- The Federal Trade Commission (FTC) sets standards for safeguarding customer information.
- The Safeguards Rule took effect in 2003 but was amended in 2021 after public comment to ensure the rule keeps pace with the current technology.
- The revised rule offers in-depth guidance for businesses — reflecting the core data security principles that all organizations under FTC’s jurisdiction must implement.
- The FTC Safeguards Rule applies to a specific class of financial institutions, such as mortgage companies, CPA and tax-prep businesses, creditors, mortgage brokers, and debt collectors.
- The safeguard rules don’t apply to banks, federal credit unions, and loans and savings institutions.
Financial institutions under the jurisdiction of the FTC Safeguards Rule must implement new security controls to protect customer’s financial information. The rule took effect in 2003 but was amended in 2021 after public comment to ensure the rule keeps pace with current technology.
After revision, FTC imposed a deadline of December 9, 2022, with a penalty of $45,000 for violating the rule. The regulations may be news for non-banking financial institutions that are first-time subject to the FTC Safeguards Rule.
FTC Safeguards Rule At Its Core
The FTC Safeguards Rule outlines data security guidelines for financial institutions under its jurisdiction to protect customers’ information and ensure organizations keep pace with current technology.
The rule is part of the more significant 1999 Financial Modernization Act, which first required financial institutions to document how they handle sensitive customer information. After almost two decades, it’s safe to say the technology and data security rules have become ancient.
Following public comment, the FTC updated the Safeguard Rule in 2021 to offer better guidance for organizations. The affected financial organizations have to go over the updates of the FTC Safeguards Rule to ensure they remain compliant with the outlined expectation before the December 9, 2022, deadline.
Who Must Comply with The FTC Safeguards Rule
According to FTC, the rule applies to all financial institutions under FTC’s jurisdiction. The official FTC site defines a financial institution as any organization that engages in activities that are financial in nature or are incidental to such financial activities.
Some financial institutions that FTC gives as examples include:
- Mortgage companies
- Mortgage brokers
- Debt collectors
- Retailers that issue store credit cards
- Property appraisers
- Career counselors who work with clients in the finance industry
- Automobile dealership
- Businesses that print and sell checks to customers
- Organizations that regularly wire money to and from consumers
- Check cashing businesses
- Accountants and income tax return preparers
- Investment advisory company and credit counseling service
- Colleges and universities accepting Title IV funds
The FTC safeguards rule doesn’t apply to banks, federal credit unions, and savings and loan institutions.
What The FTC Safeguards Rule Require Organization to Do
FTC Safeguards requires organizations under its jurisdiction to comply with several requirements. The regulator outlines three elements for every information security program of financial institutions. Your security program must:
- Ensure the security and confidentiality of customer data
- Protect customer data against threats and hazards
- Prevent unauthorized access
The FTC Safeguards Rule outlines nine requirements for compliant security infrastructure. For an organization to be compliant, it must:
- Assign a qualified individual to implement and supervise your organization’s information security program.
- Execute a risk assessment to identify any vulnerability that can compromise the security and confidentiality of customer data.
- Design and implement security controls to mitigate the risk identified through your risk assessment. The controls include access control, encrypting customer data in transit or at rest, implementing multifactor authentication, and secure data disposal.
- Regularly monitor and test the efficacy of your security controls.
- Train your staff to eliminate human weaknesses in your security programs.
- Monitor your service providers to ensure they’re up to the task and meet your company’s security standards.
- Keep your information security program current because the threat landscape is constantly evolving.
- Create a written incident response plan.
- Your qualified individual to report to your Board of Directors
What’s New With the FTC Safeguards Rule
The new amendments have many new requirements, including:
- Technical and training requirements
The technical requirements call for cybersecurity solutions that are FTC-compliant. Your organization needs to implement a security program with the following:
- Multi-Factor Authentication (MFA): The new FTC Safeguards Rule requires your organization to implement multifactor authentication for any individual accessing any information in your system. Your security system should provide users with more than one piece of evidence to verify their identity. MFA makes it harder for unauthorized people to access customers’ sensitive data.
- Penetration Testing and Vulnerability Assessments: FTC requires your security practices to include continuous monitoring, periodic penetration testing, and vulnerability assessments. The test checks for vulnerabilities in your system before hackers can exploit them. More importantly, the assessments test your cyber-defense capability and responsiveness.
- Monitor and Log User Activity & Access: Another requirement you must meet is implementing policies, controls, and procedures to monitor and log the activity of authorized users. Your organization should be able to detect unauthorized access to prevent the wrong use or tampering of customers’ data.
- Encryption: The Amended Rule requires your information security system to encrypt all customer data at rest and in transit. While data encryption is operationally difficult and costly, FTC has noted several low-cost and free encryption solutions for data in transit.
What is Monitoring & Activity Logging for FTC Safeguards Rule?
FTC says that you must implement a security solution that monitors when authorized users are accessing customer information on your system and detects any unauthorized or suspicious access to customer data.
One way to implement the requirement is to adopt a solution that collects, centralizes, and automatically analyzes your log data for users’ activities. The solution should detect unauthorized access, alert you in real-time, provide the next steps to respond, and allow easy access to historical log reports of user activity for investigations and audits.
The FTC Safeguards Mean Well For Your Business
Financial institutions under FTC should get into compliance the quickest way possible. While the new FTC Safeguards Rule demands a lot from your organization to be compliant, it’s for a good reason. The spike in security threats is concerning, and for every stakeholder in your organization, you need to do your part in managing risks.