FTC Finalizes Safeguard Rules
In October of 2021, the Federal Trade Commission (FTC) amended their Safeguard Rule after first announcing intentions to do so in 2019. While this provided relevant companies with some warning, many are overwhelmed with the new set of regulations outlined.
Despite this, it is crucial to remember that these measures are intended to protect the confidential and sensitive information of loyal consumers.
With reports indicating that as many as 78% of companies lack confidence in their existing cybersecurity measures, these amendments are intended to provide a much-needed push to expand budgets and strengthen existing systems.
What Is the FTC Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule was first established by the FTC in 2003. The act was developed to build a strong foundation and set forth regulations on information security for certain financial institutions. Essentially, it sets basic guidelines for how these institutions should protect the private data and information of their clients.
While the Safeguard Rule was intended to ensure that confidentiality and discretion were used when handling consumer information, the initial regulations were fairly lax. They afforded financial institutions a lot of flexibility and options for handling this data while remaining compliant with the FTC.
The original set of regulations were not only quite flexible, they also did not apply to all organizations across the financial sector. Meanwhile, the amount of consumer personal data that became accessible online expanded enormously.
This was largely due to shifts from traditional paper files to digital ones. This made financial organizations more vulnerable to the rising rates of cyberattacks, data breaches, and ransomware.
Because financial institutions have access to sensitive information like Social Security numbers, driver’s licenses, addresses, and bank accounts, they are a prime target for cybercriminals.
This prompted an amendment to the original GLBA Safeguards Rule. In 2019, the FTC released a Notice of Proposed Rulemaking that outlined some of the anticipated changes.
The Safeguards Rule was officially amended and released to the public on October 27, 2021. Affected businesses have until December 2022 to ensure that their practices comply with the new rules outlined in this update.
Which Changes Were Made?
While several changes were implemented, the most notable is that the rules now apply to businesses in non-financial sectors that collect financial information from consumers.
In a computerized world, companies like mortgage lenders, payday loan providers, real estate companies, non-bank lenders, CPAs, appraisers, credit reporting agencies, car dealerships, debt collectors, and even couriers transport sensitive financial information.
The modern financial services marketplace also includes “finders.” Finders are classified as any company that collects sensitive information from consumers to connect them to a lender or a network of similar institutions.
In many cases, these finders have much of the same information as the final source. The updated regulations mean that many companies that were previously not subject to the Safeguards Rule must now become compliant.
These amendments do not apply to banks and credit unions as they are subject to their own regulations as set forth by the Financial Modernization Act, along with other bank-specific laws.
After the global cost of cybercrime rose to a staggering $1 trillion in 2020, it is more important than ever for all businesses to increase their focus on cybersecurity.
By following the lead of the FTC Safeguards Rule, all businesses—even those who are not subjected to compliance—can better protect their companies, as well as their customers, from catastrophic cyberattacks and hacking attempts.
Likewise, companies should keep in mind that the protection of sensitive information is hugely important to consumers. Although companies may incur some costs when making these changes initially, they are often rewarded by increased consumer loyalty, and they also benefit by protecting themselves from the potential damage of a cyberattack.
Specific amendments and requirements laid out in the Safeguards Rule, include:
When it comes to access controls, businesses must take preventative measures and address all potential concerns uncovered through their risk assessment strategies.
This means that organizations should regularly assess and limit which employees have access to consumer information files and put restrictions in place for users who can modify this data. The same access-control strategies should be developed for all tools used to access customer data, including equipment, devices, and systems.
Monitoring Users and Systems
In addition to limiting the users who have access to consumer data, businesses must also implement a new system capable of monitoring and logging the activity of users and their systems.
Although most organizations have similar technologies in place, this continuous monitoring helps to provide visibility and traceability. It can also aid in identifying failed login attempts and attempts to gain access to unauthorized areas of the system.
Multi-factor authentication is highly effective in thwarting attempts to gain unauthorized access to systems or customer information. This process is an electronic method that requires users to provide two forms of authentication before logging in.
In addition to a password, this may be a code that is emailed to the user’s email or provides an answer to a secret question. Reports show that enabling multi-factor authentication can block as many as 99% of hacking attempts.
Encryption of Data While In-Transit and at Rest
Encrypting data is crucial when handling sensitive information. This is because unencrypted data can easily be accessed and presents a large risk in the instance of cyberattacks or data breaches.
The new FTC Safeguards Rule requires that businesses encrypt their customers’ personal information both while the data is at rest in the system and while it is in transit to an off-premises destination.
Customer Information Disposal Requirements
All too often, businesses store customer information long after it is relevant. While this may be useful for future marketing purposes, after some time, it becomes irrelevant to the daily operation of the business. The new FTC Safeguards Rule now requires that businesses dispose of customer information within their system after it is no longer in use.
