Could you be subject to the new FTC Safeguards Rule?

What is the FTC Safeguards Rule?

The purpose of the Federal Trade Commission's Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule was amended in 2021 to make sure the Rule keeps pace with current technology.

Consider these key compliance questions when reviewing your obligations under the Safeguards Rule.

Who's covered by the Safeguards Rule?

How do you know if your business is subject to the Safeguards Rule? First, consider that the Rule defines "financial institution" in a way broader than how people may use that phrase in conversation. What matters are the activities your business undertakes, not how you or others categorize your company.

To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including automobile dealers, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren't required to register with the SEC. The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those companies bring buyers and sellers together, and then the parties negotiate and consummate the transaction.

Even if the original Rule didn't cover your company, consult the definition of financial institution periodically to see if your business could be covered now.

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information as "any record containing nonpublic personal information about a financial institution's customer, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of you or your affiliates."

Your information security program must be written and appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company's program are:

  • Ensure the security and confidentiality of customer information;
  • Protect against anticipated threats or hazards to the security or integrity of that information; and
  • Prevent unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

When do the new requirements take effect?

Within 30 days of the October 27, 2021 publication, financial institutions and dealers needed to comply with the following sections of the amended Rule (many of which were existing requirements):

  • 314.4(b)(2)—Additional periodic risk assessments.
  • 314.4(d)(1)—Regularly test or monitor the effectiveness of the safeguards' critical controls, systems, or procedures.
  • 314.4(f)(1) and (2)—Overseeing service providers by (1) taking reasonable steps to select and retain and (2) requiring specific contract terms.
  • 314.4(g)—Evaluate and adjust your information security program considering the testing and monitoring results required by paragraph (d).

By December 9, 2022, financial institutions and dealers must comply with all remaining Rule requirements and amendments as outlined on the Code of Federal Regulations site.

How can you ensure that you meet your requirements under the Safeguards Rule?

The best way to be sure you follow cybersecurity best practices, meet data protection requirements, and don't leave loopholes for your commercial insurer to deny claims is alignment to a recognized cyber framework.
