The purpose of the FTC’s Safeguards Rule is to ensure that a company maintains safeguards to protect the security of customer information by implementing an information security program in their organization.
“Customer information” means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
The Safeguards Rule went into effect in 2003 and the FTC amended it in 2021 to help the Rule keep pace with current technology. The revised FTC Safeguards Rule deadline is June 9, 2023. Your best source of information is the official text of the Safeguards Rule found here.
How do you know if your business is considered a “financial institution” subject to the Safeguards Rule?
The Safeguards Rule defines “financial institution” in a broader sense than normal. What matters are the types of activities your business undertakes, not how you or others categorize your company.
To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including:
finance companies including automobile dealerships,
credit counselors and other financial advisors,
tax preparation firms,
non-federally insured credit unions,
and investment advisors that aren’t required to register with the SEC.
What does the Safeguards Rule require companies to do?
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
9 elements your company’s information security program must include:
Section 314.4 of the Safeguards Rule identifies 9 elements that your company’s information security program must include:
1. Designate a Qualified Individual to implement and supervise your company’s information security program. The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.
2. Conduct a risk assessment.
You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information.
3. Design and implement safeguards to control the risks identified through your risk assessment.
Implement and periodically review access controls.
4. Regularly monitor and test the effectiveness of your safeguards.
Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don’t implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly-known security vulnerabilities.
5. Train your staff.
Provide your people with security awareness training and schedule regular refreshers.
6. Monitor your service providers.
Select service providers with the skills and experience to maintain appropriate safeguards.
7. Keep your information security program current.
The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program.
8. Create a written incident response plan. Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover.
9. Require your Qualified Individual to report to your Board of Directors. Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.
Visit the FTC website more information about the Safeguards Rule and general guidance on data security.
VTC Tech can help your organization become compliant with the FTC Safeguards Rule. Whether you are an auto dealership or moneylender, we can design and implement a custom information security program that will meet the FTC compliance rules and follow cybersecurity practices. Give us a call now 1-888-800-3211 or contact us here.