You may already be required under the FTC Safeguards Rule to have systems protecting your customer information. In addition to protecting your own business and internal users, if the FTC Safeguards Rule applies, you must ensure everyone connected is protected—that service providers and affiliates safeguard the customer information you share with them.
The recent amendments to the Rule respond to a changed threat landscape: a worldwide surge in data breaches and supply chain attacks that leak personal data such as phone numbers, Social Security numbers, birthdates, home addresses, and email addresses, among other personally identifiable information (PII).
The average cost of a single data breach is currently estimated at $4.35 million (IBM's 2022 Cost of a Data Breach report), and rising.
What is the Safeguards Rule?
The Safeguards Rule is the Federal Trade Commission's implementation of part of the Gramm-Leach-Bliley Act of 1999. The GLBA establishes many requirements and standards for financial institutions to protect consumer information.
The original Rule, issued in 2002, took effect in 2003 and was deliberately high-level, which was deemed sufficient for the times. Cybersecurity has changed substantially since then, and the sheer volume and severity of attacks has necessitated updates.
The amended Rule took effect in 2022, with a compliance deadline for most of the new requirements in December of that year. The FTC extended that deadline to June 2023, recognizing that many financial organizations would need more time to comply.
The two most significant changes are the adoption of specific information security program requirements and an expansion of the definition of what constitutes a financial institution.
Information Security Program Requirements
The original Rule required a written information security program but left its contents largely to each business's judgment. In light of a massive increase in security incidents and breaches in which millions of records containing PII were stolen, even from organizations that followed the original guidance, the FTC concluded that more prescriptive requirements were needed.
The amended FTC Safeguards Rule spells out how businesses must be accountable for, and invest in, better cybersecurity.
The changes to the Rule include these seven core requirements:
- Designating a Qualified Individual to oversee, implement, and enforce the information security program.
- Access Restrictions, meaning technical and physical controls that authenticate only authorized persons and limit each of them to the customer information they need to carry out their duties. Additionally, multifactor authentication (MFA) is required for any individual accessing any information system, unless the Qualified Individual has approved in writing reasonably equivalent or more secure controls.
- Risk Assessments must now be written and must include criteria for evaluating risks to the confidentiality, integrity, and availability of the organization's information systems and customer information. The assessment must also describe how identified risks will be mitigated or accepted and how the information security program will address them.
- Encryption of all customer information at rest and in transit over external networks is now required. Where encryption is infeasible, a financial institution may secure the data using effective alternative compensating controls reviewed and approved by the Qualified Individual referenced above.
- Training on security awareness must be provided to all staff and updated as the risk assessment identifies new risks. Additionally, security personnel must receive further training sufficient to address applicable security risks effectively.
- Periodic Assessments are required for organizations maintaining customer information on 5,000 or more consumers: either continuous monitoring to detect changes in information systems that may create vulnerabilities, or, where that is not feasible, annual penetration testing of the information systems plus vulnerability assessments at least every six months (and whenever there are material changes), including systematic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities.
- Data Minimization procedures must be created, implemented, and maintained for the secure disposal of customer information in any format no later than two years after the last date it was used in connection with providing a product or service to the customer, unless retention is necessary for business operations or other legitimate purposes, or is otherwise required by law.
Whether a business was just added or already under FTC purview, implementing a robust cybersecurity program that includes many policies, practices, and solutions helps keep customer data safe and minimizes risk.
Expanded Definition of Financial Institution
One of the significant provisions of the amended Rule that was not delayed is the definition of what makes an organization a financial institution.
According to Section 314.1(b), the Rule applies to financial institutions over which the FTC has jurisdiction, meaning those whose business is engaging in activities that are financial in nature, or incidental to such activities, as described in section 4(k) of the Bank Holding Company Act of 1956.
Additionally, section 314.2(h) of the Rule gives examples such as finance companies, mortgage lenders, tax preparation businesses, and collection agencies.
The amended Rule adds several businesses to this list, such as payday lenders, which were not previously named. It also adds businesses whose value lies in bringing buyers and sellers together, known as "finders."
Implementing the FTC Safeguards Rule
While it is clear that businesses of all sizes need to implement these cybersecurity processes soon to comply with the new requirements, not all businesses are on board. One example is multifactor authentication (MFA), a critical protection for any organization. Microsoft recently released a report revealing that only 28% of its enterprise users had implemented MFA, and estimates put global business adoption of MFA at just over half.
With the deadline looming at mid-year, all financial institutions should be self-evaluating their compliance status against the FTC's seven core requirements. The first item on the list, designating a Qualified Individual, is the logical first step, because it assigns ownership of the remaining tasks.
The assessment should produce a roadmap to compliance, with auditable and trackable artifacts, and should document detailed mitigating controls wherever a requirement cannot be met as written. It is important that the business remain engaged throughout the compliance process. For example, data disposal procedures should be approved by key stakeholders before they are operationalized, to minimize business impact, because technical custodians have not historically owned retention decisions.
All seven core requirements can have an impact on business, so a clear communication plan should be implemented as new controls are put in place and enforced.
And finally, all businesses, even those outside the purview of the FTC rule, should be paying close attention to ensure they’re doing everything they can to protect customer data in addition to their own risk management strategies.
About The Author
Brian Ehle is the Vice President of Advisory and Success for Novacoast. A 20-year veteran of the IT and cybersecurity industry, he specializes in guiding organizations to optimize their security programs and operations by outlining efficient strategy and coordinating smoother execution of tactics. His organization provides consulting services to address regulatory requirements, including those discussed in this article.