What Changes to the FTC Safeguards Rule Might Mean for Your Business:
At EON, we're committed to keeping you updated about key regulatory changes that can impact your business operations. Today, we're spotlighting the Federal Trade Commission’s Standards for Safeguarding Customer Information, also known as the Safeguards Rule.
The Safeguards Rule was initially established in 2003 to ensure covered entities maintain protections for customer data. Recognizing the necessity to adapt to evolving technology, the FTC amended the rule in 2021, aiming to provide more specific guidance to businesses. These new changes went into place on June 9th, 2023, so it’s important to know whether or not they apply to your organization and if they do, it’s important to make sure you’re meeting these new requirements.
Who Does the Safeguards Rule Apply To?
The Safeguards Rule applies broadly to what the FTC considers “financial institutions” within it’s jurisdiction. As a part of the 2021 amendments, the FTC has broadened the definition of a financial institution to include a wide range of businesses that you might not traditionally think of as financial institutions. Examples of financial institutions under the FTC’s new amended Safeguards Rule include tax preparation firms, car dealerships, mortgage lenders, non-federally insured credit unions, finance companies, investment advisors, business “finders” or brokers, etc.. This new expanded definition focuses on the types of activities the business performs rather than how it might traditionally be labeled.
What Does the Safeguards Rule Require Companies to Do?
The rule mandates that covered entities create, execute, and maintain a written information security program. This program should include administrative, technical, and physical safeguards designed to protect customer or client information. The program's goals are threefold:
Guarantee the security and confidentiality of customer/client information.
Shield against anticipated threats or hazards to the security or integrity of customer/client information.
Defend against unauthorized access to customer/client information, which could lead to considerable harm or inconvenience to any customer.
Key Elements of an Information Security Program (according to the FTC):
The Safeguards Rule identifies nine essential components for your company’s information security program:
Create a Written Incident Response Plan: This should cover your response plan goals, internal response processes, clear roles, communication strategies, procedures for remedying weaknesses, and documentation procedures.
Designate a Qualified Individual: This person should implement and oversee your company's information security program. They can be an employee or a service provider, but the final responsibility rests with your company.
Risk Assessment: Understand what information you have and where it's stored, and conduct an assessment to determine foreseeable internal and external risks.
Design and Implement Safeguards: Ensure your program features risk controls, access controls, secure customer information handling, secure disposal of customer information, and robust monitoring procedures.
Regularly Monitor and Test Your Safeguards: This includes continuous monitoring of your system, annual penetration testing, and vulnerability assessments.
Staff Training: Train your employees to recognize security risks and ensure they are up-to-date with emerging threats.
Monitor Your Service Providers: Ensure that your service providers can maintain appropriate safeguards and meet your security expectations.
Keep Your Information Security Program Current: Be prepared to modify your program to accommodate changes in your operations, risk assessments, emerging threats, personnel changes, and other influencing factors.
Reporting Requirements: The Qualified Individual must provide regular written reports to your board of directors or a senior officer.
What Happens If You’re Not Compliant with the Updated FTC Safeguards Rule?
The consequences of not being compliant can be serious: As of June 2023, the FTC will be allowed to impose fines of up to $100,000 per violation under the updated guidelines. You may also face lawsuits from unhappy customers and employees, which could further harm your business' reputation.
Information Security is What We Do Best!
We hope this information serves as a useful starting point in understanding the Safeguards Rule. For a more detailed comprehension, we encourage you to review the text of the rule itself. We're here to support you through these changes, so please don't hesitate to reach out if you have any questions or need assistance.