The deadline for complying with the updated FTC Safeguards Rule was June 9, 2023. Are you in compliance?
The FTC Safeguards Rule requires any business entity that is categorized as a financial institution to comply with security principles designed to protect non-public personal information. Some companies that were not considered financial institutions under the previous Rule may be included in the new updated guidelines, so it’s important to check the policy language if you handle any individual customer financial records. This may include lines of credit, loans, or other finance information.
In this article, we’ll recap the key information in the update and how our team can help you stay compliant.
Who Is Covered by the New FTC Safeguards Rule?
The FTC Safeguards Rule applies to non-banking financial institutions not covered by another regulatory body. That definition includes many entities that may not be immediately obvious, including:
- Mortgage Lenders (if not regulated by another consumer data privacy rule)
- Mortgage Brokers
- Real Estate Appraisal Firms
- Real Estate Agencies that provide real estate settlement services
- Real Estate Title Companies that provide real estate settlement services
- Automotive, Marine, Motorcycle, Farm Implement, and Recreational Vehicle Dealers
- Finance Companies
- Financial Advisors and Investment Firms
- Accounting and Tax Preparation Firms
- Insurance Agencies
- Check Cashing Companies
- Wire Transfer Service Providers
- Credit Counseling Services
- Collection Agencies
- Travel Agencies that offer financial and exchange services
Even if your company didn’t qualify as a financial institution under the original rule, it may apply to you now. It’s wise to periodically check the FTC definition of a financial institution [1], since updates may include additional business models. However, if your institution falls under another federal regulating body such as the SEC, the FTC Safeguards Rule will not apply to you. This includes banks, federally-insured credit unions, and many others.
What Are the Requirements of the FTC Safeguards Rule?
The Safeguards Rule addresses the implementation, assessment, and enforcement of information security measures to provide administrative, technical, and physical safeguards designed to protect customer information. The required information security program for your company must be designed to identify and mitigate security risks and ensure data security.
The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether on paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.
Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:
- to ensure the security and confidentiality of customer information;
- to protect against anticipated threats or hazards to the security or integrity of that information; and
- to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
What does a reasonable information security program look like?
Section 314.4 of the Safeguards Rule [2] identifies nine elements that your company’s information security program must include. Let’s take those elements step by step.
Designate a qualified individual to oversee, implement, and enforce your information security program.
You may designate a qualified individual on your internal team, or you may outsource to a third-party provider. If your company brings in a service provider to implement and supervise your program, the responsibility for your business’s security and compliance still lies with you. It’s your company’s responsibility to designate a senior employee to supervise that person.
If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider must also maintain an information security program that protects your business.
Failure to properly implement your information security program can expose your business to expensive fines and legal issues, and can severely damage your business reputation.
Conduct a written risk assessment of internal and external risks.
You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, an assessment must be conducted to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information.
Your risk assessment must be written and must include criteria for evaluating those risks and threats. While working through your risk assessment, think through how customer information could be disclosed without authorization, misused, altered, or destroyed.
The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of any “adds, moves, or changes” to your operations or the emergence of new threats. Risk assessments should be conducted on a regular basis and at least annually to re-examine the effectiveness of your safeguards.
Design and implement safeguards to control the risks identified through your risk assessment.
Among other things, in designing your information security program, the Safeguards Rule requires your company to:
- Implement and periodically review access controls.
Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it. All data should be treated with the method of “Least Privilege”. This means that all users should only be able to access the minimal amount, or type, of data in order to perform their basic duties and nothing more.
- Know what you have and where you have it.
A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
- Encrypt customer information at rest while on your system and when it’s in transit.
If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
- Assess your apps.
If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security. Make sure you have a detailed plan for regularly applying patches and updates to your applications. Get rid of all applications that are “End of Life (EOL)” or no longer supported by the application vendor.
- Implement multi-factor authentication for anyone accessing customer information on your system.
For multi-factor authentication, the Rule requires at least two of these authentication factors:
- a knowledge factor (for example, a password);
- a possession factor (for example, a PIN or a token); and
- an inherence factor (for example, biometric characteristics).
Multi-factor authentication should also be enforced for all online accounts, since it dramatically increases the security posture of the account. The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
- Dispose of customer information securely.
Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it, or if targeted disposal isn’t feasible because of the way the information is maintained. This should be fully documented in your Data Classification, Handling, Retention, and Destruction Policy.
- Anticipate and evaluate changes to your information system or network.
Changes to an information system or network can undermine existing security measures. For example, if your company adds a new server or moves its data to the cloud, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires financial institutions to build change management into their information security program.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.
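The access-control review and monitoring elements above amount to the same check: every access to customer information should trace back to a user with a documented business need for that data store, and anything else should surface for review. The following added example (not from the original post and not ITNS Consulting’s code) runs that check over a constructed authorization list and constructed access-log lines in a hypothetical format; the log format, store names and bulk-export threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "who has a legitimate business need" list that the
# Rule asks you to review periodically. Each user maps to the data stores
# (assumed names) they are entitled to under least privilege.
AUTHORIZED = {
    "jlee": {"loan_files"},
    "mpatel": {"loan_files", "credit_reports"},
    "svc_backup": {"loan_files", "credit_reports"},
}

# Constructed access-log lines in a hypothetical format:
# <timestamp> user=<id> action=<read|export> store=<data store> records=<n>
SAMPLE_LOG = """\
2023-06-12T09:14:02Z user=jlee action=read store=loan_files records=1
2023-06-12T09:20:45Z user=jlee action=read store=credit_reports records=1
2023-06-12T11:02:10Z user=tnguyen action=read store=loan_files records=3
2023-06-12T23:41:07Z user=mpatel action=export store=credit_reports records=4200
2023-06-12T23:41:09Z user=svc_backup action=read store=loan_files records=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"store=(?P<store>\S+) records=(?P<n>\d+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def review_access_log(log_text, authorized, bulk_threshold=100):
    """Return one Finding per log line that needs a human to look at it."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # A line the monitor cannot parse is itself a gap in the audit trail.
            findings.append(Finding("?", "?", f"unparseable log line: {line!r}"))
            continue
        user, store, n = m["user"], m["store"], int(m["n"])
        allowed = authorized.get(user)
        if allowed is None:
            findings.append(Finding(m["ts"], user, f"unknown user accessed {store}"))
        elif store not in allowed:
            findings.append(Finding(m["ts"], user, f"access to {store} outside entitlement"))
        elif m["action"] == "export" and n >= bulk_threshold:
            # Entitled users can still misuse data; a bulk export is worth a second look.
            findings.append(Finding(m["ts"], user, f"bulk export of {n} records from {store}"))
    return findings
```

Running `review_access_log(SAMPLE_LOG, AUTHORIZED)` flags three of the five constructed lines: an entitled user reaching a store they are not approved for, a user absent from the authorization list, and a large after-hours export by an otherwise authorized account.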
Regularly monitor and test the effectiveness of your safeguards.
Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring and vulnerability assessments of your systems. Otherwise, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly-known security vulnerabilities.
In addition, you must test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to believe may have a material impact on your information security program.
Train your staff.
A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact and effectiveness.
Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.
Monitor your service providers.
Service providers are not created equally, nor should you expect that they all possess the appropriate skill sets to protect your business from harm. Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
Keep your information security program current.
The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to believe may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.
Create a written incident response plan.
Every business needs a “What do I do when bad things happen?” incident response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:
- The goals of your plan;
- The internal processes your company will activate in response to a security event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside your company;
- A process to fix any identified weaknesses in your systems and controls;
- Procedures for documenting and reporting security events and your company’s response; and
- A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
Require your Qualified Individual to report to your Board of Directors or Senior Management.
Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors, senior management, or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.
What should the report address? The report must include an overall assessment of your company’s compliance with its information security program and cover specific topics related to the program. Examples include an updated risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.
We Can Help You Get Compliant and Manage It
The standards set forth in the FTC Safeguards Rule are designed to protect customer data privacy, detect data leaks, prevent unauthorized access, and manage risk.
Our team at ITNS Consulting can help you meet these goals by providing your business everything necessary to not only meet the FTC Safeguards Rule’s requirements, but exceed them for total peace of mind. How, you ask?
We offer a comprehensive Compliance as a Service (CaaS) program that can be tailored to your business’ various compliance requirements. This way you can be assured that if you are ever audited or required to show proof of compliance, you can easily prove your compliance status.
The FTC compliance deadline was June 9, 2023. If you didn’t realize your business was subject to these guidelines or you need to upgrade your current solutions, now is the time to act.
Even if you do have a security program in place that meets the guidelines, it’s a good idea to periodically review your solutions and ensure that they can provide the best security protection available.
At ITNS Consulting, we specialize in helping businesses close security gaps and mitigate risk. Contact us today for your free consultation and start your journey toward better security, compliance, and overall business resiliency.
Follow us on Social Media and continue to check back regularly for more Bits, Bytes, and Insights!
[1] FTC definition of a financial institution: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.2(h)(1)
[2] Code of Federal Regulations, Part 314: Standards for Safeguarding Customer Information: https://www.ecfr.gov/current/title-16/part-314