FTC Safeguards Rule: What Your Business Needs to Know

As the name suggests, the purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

This publication serves as the small entity compliance guide under the Small Business Regulatory Enforcement Fairness Act. Your best source of information is the text of the Safeguards Rule itself.

In reviewing your obligations under the Safeguards Rule, consider these key compliance questions.

Who’s covered by the Safeguard Rule?

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

How do you know if your business is a financial institution subject to the Safeguards Rule? First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.

To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction.

Section 314.2(h) of the Rule lists four examples of businesses that aren’t a “financial institution.” In addition, the FTC has exempted from certain provisions of the Rule financial institutions that “maintain customer information concerning fewer than five thousand consumers.”

Here is another key consideration for your business. Even if your company wasn’t covered by the original Rule, your business operations have probably undergone substantial transformation in the past two decades. As your operations evolve, consult the definition of financial institution periodically to see if your business could be covered now.

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (The definition of “nonpublic personal information” in Section 314.2(l) further explains what is – and isn’t – included.) The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.

Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

• to ensure the security and confidentiality of customer information;
• to protect against anticipated threats or hazards to the security or integrity of that information; and
• to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

What does a reasonable information security program look like?

Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include. Let’s take those elements step by step.

a.   Designate a Qualified Individual to implement and supervise your company’s information security program. The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. The person doesn’t need a particular degree or title. What matters is real-world know‑how suited to your circumstances. The Qualified Individual selected by a small business may have a background different from someone running a large corporation’s complex system. If your company brings in a service provider to implement and supervise your program, the buck still stops with you. It’s your company’s responsibility to designate a senior employee to supervise that person. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.

b.   Conduct a risk assessment. You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.

c.   Design and implement safeguards to control the risks identified through your risk assessment. Among other things, in designing your information security program, the Safeguards Rule requires your company to:

1. Implement and periodically review access controls. Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.
2. Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
3. Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
4. Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.
5. Implement multi-factor authentication for anyone accessing customer information on your system. For multi-factor authentication, the Rule requires at least two of these authentication factors: a knowledge factor (for example, a password); a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
6. Dispose of customer information securely. Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
7. Anticipate and evaluate changes to your information system or network. Changes to an information system or network can undermine existing security measures. For example, if your company adds a new server, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires financial institutions to build change management into their information security program.
8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.

https://www.gillsalons.com/group/gillsalons-group/discussion/59da6948-f925-4d69-9947-55e50c3d6d5a
https://www.gillsalons.com/group/gillsalons-group/discussion/f5b0c733-e514-47e5-b225-de5ede37c8d4
https://www.gillsalons.com/group/gillsalons-group/discussion/b64ce48e-0701-4a11-97ae-09152b438561
https://www.gillsalons.com/group/gillsalons-group/discussion/3ce92517-592e-49a3-9cbe-f8e13ad07ce3
https://www.gillsalons.com/group/gillsalons-group/discussion/60a94d77-e452-494f-97c8-65d33fd37c22
https://www.gillsalons.com/group/gillsalons-group/discussion/07a8d37e-f82d-43c5-85b1-5aabc890ab4e
https://www.gillsalons.com/group/gillsalons-group/discussion/ae372ba1-d1a6-44fb-b50b-a324f4ea3cba
https://www.gillsalons.com/group/gillsalons-group/discussion/8f846ede-a491-427b-9573-748cf2d2e93e
https://www.gillsalons.com/group/gillsalons-group/discussion/8b76429f-4382-4226-8764-53b2d1b4561f

d.   Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don't implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly-known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.