The Business Owner’s Guide to the FTC Safeguards Rule and Standards

Risk Ahead blue road sign

What is the FTC Safeguards Rule?

The Federal Trade Commission’s Standards for Safeguarding Customer Information, also known simply as the Safeguards Rule, was implemented to protect consumers’ private information. First instituted in 2003, the Safeguards Rule remained untouched until its standards were updated in 2021 to account for advances in technology. The deadline for businesses to meet these updated requirements is approaching. The FTC has extended the Safeguards Rule deadline to June 9, 2023.

Who Does the Safeguards Rule Apply to?

If your business is a non-banking financial institution, it’s time to move quickly to ensure that your customer privacy and cybersecurity programs are up to standard before the Safeguards Rule deadline comes around. Non-banking financial institutions are companies and organizations that facilitate financial transactions and services related to banking, but which are not licensed to perform banking directly.

Non-banking institutions can be found in a number of different industries. Affected parties include mortgage brokers, payday lenders, insurance firms, collections agencies, venture capitalists, pawn shops, currency exchanges, and motor vehicle dealers, among others. Many industries which weren’t affected by the 2003 FTC Standards for Safeguarding Customer Information are now subject to the requirements of the updated Safeguards Rule.

What Does the Safeguards Rule Require?

The Safeguards Rule requires non-banking financial institutions to develop and maintain an information security program that protects customer information on the administrative, technical, and physical levels. Your organization’s security program must ensure the confidentiality of private customer information, maintain your system’s integrity to protect against threats, and guard against unauthorized access to secure information. If that sounds like a broad set of requirements, don’t worry. The FTC provides nine specific criteria that a security program must meet in order to comply with appropriate standards.

Designation of a Qualified Individual

The first thing the FTC Safeguards Rule requires is for organizations to designate a Qualified Individual to be responsible for the implementation, maintenance, and supervision of the information security program. This individual can be an employee of your organization, an affiliate, or a service provider. They simply have to possess experience and qualifications which position them to be effective at managing information security.

Periodic Written Reports

It is the responsibility of your Qualified Individual to report to your Board of Directors or relevant governing body in writing on a regular basis. These reports must be submitted once per year at minimum and should address the state of your security program, your organization’s level of adherence, and topics such as risk assessment, service provider arrangements, security events, and so on. Additionally, these reports should include recommendations for updates and improvements to the security program.

Risk Assessment

The FTC Safeguards Rule also requires non-banking financial institutions to evaluate what information they have, where it’s stored, and how that storage is maintained. Upon completion of this evaluation, they must conduct a risk assessment to identify vulnerabilities and threats. The FTC mandates that all risk assessments be written and that they must be redone in the event of any operational changes or new threat developments.

Assess Your Risk Level

The Design, Implementation, and Maintenance of an Information Security Program

Once a Qualified Individual has been designated to manage your security program and a risk assessment has been completed, your organization must design safeguards to address all identified risks and implement an information security program. This program must include access controls, data encryption, multi-factor authentication, secure file disposal, activity logging, and other relevant measures.

Staff Training

After designing and implementing your new information security program, all staff must be trained on the program and its requirements. Employees must understand how to comply with procedures and how to stay vigilant to potential threats. Regular security awareness trainings are an integral facet of a strong information security strategy.

Monitoring and Testing

Once in place, your safeguards must be consistently monitored and regularly tested for efficacy. This means testing systems and procedures to see how they would withstand attempted attacks. Biannual penetration testing and vulnerability assessments will be critical elements of this aspect of your security program.

Service Provider Review

When you partner with a service provider, you are granting them a degree of access to your customers’ confidential data. To ensure that your service providers don’t put your customers or company at risk, it’s important that your organization only works with service providers that have the ability to maintain appropriate safeguards. Be sure to include detailed security standards and expectations in all service providers’ contracts to hold them legally accountable for adherence to your standards.

Regular Program Updates

The Safeguards Rule requires non-banking financial institutions to keep their information security program current and up-to-date. Anytime there are changes to your operations, the threat landscape, or personnel, you must review your information security program to determine whether it is still sufficient to protect consumer privacy. If your risk assessments reveal any new vulnerabilities or your organization sustains relevant changes,  you must update your program accordingly.

Incident Response Planning

The final major component of the Safeguards Rule is that all covered organizations must have a written incident response and disaster recovery plan. In the case of a security event, your plan will instruct personnel on response goals, processes, roles, duties, communications protocol, repair strategy, documentation procedure, and post-mortem process. This plan will allow you to respond swiftly and effectively to security threats and mitigate damages as a matter of course.

What are the Non-compliance Penalties for the Safeguards Rule?

Clearly, the Federal Trade Commission has laid out extensive information security requirements for non-banking financial institutions to follow. Non-compliance with these standards carries harsh consequences. Organizations that don’t comply can face up to $11,000 per day in fines. Damages for consent violations can exceed $43,000 per violation each day. Your business could also sustain penalties that impede operations, such as long-term consent decrees or extensive injunctive relief. There is also a risk of facing litigation and sustaining major reputational damage. The stakes are high in order to incentivize organizations to comply.

FTC Safeguards Rules & Standards Compliance

Ensure FTC Safeguards Compliance

However, some organizations don’t have the internal bandwidth to develop such a robust information security program or the time to hire a security officer before the fast-approaching deadline. This is why the Safeguards Rule has provisions that allow companies to rely on service providers to design, implement, and maintain their information security programs.

If your organization is looking for a service provider to manage your security program, there are a few things you should look for when choosing your partner. For one thing, it’s important to work with an agency that has relevant experience. You’ll want a service provider that offers as many security services as possible, including risk assessment, systems monitoring, disaster response and recovery planning, and so on. It’s important that your service provider has appropriate cybersecurity certifications, a response time promise, and an openness to questions as well.

With the June deadline fast approaching, it’s time to start planning! The first step toward updating your information security program to maintain FTC compliance is to schedule a consultation with a cybersecurity service provider.

To book a free consultation with CyberTeam, you can click this link. CyberTeam is a cybersecurity, IT, and compliance service provider with over 25 years of industry experience. Our team of information privacy and security experts is accountable, transparent, and always prepared to prioritize client needs. We’re available to help your organization develop a customer information security program that’s compliant with FTC Standards for Safeguarding Customer Information. Contact us today to get started.

Ready to learn all the details of the powers of an IT consultant?