FTC Safeguard Rule Gets Stronger than Ever

Introduction

Are you subject to the FTC Safeguards Rule? Do you know what the legislation requires?

If you don’t, it would be a good time to catch up.

The good news is that you don’t have to go far. Your guidebook to the Safeguards Rule, and its 2021 and 2023 amendments, starts now.

The Federal Trade Commission Has Changed It’s Definition Of A Financial Institution! Do you know if your business is now considered a financial institution and subject to the Safeguards Rule? Are you A..

• mortgage lender?
• payday lender?
• auto dealer?
• finance company?
• mortgage broker?
• account servicer?
• check casher?

• wire transferor?
• collection agency?
• credit counselor or other financial advisor?
• tax preparation firm?
• non-federally insured credit union?
• investment advisor?

Crash Course to FTC Safeguards

The Federal Trade Commission established its original Safeguards Rule in 2002 to better protect the security of consumer financial information, and it has been subject to several enhancements since then. Covered under the law were financial institutions, including non-banking organizations like mortgage brokers, bankers, and lenders; financial advisors and car dealerships that offer financing; tax and investment advisors; and the like.

The Rule was promulgated under the Gramm-Leach-Bliley Act (GLBA) in 2003, and required companies covered by the FTC to develop, implement and maintain an information security program to protect customer information. Any record containing nonpublic personal information about a customer of a financial institution, must be physically and technologically defended against unauthorized access, use, disclosure, disruption, modification or destruction. This includes using strong passwords and encryption, implementing access controls, and installing firewalls and intrusion detection systems.

The 2021 Amendment

In 2021, the Federal Trade Commission issued an amendment that would expand the scope of who would be affected under the rule. While the original law applied widely to financial institutions, this amendment expanded the types of businesses that would be required to be in compliance with the Safeguards Rule to those businesses adjacent to financial activities, such as internet marketplaces that connect sellers and consumers; examples of these would be mortgage brokers, account services, check cashing institutions, wire transfer services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.

This addition also exempts small businesses from certain requirements, which is defined as institutions with fewer than 5K customers.

Although this amendment passed in October 2021, it only went into effect June 9th of this year after the deadline for compliance was pushed back by six months. Today, organizations who must comply with the FTC Safeguards Rule must have the following security measures in place:

• A designated Qualified Individual that is responsible to implement and supervise your company’s information security program.
• A written risk assessment that checks all the boxes for determining what risks the organization faces and provides steps for addressing those eventualities.
• Access controls which enforce different roles and requirements for gaining privileged access to private information. Remember the principle of least privilege: Limit access to personally identifiable information (PII) to the minimum degree necessary to perform the job’s function.
• Encrypted data whether it’s in storage, transit or just sitting in your inbox.
• Multi-factor authentication on all accounts accessing the system.
• Vulnerability assessments which assess all of the devices connected to the system, and guarantees their security before allowing them to connect.
• Penetration test reports that assess where a hacker can get into your systems, and how deep they can dive once inside.
• Procedures for data management, including its disposal, which must take place “no later than two years” after the data is last used and no longer necessary for the business to operate; as well as documentation when these policies change.
• Continuous monitoring systems which can automatically detect suspicious or unusual activity on the network.
• Incident response plans which detail how to react, respond and recover from security incidents.

The deadline for compliance with the 2021 amendment has already passed…how would you square up in an FTC audit?

What About the 2023 Amendment?

The latest Amendment to the FTC Safeguards Rule was finalized on October 27, 2023. In essence, this legislation widens the scope of what qualifies as a “notification event” and what must be done in the wake of a security incident.

Now, any financial institution or incidental business must report data breaches within 30 days of the that leaked the private information of 500 or more people. Notably, this data must be unencrypted and unauthorized for release by the person whose PII it contains. Both the FTC and affected consumers must be notified as quickly as possible.

All of these changes are designed to help the FTC better understand the scope and nature of data breaches in the financial sector, and to take appropriate enforcement action against companies that fail to protect consumers’ information.

What Will This Amendment Achieve?

With the knowledge gained from these breach reports, the FTC will be able to better understand the scope, nature, and causes of data breaches in the financial sector. They hope to be able to develop more effective, targeted solutions by first identifying the systemic problems. It will also help enforce compliance with the Safeguards Rule.

Additionally, the FTC will make these breach reports publicly available. This will help consumers to understand the risks of doing business with certain financial institutions, so they can make more informed choices about their financial products and services.

The 2023 amendment takes effect 180 days after its passage. Are you ready to become cybersecure and cyber-compliant?