The FTC Safeguards Rule: What You and Your Clients Need To Know

The FTC’s Safeguards Rule is a set of standards established to ensure that entities maintain safeguards to protect customer information. It was first implemented in 2003 and was recently amended in 2021 to keep up with current technology. The revised Rule provides more specific guidance for businesses while still maintaining flexibility. It is based on core data security principles that all covered companies must follow.

This publication acts as a guide for small entities to comply with the Small Business Regulatory Enforcement Fairness Act. The text of the Safeguards Rule is the most reliable source of information.

After studying your responsibilities detailed in the Safeguards Rule, here are some key compliance questions to think about:

Who does the Safeguard Rule cover?

The Safeguards Rule applies to financial institutions falling under the FTC’s jurisdiction and not under the enforcement authority of another regulator as per section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. As per Section 314.1(b), an entity is considered a “financial institution” if it’s engaged in financial activities or incidental to such activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

To determine if your business falls under the Safeguards Rule for financial institutions, it’s important to note that the Rule’s definition of “financial institution” is broader than common usage. Additionally, the specific activities your business engages in are what determine its classification, not subjective categorization by yourself or others.

The 2021 amendments to the Safeguards Rule include a new example – findes, which refer to companies that facilitate transactions between buyers and sellers. Section 314.2(h) of the Rule provide 13 examples of the kinds of entities that are financial institutions under the Rule, such as:

  • mortgage lenders
  • payday lenders
  • finance companies
  • mortgage brokers
  • account servicers
  • check cashers
  • wire transferors
  • collection agencies
  • credit counselors
  • financial advisors
  • tax preparation firms
  • non-federally insured credit unions
  • investment advisors that aren’t required to register with the SEC

Section 314.2(h) of the Rule lists four examples of businesses that aren’t a “financial institution.” In addition, the FTC has exempted from certain provisions of the Rule financial institutions that “maintain customer information concerning fewer than 5000 consumers.”

This is an important factor to consider for your business. It’s likely that significant changes have occurred in your company’s operations over the last 20 years, regardless of whether it was previously subject to the Rule. It is advisable to periodically refer to the definition of financial institution as your business operations change, to determine if it is currently covered.

What are the requirements of the Safeguards Rule for companies?

The Safeguards Rule mandates that financial institutions under its purview establish and uphold an information security system that contains administrative, technical, and physical safeguards aimed at safeguarding client information. According to the Rule, customer information includes any record containing nonpublic personal information about a financial institution’s customer, whether in paper or electronic form. This information is handled or maintained by the financial institution or its affiliates. The Rule applies to information about the institution’s own customers, as well as information about customers of other financial institutions that has been provided to them. The definition of “nonpublic personal information” in Section 314.2(l) further clarifies what is included in this definition.

Creating a written information security program is essential and should be customized to suit the unique features of your business, operations, and the sensitivity level of the information at hand. The program of your company has certain objectives.

  • To maintain the safety and privacy of customer data.
  • To ensure the security and integrity of information, measures may be taken to protect against potential threats or hazards.
  • It is necessary to prevent unauthorized access to customer information in order to avoid potential harm or inconvenience.

What are the characteristics of an effective information security program?

Section 314.4 of the Safeguards Rule outlines the necessary components for a company’s information security program, including nine specific elements. We will analyze each element systematically.

Your company needs a Qualified Individual to implement and supervise its information security program.
This person can be an employee, affiliate, or service provider. They don’t need a specific degree or title, just real-world knowledge suited to your circumstances. The Qualified Individual chosen by a small business may have a different background from someone in charge of a large corporation’s complex system. If your company hires a service provider, it’s still your responsibility to designate a senior employee to supervise them. If the Qualified Individual works for an affiliate or service provider, that entity must also maintain an information security program to protect your business.

Perform a risk assessment.
Before creating an information security program, conduct a risk assessment to identify potential risks and threats to customer information. This assessment should be in writing and include criteria for evaluating the risks and threats. Consider possibilities such as unauthorized disclosure, misuse, alteration, or destruction of customer information. Risks to information change over time, so the Safeguards Rule requires periodic reassessments to account for changes in operations or new threats.

Design and implement safeguards to control the identified risks through your assessment.
The implementation of safeguards is necessary to mitigate risks identified through the risk assessment. The Safeguards Rule mandates companies to design an information security program that includes these safeguards.

