Blog

Better safeguard than sorry – FTC Safeguards Rule

In today’s digital age, protecting your customers’ information is of critical importance for businesses. That’s why we feel the need to talk about something that affects every company that handles customer information: data security.

Enter the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, otherwise known as the FTC Safeguards Rule. The purpose of the Safeguards Rule is to ensure that covered entities maintain strong safeguards to protect the security of customer information. 

Recently, there were certain provisions of the Safeguards Rule that were updated. Although the original compliance deadline was earlier in the year, the FTC extended this deadline to June 9, 2023. That’s coming up fast, but if you’ve already been working on implementation at your business, you’re doing well!

If you’re running a bit behind, don’t panic yet! We would advise you to get familiar with the Rule and updates (read through this article for a quick read) and work with a team that knows about compliance and cybersecurity.

Talk to our Swift Chip experts today if you’re in need of help!

Now let’s dive deeper into what your business needs to know about the FTC Safeguards Rule and how it can help you enhance your data security practices.

Who’s covered by the safeguards rule?

The Safeguards Rule applies to financial institutions under the jurisdiction of the FTC. However, it excludes businesses regulated by other authorities under the Gramm-Leach-Bliley Act. 

How do you determine if your business is a financial institution covered by the Safeguards Rule? Well, the most critical part is to understand the definition provided in the rule. The term “financial institution” encompasses activities that are “financial in nature” or incidental to such activities.

The rule provides a comprehensive list of examples to help you assess if your business falls under the scope of the Safeguards Rule. Some examples include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisors.

The 2021 amendments also added a new example: finders, which are companies that facilitate transactions between buyers and sellers.

It’s worth noting that even if your business wasn’t covered by the original Safeguards Rule, you should periodically review the definition of “financial institution” as your operations evolve. Changes in your business activities could mean that your company now falls under the purview of the rule.

What does the safeguards rule require?

The Safeguards Rule mandates that covered financial institutions develop, implement, and maintain an information security program with administrative, technical, and physical safeguards. 

To make sure your company is complying, your program should be designed to protect customer information and align with the size, complexity, and nature of your business operations.

Customer information, as defined by the rule, refers to any record containing nonpublic personal information about your customer, whether in paper, electronic, or other forms. It covers information about your own customers as well as information about customers of other financial institutions shared with you.

A reasonable information security program, as outlined in the Safeguards Rule, should include the following elements:

Designate a qualified individual

Your company needs to appoint a qualified individual to implement and supervise the company’s information security program. 

This person can be an employee of your company or work for an affiliate or service provider. Their expertise and knowledge should align with your specific circumstances.

Conduct a risk assessment

Next, your information security program should include a thorough risk assessment to identify foreseeable risks and threats to the security, confidentiality, and integrity of customer information. 

The assessment should be written and include criteria for evaluating risks. Regular reassessments are essential to account for changes in operations and emerging threats.

Design and implement safeguards

Develop your company’s safeguards based on the risks identified through the risk assessment. These may include access controls, data inventory management, encryption of customer information, app security evaluation, multi-factor authentication, secure disposal of customer information, change management processes, and monitoring of authorized users’ activity.

Regularly monitor and test safeguards

To ensure your company is compliant with the FTC Safeguards Rule, your team must continuously monitor and test the effectiveness of your safeguards. 

This can be achieved through continuous system monitoring, annual penetration testing, vulnerability assessments, and system-wide scans. 

Remember, material changes to operations or business arrangements should trigger additional testing!

Train your staff

Another part of your company’s program should be to provide comprehensive security awareness training to all employees to ensure they’re equipped to identify and mitigate risks.

Specialized training should be given to employees, affiliates, or service providers directly responsible for carrying out the information security program. It’s crucial to stay updated on emerging threats and countermeasures—and digital threats are always evolving!

Monitor service providers

When you select service providers, ensure they have the necessary skills and experience to maintain appropriate safeguards. Clearly define your security expectations in contracts, establish monitoring mechanisms, and conduct periodic reassessments of their suitability for the job.

