The Information Security Deadline for FTC Compliance is June 23, 2023

The clock’s ticking for your business to stay compliant with the FTC’s Standards for Safeguarding Customer Information – make sure you keep up! Don’t miss the June 9, 2023 deadline! All brokers, lenders, and agents must update their security measures as per the 2003 Rule amendment to protect their customers’ data. Miss out, and your business could be hit with up to $46,517 in consent order violations – ouch!

Acting ahead of the incoming deadline is essential for your business’ financial health. It is important to work with a reputable IT business to protect your business. Providing secure data access to clients will increase their confidence in you. A good IT company will have experience in the changing security standards and potential risks of today.

Here are the nine security requirements to be developed, implemented and maintained as outlined in the Safeguards Rule going into effect this June 9, 2023:

1. Designate a qualified individual like an existing employee, an affiliate or your IT service provider responsible for overseeing and implementing your business’s information security program and enforcing your information. Unless your company has a top-notch IT security specialist in-house, it is risky to take on this task alone.

2. The information security program is derived from a documented risk assessment. This evaluation must include the conditions for assessing and measuring potential threats to client information.

3. Risk assessments should be conducted to identify risks, and security measures should be put into place to control them.  This includes:  

• Access controls should be implemented and reviewed on a regular basis.
• Access should only be granted to authenticated and authorized users in order to prevent unauthorized acquisition of customer data.
• Authorized users should only have limited and appropriate levels of customer information to fulfill their duties or for customers to view their own data.
• Maintain an up-to-date inventory of your data, personnel, devices, systems and facilities.
• All customer information should be encrypted when stored or transmitted.
• Ensure that in-house applications used for customer information transmission, access, or storage follow secure development practices.
• Implement procedures to evaluate, assess, or test the security of externally developed applications used to transfer, access, or save customer information.
• Multi-factor authentication (MFA) should be used for any individual accessing any information system.
• Establish, execute, and sustain protocols for the lawful disposal of customer information.
• Regularly review your data retention policy to ensure only necessary data is kept.
• Implement change management processes.
• Implement policies and procedures to monitor authorized user activity and identify any unauthorized access.

4. It is necessary to conduct vulnerability assessments at least every six months and anytime there is a significant change in operations or when there is reason to suspect an impact on the information security program. Regular testing should be conducted to determine the effectiveness of business safeguards, essential controls, systems, and procedures against actual or potential attacks.

5. It is essential to implement policies and procedures that provide training to personnel on how to ensure the secure handling of data. Failing to do so may result in a data security incident which could have immense financial repercussions as well as damage your company’s reputation.

6. Monitor all service providers by selecting and engaging those with the capacity to provide adequate security for customer information.

7. Periodically assess and modify your information security program in order to ensure it remains current with new potential risks.

8. Develop a written incident response plan to respond quickly and recover from any security event that significantly affects the confidentiality, integrity, or availability of customer information under your control.

Incident response plans should include:   

• Incident response plan goals.
• The procedures for responding to a security event.
• The definition of clear roles, responsibilities, and levels of decision-making authority.
• How sharing information is conducted both internally and externally.
• Requirements must be identified to remediate any weaknesses in information systems and their associated controls.
• Documentation and reporting on security events and associated incident response activities. Following a security event, the incident response plan should be reviewed and amended where necessary.

9. The Qualified Individual must submit regular written reports to the board of directors or equivalent governing body, at least once a year. In the absence of a board of directors or equivalent governing body, written reports must be timely submitted to a senior information security officer responsible for your IT systems. 

The report must include the following information:

• The information security program’s current state and compliance level must be assessed.
• Materials associated with the information security program, including risk assessment, risk management, control decisions, service provider arrangements, testing results, security incidents or violations and management’s responses with recommendations for improvement to the information security program.