The FTC Safeguard Rule: How to Achieve Lasting Compliance
The Federal Trade Commission’s Standards for Safeguarding Customer Information, often referred to as just the “Safeguards Rule,” is an important piece of financial legislation that ensures businesses meet a high standard for protecting the security of customer personally identifiable information (PII).
First released in 2003, the rule was recently amended to cover emerging technologies, provide clearer, more concrete guidance for businesses, and keep pace with compliance trends.
The updated guidelines take effect on June 9th of 2023, meaning that now is the time for businesses who haven’t investigated the new regulation to get serious about compliance, or else face consequences such as lengthy consent decrees, injunctive relief, and reputational damage.
We’ve written this article to help businesses in Ohio start thinking about the FTC Safeguards Rule and provide an overview of the steps you’ll need to take to ensure that you avoid compliance fines.
Who Does the FTC Safeguard Rule Apply To?
The FTC Safeguard Rule applies to financial institutions that aren’t subject to other regulators under Section 505 of the Gramm-Leach-Bliley Act, which means it’s designed to set standards for data security at small and midsized institutions that haven’t previously been subject to federal legislation.
The Rule is purposefully a bit ambiguous, applying to any business that is “significantly engaged” in providing financial products or services. That means a wide spectrum of businesses, including investment advisors and mortgage brokers, car dealers, payday lenders, real estate appraisers, and even ATM operators that handle customer information, are now subject to regulation.
Here are some of the firms that must comply with the new Safeguard Rule despite not being traditional financial services firms.
There are exemptions in the Rule for small businesses that handle fewer than 5000 customer records, unless that company provides services to covered businesses or organizations. This means that, as an extension of their Gramm-Leach-Bliley (GLB) requirements, tax preparers and other small financial institutions must be ready to demonstrate reasonable compliance, regardless of their size.
Real Estate Investors
Appraisal and settlement services are defined as a financial activity by the FTC, as are investment or advisory firms in the real estate industry. While lenders and mortgage brokers are accustomed to compliance standards, real estate agencies, settlement companies, and appraisers are often surprised to discover that they have new obligations to protect customer data.
To see the complete list of companies that must comply with the new Safeguard Rule, we recommend reviewing the full text of section 314.2(h).
FTC Safeguard Rule Compliance Checklist
The goal of the regulation is to protect customer information, or “any record containing nonpublic personal information” about a customer, whether that be in digital or paper form.
To do that, the Safeguards Rule requires that financial institutions develop, implement, and maintain a compliance program that provides safeguards in three areas: administrative, technical, and physical.
Here are the most important steps you’ll need to take to achieve compliance:
Designate the Right Individuals
The first thing to do is determine who will be responsible for your FTC Safeguards Rule compliance efforts at your organization. Like HIPAA, FINRA, or PCI-DSS, compliance is not a one-off affair that you can achieve and then forget about; instead, it takes sustained effort over months and years to keep your organization compliant.
Designating a person or team to lead the effort will help you coordinate efforts across your organization and ensure that you apply security controls and data protection tools consistently. Even when you decide to work with an external provider to help you lead compliance efforts, it’s still worthwhile to choose an internal individual to interface with your contractor to ensure clear lines of communication.
A risk assessment is a deep analysis of your network technology and existing security controls. The process of running a risk assessment has been written about extensively both on the Internet and in book form.
The goal of risk assessment is twofold. First, it will uncover the location of all the customer data in your network, so you know exactly what resources you’re charged with protecting. It also helps you assess risks and threats to that data, allowing you to tailor your controls to help better protect those resources.
According to the text of the Safeguards Rule 314.4(c)(3), “Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.” Most companies should start by encrypting their email and file storage systems, such as Microsoft OneDrive and Google Drive, as those systems are where most businesses store a large amount of PII.
Next, have your compliance team audit your line of business applications and ensure that files moving in and out of those systems are being protected from prying eyes with the appropriate levels of encryption.
Secure Software Applications
As part of your audit, you should closely examine all applications that handle customer information to ensure they’re up to standard. Replace applications that don’t provide 256-bit encryption while transmitting data and ask your IT team to analyze the software applications deployed on your network for known backdoors and vulnerabilities.
During your analysis, try to uncover applications that are unregulated by your cybersecurity team. These applications, known as “shadow IT,” are a well-known cause of data loss because they’re not being updated, patched, or managed like other systems.
Multifactor Authentication (MFA) and Access Controls
As we’ve written about elsewhere, the powerful security that multi-factor authentication provides can stop 99% of password-based attacks. For this reason, the FTC has mandated MFA deployment, with two of the following three common factor types: knowledge, possession, and inherence.
To learn more about what this means, see our other blog post on multi-factor authentication.
Data Destruction is an often-overlooked facet of compliance. The FTC has very strict requirements for the destruction of customer data.
First, examine your data destruction policy and make sure it aligns with the standards the Rule sets out. That includes how you track data as it moves through its lifecycle, designating individuals to supervise records disposal, conducting due diligence when hiring a third-party vendor, and destroying data before disposing of equipment such as computers, hard drives, thumb drives, etc.
48% of second-hand hard drives and smartphones had residual data containing sensitive personal information on them.
Create a Written Incident Response Plan
No business can achieve 100% cybersecurity assurance, which is why the Safeguard Rule mandates that companies have a written set of instructions for detecting, responding to, and limiting the impact of a security incident, escalating your company’s response based on the severity of the event.
Every plan should also include a “postmortem” to help your team understand the attack better and revise your plan based on what you learned, so you can respond better in the future. To learn more about the incident response planning phase, see Section 314.4 of the Safeguard Rule, which outlines the requirements every business should meet in its incident response plan.
Track and Update
As with any compliance standard, it’s your responsibility to be prepared for changes in your network that would affect your compliance status. New or replaced hardware, changes in line of business applications, or even minor configuration changes in critical security systems can all throw a compliant system into noncompliance and endanger customer PII.
All the steps above should be familiar to anyone with regulatory compliance expertise, but as with any compliance effort, the devil is in the details. Be consistent and thorough at each step of the process, ensuring that you’re coordinating internal teams and vendors into a single streamlined compliance process.
FTC Safeguard Compliance with Ohio’s Trusted Partner
Businesses in Columbus and Cincinnati often struggle to find a technology partner who truly understands their compliance challenges. The Astute Technology Management team has been helping businesses throughout Ohio manage their FTC, FINRA/SEC, HIPAA, PCI-DSS, and other compliance requirements with maximum efficiency and minimal stress.
Contact our friendly team for help at any time at 614 389 4102 or [email protected].