Keep your information security program current

It’s important to recognize that information security is an ever-evolving landscape. That means you should regularly update your program to accommodate changes in operations, emerging threats, personnel, and other circumstances that may impact your information security. 

Flexibility and adaptability are key!

Create a written incident response plan

It’s also important you develop a comprehensive incident response plan that outlines clear steps and processes to be activated in case of a security event. 

This plan should cover goals, internal processes, roles and responsibilities, communication protocols, system fixes, documentation and reporting procedures, and a post-event analysis with updates to the incident response plan and information security program.

Require reporting to the Board of Directors

Your designated Qualified Individual should provide regular written reports to your Board of Directors or governing body, or a senior officer responsible for the information security program.

These reports should assess the company’s compliance with the program and cover specific topics such as risk assessment, risk management decisions, service provider arrangements, test results, security events, and recommendations for program improvements.

By adhering to these elements, your business can establish a robust information security program that aligns with the FTC Safeguards Rule. 

Remember, the rule is designed to protect the security and confidentiality of customer information, anticipate and address potential threats, and ensure your customers’ trust in your business… win-win, right?!

For more detailed information and general guidance on data security, the FTC provides additional resources and information about the Safeguards Rule. 

The smartest thing you and your company can do? Stay informed about best practices and evolving cybersecurity trends to continuously enhance your information security program and protect your customers’ sensitive data.

Revisions for compliance deadline on June 9th

Now that you know more about the FTC Safeguards Rule, we also wanted to highlight what parts of your business’ cybersecurity program needs to be revised before the upcoming deadline on June 9th.

Here’s a list of the provisions that you and your company must comply with to avoid fines:

• Appoint an experienced individual to supervise their information security program.
• Create a documented evaluation of potential risks, including routine risk assessments.
• Control and track access to sensitive customer data.
• Maintaining up-to-date lists of customer data and their location
• Apply encryption to safeguard all confidential information.
• Educate security staff through training sessions.
• Establish a plan to address and manage security incidents.
• Regularly evaluate the security protocols of service providers.
• Utilize multi-factor authentication or an equally secure alternative for individuals accessing customer data.
• Deleting customer data within two years of its use
• And more…

Consult with Swift Chip to make sure your company’s programs are compliant now.

Consider: Cybersecurity Employee Training

Our Swift Chip team believes that it’s important to do more than just hire a trusted cybersecurity company. We also advocate that cybersecurity employee training is super important for keeping organizations safe from cyber threats.

What should your employees know about cybersecurity? Based on our experience working with various companies, here are just a few of the areas most employees could use extra training in:

• How to spot and deal with potential risks
• Recognizing and avoiding phishing scams
• Using strong and unique passwords
• Safeguarding sensitive data
• Being aware of social engineering techniques
• Following established security protocols
• Identifying and reporting suspicious activities
• Regularly updating and patching software
• Understanding the importance of cybersecurity in their roles
• Practicing good email and internet browsing habits

By giving employees the right skills and knowledge, your company will be able to reduce the chances of data breaches, malware attacks, and other cyber troubles. 

Plus, regular cybersecurity training helps create a culture where everyone knows how to stay safe and can actively contribute to keeping the company’s digital stuff well-protected! More hands make light work, they say (and it applies here)!

Get aligned with the Federal Trade Commission!

Now you know the basics about ensuring you’re complying with the FTC and the Safeguards Rule that plays a vital role in ensuring that financial institutions implement strong information security programs. 

By understanding if your business falls under the scope of the rule, and diligently following the requirements outlined, you can protect customer information, mitigate risks, and establish a strong foundation for data security within your organization.

Embrace the evolving nature of information security, and remember that safeguarding customer information is not just a legal obligation but also a crucial aspect of building and maintaining customer trust in today’s digital world.

The more you do this, the better the longevity of your business looks—because customers will likely trust you more!

If all of this information is overwhelming, we don’t blame you. Why don’t you let Swift Chip help you with your information security program so that you can do the work your company is known for. We have a team of experts ready to help you and your company; get in touch with us now.