The Safeguards Rule is intended to ensure that financial institutions securely handle customer information. The Standards for Safeguarding Customer Information first took effect in 2003, but was amended 2021 to reflect changes in technology.
The latest changes to the Safeguards Rule expands the number of business that must be in compliance with the requirements by June 9, 2023. Failing to comply with the rule can lead to fines, lawsuits, increased scrutiny, and expensive remediation costs.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is part of The Gramm–Leach–Bliley Act, which also covers consumer information privacy and opt-out notices.
The Safeguards Rule in particular requires covered businesses to develop, implement, and maintain a thorough and complete information security program to protect sensitive customer information. This includes any nonpublic, identifiable consumer information, regardless of how it’s stored or whether it’s managed by you or a service provider.
Requirements Effective June 9, 2023
Many businesses were unable to meet the December 9, 2022 deadline for compliance with updated rules due to staff shortages and supply chain delays. In response, the FTC extended the deadline to June 9, 2023 for compliance with some of the updated requirements of the Safeguards Rule.
You’ll find a comprehensive list of requirements below, but here are parts that are required to be in place by the new deadline of June 9, 2023.
- designating a qualified individual to oversee your information security program
- developing a written risk assessment
- implementing access controls for sensitive customer information,
- encrypting all sensitive information
- training security personnel
- developing an incident response plan
- periodically assessing the security practices of service providers, and
- implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Does the FTC Safeguards Rule Apply to Your Business?
Recent changes to the rule expanded its coverage to include non-banking financial institutions. Your business may now be considered a financial institution if you handle consumer financial information. This includes:
- mortgage lenders
- payday lenders
- finance companies
- mortgage brokers
- account servicers
- real estate appraiser
- check cashers
- wire transferors
- collection agencies
- credit counselors and other financial advisors
- tax preparation firms
- non-federally insured credit unions
- investment advisors that aren’t required to register with the SEC
- finders, aka companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction
Be aware that the FTC can change the definition of financial institution at any point in the future to include other businesses involved in financial operations.
Safeguards Rule Requirements
Establish an information security program
The program should be based on the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information.
Your program will have three main objectives:
- Ensure the security and confidentiality of customer information.
- Protect against any anticipated threats or hazards to the security or integrity of such information.
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Make sure your program is updated regularly based on changes to your business, risk assessment results, new threats, changes in human resources, or any other changes that affect access to customer information.
Designate a qualified person for your customer information security program.
The FTC calls this person your “Qualified Individual” and they’re responsible for overseeing and implementing the program. You can use a third-party to oversee and implement the program, but your business is ultimately responsible for compliance.
A senior member on your team should oversee the service provider/affiliate and ensure they maintain an information security program that meets the requirements.
Your Qualified Individual is also responsible for providing an annual status report to your Board of Directors or to the person responsible for your information security program.
The report should detail risk assessments results, risk management and control decisions, relationships with service providers, results of testing, and security events or violations and management’s responses to them. Finally, the report should recommend changes to the program, if needed.
Evaluate and address potential risks with safeguards
Performing a risk assessment will help you identify potential threats to customer information. It may be more efficient to start the process by mapping the flow of customer information through your business along with the systems and people—including third-parties—that have access to that information.
This assessment should:
- identify both internal and external risks that could compromise the security, confidentiality, and integrity of customer information
- be documented and include criteria for categorizing identified security risks, evaluating the protection of information systems and customer data, and outlining how risks will be addressed
- outline measures to mitigate or accept identified risks and describe how the overall information security program will tackle these risks
Required safeguards include:
- Setting up up access controls (and regularly reviewing them) to ensure only authorized users can access customer information. This includes authenticating users and limiting their access to the specific information required for their responsibilities.
- Understanding your data ecosystem. Periodically review your data flow to be sure your safeguards are adequate and responsive.
- Encrypting customer information during transmission over networks and when at rest. If encryption is not feasible, alternative compensating controls can be used, subject to approval by your Qualified Individual.
- Ensure apps are secure—whether they’re developed in-house or by a third-party. Follow secure development practices for in-house applications and implement procedures to evaluate and test the security of externally developed applications used for transmitting, accessing, or storing customer information.
- Implementing multi-factor authentication for individuals accessing information systems, unless alternative access controls of equivalent or higher security have been approved.
- Developing procedures for securely disposing of customer information within two years after its last use, unless retention is necessary for legitimate business purposes, legal requirements, or if targeted disposal is impractical.
- Establishing change management procedures to manage modifications to systems and processes.
- Implementing policies, procedures, and controls to monitor and log access activity for authorized users and to detect any unauthorized access, use, or tampering with customer information.
Once you have safeguards in place, you should perform regular risk assessments to reexamine risks and reassess the safeguards.
Regularly test and monitor the effectiveness of your safeguards
This includes all the controls, systems, and procedures in place to protect information. Use continuous monitoring for information systems. Or, If continuous monitoring is not in place, businesses can conduct penetration testing every year or vulnerability assessments every six months.
Train your staff
Provide updated security awareness training to your employees regularly so they know how to spot risks. Make sure key employees get specialized training for their role and stay updated on new information security threats, mitigation, and responses.
Monitor service providers
This includes vendors, affiliates, and other third-parties who handle customer information. Select qualified service providers and require that they implement and maintain safeguards. Audit service providers regularly based on their risk and continued adequacy of their safeguards.
Document your incident response plan
The plan should outline how to quickly respond to and recover from security events that affect the customer information you control. It should define roles and responsibilities, establish decision-making authority, define a communication plan, identify remediation steps, and outline documentation and reporting steps.
Your incident response plan may need updating periodically, particularly after a security event.
How Safe is Your Customer Information
The requirements may seem complex, as threats gets more sophisticated, having a comprehensive security plan becomes critical to protect consumers and your business. If your business falls under other state regulations or industry requirements, like PCI compliance for example, you may find that your business already has many of the processes in place.
This information isn’t legal advice. If your business falls under the Safeguards Rule’s definition for financial institution, refer to the FTC’s resources and your legal or compliance team.