FTC Safeguards Rule Gets Stronger than Ever
Introduction
Are you subject to the FTC Safeguards Rule? Do you know what the legislation requires?
If you don’t, now would be a good time to catch up.
The good news is that you don’t have to go far. Your guidebook to the Safeguards Rule, and its 2021 and 2023 amendments, starts now.
Crash Course to FTC Safeguards
The Federal Trade Commission established its original Safeguards Rule in 2002 to better protect the security of consumer financial information, and it has been subject to several enhancements since then. Covered under the law were financial institutions, including non-banking organizations like mortgage brokers, bankers, and lenders; financial advisors and car dealerships that offer financing; tax and investment advisors; and the like.
The Rule was promulgated under the Gramm-Leach-Bliley Act (GLBA) in 2003, and required companies covered by the FTC to develop, implement and maintain an information security program to protect customer information. Any record containing nonpublic personal information about a customer of a financial institution must be physically and technologically defended against unauthorized access, use, disclosure, disruption, modification or destruction. This includes using strong passwords and encryption, implementing access controls, and installing firewalls and intrusion detection systems.
The 2021 Amendment
In 2021, the Federal Trade Commission issued an amendment that expanded the scope of who is affected by the rule. While the original law applied widely to financial institutions, this amendment extended the Safeguards Rule to businesses adjacent to financial activities, such as internet marketplaces that connect sellers and consumers. Examples include mortgage brokers, account services, check cashing institutions, wire transfer services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
This amendment also exempts small businesses, defined as institutions with fewer than 5K customers, from certain requirements.
Although this amendment passed in October 2021, it only went into effect June 9th of this year after the deadline for compliance was pushed back by six months. Today, organizations subject to the FTC Safeguards Rule must have the following security measures in place:
The deadline for compliance with the 2021 amendment has already passed. How would you square up in an FTC audit?
What About the 2023 Amendment?
The latest amendment to the FTC Safeguards Rule was finalized on October 27, 2023. In essence, this legislation widens the scope of what qualifies as a “notification event” and what must be done in the wake of a security incident.
Now, any financial institution or incidental business must report, within 30 days, any data breach that leaked the private information of 500 or more people. Notably, the requirement applies when the data was unencrypted and its release was not authorized by the person whose PII it contains. Both the FTC and affected consumers must be notified as quickly as possible.
All of these changes are designed to help the FTC better understand the scope and nature of data breaches in the financial sector, and to take appropriate enforcement action against companies that fail to protect consumers’ information.
What Will This Amendment Achieve?
With the knowledge gained from these breach reports, the FTC will be able to better understand the scope, nature, and causes of data breaches in the financial sector. It hopes to develop more effective, targeted solutions by first identifying the systemic problems. The reports will also help enforce compliance with the Safeguards Rule.
Additionally, the FTC will make these breach reports publicly available. This will help consumers to understand the risks of doing business with certain financial institutions, so they can make more informed choices about their financial products and services.
The 2023 amendment takes effect 180 days after its passage. Are you ready to become cybersecure and cyber-compliant?