The (Updated) FTC Safeguards Rule

The FTC Safeguards Rule requires that businesses engaged in significant financial activities take the necessary steps to protect customer information. This rule applies to businesses that fall under the Gramm-Leach-Bliley Act (GLBA) and extends to third-party service providers that handle sensitive customer data as well. Effective June 9, 2023, the FTC will enforce the Safeguards Rule, and failure to comply may result in fines or other legal consequences.

Who does the FTC Safeguards Rule apply to?

Seems weird, but it’s important to note that the FTC’s definition of a financial institution includes non-financial institutions. Essentially, any organization that handles customer financial data and engages in transactions that use personal consumer information are impacted by the revised FTC Safeguards Rule. Some examples include:

• Accountants
• Tax Preparers
• Investment advisors (not required to register with the SEC)
• Financial advisors
• Finance companies
• Account servicers
• Automobile dealerships
• Wire transferors
• Collection agencies
• Credit counselors and other financial advisors
• Mortgage lenders
• Mortgage brokers
• Payday lenders
• Retailers that issue their own credit cards
• Non-federally insured credit unions
• Personal property or real estate appraisersTravel agencies in connection with financial service
• Estate Settlement Planners

Essentially, organizations who…

• provide financial products or services to consumers, such as loans, financial or investment advice, and insurance policies
• Collect personal information from consumers to provide a financial product or service, such as credit card issuers or mortgage brokers
• Act as a third-party service provider to a company that provides financial products or services and has access to the personal information of those consumers, such as a data processing company

It’s crucial to note that businesses that fall under the GLBA must comply with the Safeguards Rule, even if they only offer financial products or services to a small percentage of their customers.

What does the Safeguards Rule require companies to do?

The Safeguards Rule mandates that businesses create and maintain a comprehensive information security program that is tailored to their unique needs and the specific risks they face. 

The FTC directive states: “You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.”

What is an Information Security Program?

The FTC defines an Information Security Program as “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.”

1. Protect Customer Information
2. Protect Against Anticipated Threats
3. Protect Against Unauthorized Access

The steps for creating an Information Security Program

1. Designate a qualified individual or service provider to implement and supervise your company’s information security program

According to section 16 CFR 314.4(a) of the FTC Safeguards Rule, “The Qualified Individual may be employed by you, an affiliate, or a service provider. To the extent the requirement in this paragraph (a) is met using a service provider or an affiliate, you shall:

1. Retain responsibility for compliance with this part;
2. Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual; and
3. Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.

2. Conduct a written risk assessment

A written risk assessment includes:

• Criteria for the evaluation and categorization of security risks.
• Assessment of the security, confidentiality and integrity of systems and customer information. Must include the judgment of efficacy of controls.
• Output detailing how risk will be mitigated or accepted
  
  The FTC states the following: “Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct
  periodic reassessments in light of changes to your operations or the emergence of new threats.”
  
  The components of a Risk Assessment include the following:
  
  1.    Gap Assessment Analysis
  2.    Vulnerability Assessment (Every Six Months)
  3.    Penetration Scan (Annual)

3. Design and implement safeguards to control the risks identified through your risk assessment

1. Implement and review technical and physical access controls:
   - Authenticate and permit access only to authorized users.
   - Limit authorized user’s access to data to only those needed for their job (principle of least privilege).
2. Inventory systems, people, data and facilities.
3. Encrypt customer information in transit and at rest.
4. Develop software with a secure process.
5. Implement MFA for access to any information system.
6. Define data destruction and retention policy/process:
   – No later than two years after last used
   – Periodically review your policy/process
7. Adopt procedures for change management.
8. Implement policies to monitor/log authorized users and unauthorized users of customer information.

4. Regularly monitor and test the effectiveness of your safeguards through continuous monitoring of your system.

In addition to monitoring users, you must also monitor the access to data where it resides, such as file servers, databases, applications, backups, etc.ccording to section 16 CFR 314.4(d)(2) of the FTC Safeguards Rule: “For information systems,
the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.”