  1. Apply and continually evaluate access controls. Regularly review access to customer information to ensure it is only granted to those with a legitimate business need.
  2. Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
  3. Make sure encryption is used to secure data.  To ensure the security of customer information, encrypt it while it’s on your system and during transit. If encryption is not possible, use alternative controls approved by the Qualified Individual overseeing your information security program.
  4. Regularly monitor the apps used on the in-house and client’s network.  It is recommended to assess the security of any apps used for storing, accessing, or transmitting customer information, whether they are developed in-house or by third-party providers. Appropriate procedures should be implemented for this evaluation process.
  5. Utilize multi-factor authentication for anyone accessing customer information on your system. The Rule requires the use of multi-factor authentication to access customer information on the system. This involves the use of at least two authentication factors, which may include a password or token, as well as biometric characteristics. The only deviation from this requirement is if a Qualified Individual approves the use of a different secure access control method in writing.
  6. Disposal of client data securely is required. It is recommended to dispose of customer information in a secure manner within two years of its last use, unless there is a legitimate business or legal reason to retain it. In cases where targeted disposal is not possible due to the maintenance of the information, exceptions may apply.
  7. Expect to evaluate necessary changes to your network periodically. You should be prepared for changes to your information system or network. These changes can weaken current security measures. A new server, for instance, may create new security risks. Your safeguards must adapt to changes in your systems and networks as new business processes are implemented. To comply with the Safeguards Rule, financial institutions must include change management in their information security program.
  8. Track authorized users’ activity and watch for unauthorized access. It is recommended to record the activity of authorized users and to be vigilant for any unauthorized access. It is also advisable to establish protocols and measures for monitoring the access of authorized users to customer information and to detect unauthorized access.

Monitor and check the fulfillment of your safeguards.
  Test your procedures to detect actual and attempted attacks. For information systems, monitor your system continuously. If not, conduct annual penetration testing and vulnerability assessments, including system-wide scans every six months to detect known security vulnerabilities. Also, test whenever there are material changes to your operations or business arrangements and when circumstances may impact your information security program.

Continue training and educating your staff. To ensure the effectiveness of a financial institution’s information security program, all staff members need to be vigilant. Properly trained employees can enhance the program’s impact by identifying risks. Regular security awareness training and updates should be provided to all personnel. Employees, affiliates, or service providers with hands-on responsibilities must undergo specialized training. They should also stay updated on the latest emerging threats and countermeasures. Verification of their knowledge is essential.

Measure your service provider’s skill sets.  When choosing service providers, it is important to confirm their skills and experience in maintaining appropriate safeguards. Agreements should explicitly outline security expectations, incorporate methods for supervising service providers’ work, and allow for regular evaluations of their suitability for the role.

Keep your information security program current. It is important to maintain an up-to-date information security program as the field is constantly evolving. This includes adapting to changes in operations, incorporating findings from risk assessments, addressing emerging threats, adjusting for staff turnover, and responding to other circumstances that may affect the program. The most effective programs are able to flexibly accommodate necessary updates.

Have an incident response plan in writing. It is imperative for businesses to have a response and recovery plan in place in case of a security event resulting in unauthorized access or misuse of information. As per Section 314.4(h) of the Safeguards Rule, the response plan must cover all necessary measures.

  • The objectives of your plan.
  • The internal procedures that your company will initiate in response to a security incident.
  • Establishing clear roles, responsibilities, and levels of decision-making authority is crucial.
  • The exchange of information and communication can occur both within and outside of your organization.
  • The process aims to address any weaknesses found in your systems and controls.
  • The company requires proper documentation and reporting of security events, along with a clear plan for response.
  • Conducting a post-mortem analysis and revising the incident response plan and information security program based on the findings is recommended.

It is necessary for the Qualified Individual to provide regular written reports to the Board of Directors or governing body, at least once a year. If there is no Board or equivalent in your company, the report should be sent to a senior officer who is responsible for the information security program. What is the topic that the report needs to cover? The initial step involves evaluating your company’s adherence to its information security program as a whole. The topics that must be covered in the program include risk assessment, risk management and control decisions, service provider arrangements, test results, security events, management responses, and recommendations for changes in the information security program.

Intech Hawaii Can Help You Safeguard Your Network

For over 30 years, we’ve handle the constantly changing world of information technology, including cybersecurity and compliance.  Let us apply our expertise to help you with the challenge of adapting to the constantly evolving and encompassing IT landscape. Contact us to us to learn more about our impactful services including Managed IT, Compliance, Cybersecurity and CMMC Compliance.