Updated FTC Safeguards Rule: The What, Why And How
The Federal Trade Commission’s Standards For Safeguarding Customer Information Rule (aka The “FTC Safeguards Rule”) is a regulation requiring entities to develop, implement and maintain a comprehensive information security program consisting of appropriate administrative, technical and physical safeguards to keep nonpublic personal/customer information secure.
Although this regulation came into effect in 2003, it was updated in 2021 in line with the evolution in technology. In October 2023, the FTC issued a final rule, amending the existing rules again and requiring regulated entities to report breaches and other cybersecurity events.
Who Is Affected By FTC Safeguards Rule?
The FTC Safeguards Rule applies to all nonbanking financial institutions (under FTC jurisdiction) that collect, store or process customer information. This includes businesses including, but not limited to, mortgage lenders and brokers, account servicers, tax preparation firms, and financial institutions under FTC jurisdiction.
What Does Nonpublic Personal Information Mean?
Nonpublic personal information translates to any personally identifiable information (PII) that an individual provides to the business while obtaining financial, investment or economic advisory, regardless of whether there is a continuing advisory relationship established. Other examples of PII include:
• Information provided by a customer while signing up for a loan, a credit card or an insurance product.
• Name, account information, payment history, bank account number, Social Security number, etc.
• Customer information on purchase of airline tickets, travel insurance or traveler’s checks, even if they are isolated transactions.
• The fact that they are your customer or have purchased any financial services from you.
According to Cornell Law School, nonpublic personal information excludes things like: “A list of names and addresses of customers of an entity that is not a financial institution [and] information that does not identify a customer such as aggregate information or blind data which does not contain personal identifiers like account numbers, names or addresses.”
What Must The Safeguards Security Program Consist Of?
The Safeguards Rule specifies nine elements that every information security program must include, namely:
1. Designating a “Qualified Individual” (an employee, affiliate or a service provider) to implement and supervise the company’s information security program.
2. Conducting a risk assessment to determine foreseeable risks and threats.
3. Designing and deploying security defenses to control risks identified. For example, encrypting customer information, implementing strict access controls and multifactor authentication, assessing application risk, disposing customer information securely, periodically evaluating changes to the information changes or network, maintaining a log of user activity, etc.
4. Regularly monitoring and testing of these defenses.
5. Training your staff members (including affiliates and service providers) to exercise alertness, caution and vigilance.
6. Monitoring security standards of third-party service providers and spelling out security expectations in their contracts.
7. Keeping the information security management program (ISMP) current based on emerging threats, personnel changes, changes in infrastructure, risk assessments, policy updates and any other change that can cause a material impact to the information security program.
8. Developing an incident response plan (IRP) that outlines procedures for reporting security events, including designated roles and responsibilities of staff members on what to do post-incident. Testing the plan is also important by performing annual tabletop exercises.
9. Having the “Qualified Individual” report to the board of directors.
New Breach Notification Requirements
If a security incident impacts at least 500 customers, businesses that are subject to the Safeguards Rule must notify the FTC as soon as possible and no later than 30 days post-discovery of the event. Entities are required to notify electronically via a form located on the FTC’s website. The notice includes things such as:
- Name and contact information of the affected institution.
- A general description of the incident.
- A brief description of the type of information involved in the incident.
- The date or date range of said incident.
- The number of individuals affected or potentially affected by the incident.
How Can Organizations Comply With The FTC Safeguards Rule?
Listed below are some recommendations and best practices that can help organizations better comply with the FTC Safeguards mandate:
• Perform a risk assessment and gap analysis: Study the rules and requirements carefully to understand what’s already in place and what requirements gaps exist in security controls, policies and procedures.
• Implement an action plan: Formulate and execute an action plan to close the security gaps identified in the assessment.
• Leverage experts: Compliance is an overwhelming and continuous process. If your organization lacks resources and expertise, it would be advisable to onboard a cybersecurity partner that has in-depth knowledge and experience with regulations and security.
• Rinse and repeat: It’s important to periodically review and monitor the state of your compliance adherence in line with evolving business changes, infrastructure, workforce and compliance requirements.
As cyber risks intensify, regulators tighten their grip over cybersecurity practices to ensure customer safety and privacy. Regulated entities must adopt the previously mentioned FTC requirements or be ready to face criminal charges and hefty penalties.