The FTC Safeguards Rule: What You Need to Know

What does the FTC Safeguards Rule require companies to do?

The FTC has issued a new set of amendments to its Safeguards Rule that requires companies to undertake a series of technical, procedural and contractual measures to protect the personal data of consumers, partners and employees. It’s all part of building an information security program that helps to minimize the risk of cyberattacks or data breaches occurring.

The objective of your information security program should be to:

Is my organization affected by the FTC Safeguards Rule?

The FTC now defines ‘financial institutions’ as any organization that is “engaging in an activity that is financial in nature”, excluding banks. This includes all other types of businesses that handle customer financial data, provide credit services, wire money between consumers or charge a fee for financial transactions.

Here’s what the FTC say:

“The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

If your business handles customer financial data but you aren’t a bank, you’ll likely need to comply with the FTC Safeguards Rule. This includes businesses such as automobile dealerships, mortgage brokers, realtors and retailers that offer store credit cards.

Breaking down the FTC Safeguards Rule updates

There’s nine elements highlighted in Section 314.4 of the Safeguards Rule that you must implement in order to stay compliant.

1. Designate a qualified individual responsible for overseeing and implementing your information security program

   This can be someone internally within your organization or a trusted service provider. There’s no education or experience required for this role, but they must take responsibility for maintaining the information security program that protects the personal data your company holds.

2. Base your information security program on a risk assessment

   Your organization must complete a risk assessment that assesses internal and external risks to the security, confidentiality and integrity of customer information. This assessment must be written up and include criteria for evaluating the risks identified. You must also conduct periodic reviews due to operational changes or the emergence of new threats.

3. Design and implement safeguards to control risks identified through your risk assessment

   The Safeguard Rule requires your company to:

   • Implement and periodically review access controls – know who has access to what and why
   • Conduct a periodical inventory of data – where it’s collected, stored, or transmitted. You’ll also need an asset profile that includes systems, devices and platforms
   • Encrypt customer information – this includes that held on your system and when it’s in transit
   • Assess your applications – whether your own apps or third-party apps, if they access or transmit customer data, you need to evaluate the security of these
   • Implement multi-factor authentication – any users in your organization that access customer data will need this set up
   • Dispose of customer information securely – if you’ve held customer data that you’ve not used for two years, you must securely dispose of it
   • Anticipate and evaluate changes to your information system or network – as business processes change (new servers added, for example) you’ll need to build change management into your information security program

   • Maintain a log of authorized users’ activity – you must have the means to detect unauthorized access and know when customer information has been accessed

4. Regularly monitor and test the effectiveness of your safeguards

   This can be accomplished through continuous monitoring of your systems (managed SIEM), but if you do not have this implemented, you’ll need to conduct an annual penetration test as well as periodical vulnerability assessments.

5. Train your staff

   You must provide cyber security awareness training to all staff members. This should include phishing, social engineering, password best practices and information about emerging threats. This training must be refreshed annually as part of your information security program.

6. Monitor your service providers

   It is your responsibility to select service providers that maintain appropriate safeguards and assess their risk profile periodically to ensure they meet your own information security requirements.

7. Keep your information security program up to date

   You must evaluate and adjust your information security program as changes to your operations happen. This could include new risks identified in your risk assessments, changes in personnel, or new emerging threats. Anything that may have a material impact on your program will need to be accounted for.

8. Establish a written incident response plan

   This is your response and recovery plan. The goal of this plan is to detail the internal processes your company will take in response to a security event. It should include roles and responsibilities, communications plan, a process for remediation and reporting procedures.

9. Require your qualified individual to report to your Board of Directors

   Your Qualified Individual must report in writing regularly to your Board of Directors on the overall status and workings of your information security program. This should include recommendations for changes, risk assessment findings, security events and access control decisions.