The U.S. Federal Trade Commission (FTC) is responsible for enforcing laws that protect consumers by reducing fraud, deception, and unfair business practices. The commission, created in 1914, was originally charged with promoting competition and “busting the trusts”, but its mission has expanded as technologies and business practices have changed.
What is the FTC Safeguards Rule?
The purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the FTC Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule was amended in 2021 to make sure the Rule keeps pace with current technology.
Consider these key compliance questions when reviewing your obligations under the Safeguards Rule.
Who's covered by the Safeguards Rule?
How do you know if your business is subject to the Safeguards Rule?
First, consider that the Rule defines “financial institution” in a way much broader than how people may use that phrase in conversation.
What matters are the activities your business undertakes, not how you or others categorize your company.
To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including:
- automobile dealers
- mortgage lenders
- payday lenders
- finance companies
- mortgage brokers
- account servicers
- check cashers
- wire transferors
- collection agencies
- credit counselors and other financial advisors
- tax preparation firms
- non-federally insured credit unions
- investment advisors that aren’t required to register with the SEC.
The 2021 amendments to the FTC Safeguards Rule add a new example of a financial institution – finders. Those companies bring buyers and sellers together, and then the parties negotiate and consummate the transaction.
Even if the original Rule didn’t cover your company, consult the definition of financial institution periodically to see if your business could be covered now.
What does the Safeguards Rule require companies to do?
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
The Rule defines customer information as “any record containing nonpublic personal information about a financial institution’s customer, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of you or your affiliates.”
Your information security program must be written and appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:
- Ensure the security and confidentiality of customer information;
- Protect against anticipated threats or hazards to the security or integrity of that information; and
- Prevent unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
When do the new requirements take effect?
Within 30 days of the October 27, 2021 publication, financial institutions and dealers needed to comply with the following sections of the amended Rule (many of which were existing requirements):
- 314.4(b)(2)—Conduct additional periodic risk assessments.
- 314.4(d)(1)—Regularly test or monitor the effectiveness of the safeguards’ critical controls, systems, or procedures.
- 314.4(f)(1) and (2)—Oversee service providers by (1) taking reasonable steps to select and retain them and (2) requiring specific contract terms.
- 314.4(g)—Evaluate and adjust your information security program in light of the testing and monitoring results required by paragraph (d).
By December 9, 2022, financial institutions and dealers must comply with all remaining Rule requirements and amendments as outlined on the Code of Federal Regulations site.
How can you ensure that you meet your requirements under the FTC Safeguards Rule?
The best way to be sure you follow cybersecurity best practices, meet data protection requirements, and leave no loopholes for your commercial insurer to deny a claim is to align with a recognized cybersecurity framework.
Foresite Cybersecurity makes it easy for businesses to ensure compliance with their chosen framework through Foresite Integrated Risk Management (FIRM). With more than 260 frameworks to choose from, including NIST, CMMC, PCI DSS, and many more, FIRM makes audit-ready compliance a breeze. Contact us today to get a demo of FIRM.