The regulations state that customer information must now be removed from databases two years after it is last used for a legitimate business purpose. This drastically decreases the amount of information that is accessible in the event of a security breach.
Incident Response Reports
When a data breach or other adverse incident occurs, a person who is knowledgeable and qualified to handle the situation must now create a written incident response plan report. This report must identify the responsibilities and roles of those involved, as well as any internal or external communications related to the incident that occurred.
Improved Security Training Requirements
Within an organization, the FTC now requires that security providers and personnel receive ongoing training. While the qualifications and specifics of training programs are vague under the Safeguards Rule, these staff members will need to actively seek continuously updated knowledge of the potential risks their organization may face as it grows and as risks evolve.
Continual Assessments of Service Providers
To ensure compliance with the FTC Safeguards Rule, organizations subject to the regulations must conduct continual assessments of their service providers. While this is typically included in risk assessment strategies, these rules also dictate that businesses must address any risks that these service providers prevent and attempt to mitigate them.
These assessments should be conducted on an ongoing basis for long-term providers and should also be considered each time a new service provider is added to business operations.
While these are specific key changes that are warranted by the amendments, many others apply. Matters like testing, change management, secure development practices, and data inventory and classification are also covered within the FTC Safeguards Rule.
To make the needed changes and remain compliant, businesses should explore the full list of requirements and specifics within the document published by the FTC.
How Long Do Businesses Have to Make Changes?
The vast majority of the amendments made to the Safeguards Rule must be implemented within 30 days. Other regulations that may take more time to put in place effectively must be fully operational within one year of the published amendments.
This means that all of these requirements must be met by December 2022 to ensure full compliance with the FTC.
For businesses that are struggling to meet this initial deadline or to continue to keep these practices in place, it can be helpful to consult a professional who is experienced and knowledgeable when it comes to IT compliance and the FTC Safeguard Rules specifically.
How to Remain Compliant with New FTC Safeguards Rule
To remain compliant with the amendments made by the FTC, companies should begin by first identifying if they are subject to these rules. If they are, it may seem like they are inundated with the need for new technologies and safety measures.
While these measures are intended to keep consumer information safe, implementing them can be an unexpectedly costly venture. To make the necessary changes, begin by performing a full assessment of the current practices that are in place. Businesses should also consider partnering with a managed service provider that specializes in IT support, cybersecurity, and compliance.
Some of the changes that are required by the amended Safeguards Rule may be simpler to implement than expected.
After current practices are identified and assessed thoroughly, some changes can be made immediately. For example, it is relatively simple to enable multifactor authentication on a business system or to perform an evaluation of access controls.
From there, determine which of the requirements will be most time-consuming and consider consulting a professional for help. This can streamline the process and ensure that everything is done correctly to meet the standards set forth by the FTC.
In most cases, however, many of the institutions that are subject to these rules already have strict practices in place to protect the information of their customers. Only minor tweaks will likely be necessary to remain compliant with a focus on increased reporting, transparency, traceability, and training.
What Happens If a Business Is Not Compliant?
Businesses that fail to comply with the regulations dictated by the FTC are subject to several civil penalties. The most commonly encountered penalty is monetary fines. These fines can be costly and can affect a businesses’ bottom line.
Additionally, organizations face legal action if they fail to protect consumer information properly. In these cases, they can be faced with litigation and may be responsible for covering the costs incurred by consumers in the event of a security breach.
The FTC can also require regular, ongoing audits of information security systems that the company has in place. This is inconvenient for the company and can have long-lasting impacts.
In addition to non-compliance penalties with the FTC, businesses risk losing credibility among their customers. Consumers place a lot of faith in policies established by the FTC to keep their information safe and confidential. By not following these regulations, consumers may feel as if the company is not concerned about their safety.
This may convince them to take their business to competitors that do prioritize the protection of their sensitive information according to FTC standards.
Will There Be Additional Amendments in the Future?
As of now, there are no current announcements regarding further changes to the FTC Safeguards Rule. Despite this, it isn’t uncommon for existing rules to require alterations to keep up with the latest technologies and threats.
Much like the technology sector itself, cybersecurity is ever-evolving and requires a diligent approach to ensure safety. To ensure that businesses remain compliant now and in the future, it is necessary to view cybersecurity as an ongoing journey rather than a destination.
There will always be new threats and new methods that cybercriminals use to target both businesses and consumers. The key to minimizing the damages assessed in these situations is to be prepared.
IT professionals and those responsible for the security of a business should continually undergo training and read relevant resources to stay up-to-date on what is happening in the industry. By doing so, small changes can be implemented over time which reduces the need for a complete overhaul in the future.