The Federal Trade Commission enforces the Safeguards Rule, a set of requirements for financial institutions that are not covered by another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA). These rules promote security, privacy and transparency, and are designed to help protect consumers from identity theft and other financial losses.
Who is covered?
The FTC has published a non-exhaustive list, which follows:
The FTC Safeguards Rule covers businesses like mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023
This list is broader than the original rule's, bringing in entirely new finance-adjacent industries such as car dealers. If you are not sure whether your business is covered, now is the time to find out.
When is the compliance deadline?
The FTC originally amended the Safeguards Rule in October of 2021. While many of the provisions went into effect within 30 days, the rest of the rule was set to go into effect on December 9th, 2022. However, on November 15th, 2022, the FTC, at the urging of the Small Business Administration’s Office of Advocacy, extended the deadline for some provisions to June 9th, 2023.
These pending requirements are far more time-intensive to stand up and operationalize, and we are rapidly approaching the point where many companies will not meet their compliance deadlines. Pay special attention to the training and potential hiring requirements; depending on your specific situation, you may need to hire a consultancy in order to meet the deadlines.
What is required?
The extended timeline applies to the following elements of the Safeguards Rule:
- Designating a qualified individual to oversee the information security program,
- Creating written risk assessments,
- Limiting and monitoring who can access sensitive customer information,
- Encrypting all sensitive information,
- Training of security personnel,
- Developing an incident response plan,
- Reviewing and assessing the security practices of service providers, and
- Implementing multi-factor authentication (or equivalent tech) for anyone accessing customer information.
Some of these steps can consume inordinate amounts of time, and the Safeguards Rule may specify technical minimums for what counts as compliant. A helpful explainer, “What You Need to Know”, can be found on the FTC website. Note that the work doesn’t end once you meet all the technology and workflow requirements.
Operational adjustments are required as well, ranging from documentation to audits to annual reports to the Board of Directors. When testing your safeguards, you’ll be required to conduct penetration testing annually and vulnerability assessments every six months, and to repeat this testing whenever there are material changes to the business.
The Rule updates are not a complete-and-forget exercise. They require a shift in mindset and workflow to bake information security into your operations, and they will affect the business at every level, from engineering all the way to the boardroom.