet at least some of the elements in section 314.4, so it’s important to fully understand how the Safeguards Rule affects you and what you need to do to stay compliant.

FTC Safeguards Rule compliant packages

We can help your business comply with the FTC Safeguards Rule, no matter what level of security you currently have in place.