WHAT ARE MONITORING REQUIREMENTS?

• All activity of authorized and unauthorized users
• Tampering with customer information
• Effectiveness of controls, systems and procedures
• Changes in information systems
• New vulnerabilities in systems
• All activity of authorized and unauthorized users

MONITORING USER ACCESS

• GLBA Safeguards require you to monitor users' authentication continuously at the operating system, application, cloud and ”as-a-service” solutions.
• On individual systems, ensure local logging is happening.
• Use Windows Audit Policy if your computer logs into a network

MONITORING SENSITIVE DATA ACCESS

• Use Windows Group Policy to monitor central access policies (if networked).
• Monitor Central Access Policies for file servers access and us

MONITORING CLOUD DATA AND SYSTEMS

• Cloud providers and systems have their own means of monitoring user and data access. The
  same rules apply; you must monitor user and data access continuously.
• The same rules apply if the file server/application server is in the cloud.
• Use Cloud Access Security Broker (CASB) if you have multiple applications in the cloud.

Note: If you don’t implement Step 4, you must conduct annual penetration testing and vulnerability assessments, including systemwide scans every six months designed to test for publicly-known security vulnerabilities.

5. Provide your people with security awareness training and schedule regular refreshers.

1. Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment
2. Using qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program
3. Providing information security personnel with security updates and training sufficient to address relevant security risks
4. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures

6. Monitor your service providers. Select service providers with the skills and experience to maintain appropriate safeguards

Your organization will need to:

• Take reasonable steps to select and retain service providers.
• Require your service provider by contract to implement and maintain safeguards.
• Periodically assess your service provider based on risk present and adequacy of safeguards
  
  

7. Keep your information security program current

8. Create a written incident response plan

9. Require your Qualified Individual to report to your Board of Directors

If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. The report must:

• Report the overall status of the security program and company compliance
• Report material details regarding the program, including risk assessment, risk management, control decisions, etc.

What are the consequences of NON-COMPLIANCE?

1.    Extensive Fines

The FTC Safeguards Rule authorizes the FTC to impose fines on impacted entities that don’t comply. The Gramm-Leach-Bliley Act (GLBA) authorizes fines up to $100,000 against non-compliant entities per violation and up to $10,000 against officers and directors in their
personal capacities per violation

2.    Extensive Penalties

The FTC can enforce long-term consent decrees or injunctive relief, which may impact business operations or force a company to cease certain activities related to the violation

3.    Regulatory Scrutiny

Offending organizations can become subject to probing regulatory audits for years. The FTC may also require the financial institution to implement a compliance program to ensure compliance with the FTC Safeguards Rule in the future.

4.    Imprisonment Due to Criminal Negligence

For the worst-case scenarios of non-compliance, key business stakeholders can be imprisoned for criminal negligence. Individuals found in violation can be put in prison for up to five years.

ADDITIONAL RESOURCES

• https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
• https://consumer.sc.gov/sites/consumer/files/Documents/Identity%20Theft/ftc_safeguards_rule.pdf
• Safeguards Rule guide: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-standards-safeguarding-customer
• Start with Security: A Guide for Business: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
• Protecting Personal Information: A Guide for Business: https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business
• Data Breach Response: A Guide for Business: https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business

RECAP

The FTC's Safeguards Rule is an essential tool in protecting customer data and ensuring that businesses are taking appropriate steps to secure their networks and systems. Businesses that fall under the GLBA must take the necessary steps to create and implement a comprehensive information security program that meets the requirements of the rule. By following the best practices outlined by the FTC and regularly monitoring and testing their programs, businesses can protect their customers' sensitive information and avoid the legal and reputational consequences of a data breach.

What do you think? Has this info been helpful? Please let us know if we can help or answer any questions you may have. Please let us know in the Comments box below or shoot me an email if you’d like to discuss this in more detail.